4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055

General

Target

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
Size

241KB
MD5

af1f4f86dc4594add73e35f73011e2b8
SHA1

51cf43f667dba267a27f43b3eb4818564359bd0b
SHA256

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055
SHA512

850c1aa4c4be581879c24ee67aba986de6c19f2a419ccec13c34a63277c9f3fb6021c04cf863aa558790fd65d4b317d2844e32d652b8c11c7e2bd426bf4a0d5d
SSDEEP

6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxCpQ0wxFT+g:lXmwRo+mv8QD4+0N46NKxCyHxl

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

6 1396 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe

flow	pid	process
6	1396	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

Processes:

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Insata\Ikars\sanodo.vbs	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\albur.bat	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\1.txt	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\Uninstall.exe	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
File created	C:\Program Files (x86)\Insata\Ikars\Uninstall.ini	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.execmd.exe

description	pid	process	target process
PID 4312 wrote to memory of 2784	4312	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe	cmd.exe
PID 4312 wrote to memory of 2784	4312	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe	cmd.exe
PID 4312 wrote to memory of 2784	4312	4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe	cmd.exe
PID 2784 wrote to memory of 1396	2784	cmd.exe	WScript.exe
PID 2784 wrote to memory of 1396	2784	cmd.exe	WScript.exe
PID 2784 wrote to memory of 1396	2784	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe
"C:\Users\Admin\AppData\Local\Temp\4d627dce7453de5aecbaf5362c65be354be38c410936f388093a46b56c764055.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
3⤵
- Blocklisted process makes network request
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Insata\Ikars\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Insata\Ikars\albur.bat

Filesize
900B

MD5
a628d3720e3c252fa5f2d34c16b68189

SHA1
a70ee2d2497c0bdd4936bbadc725c0cf4d5d5597

SHA256
d76717361021bf589669ce37c57c7126a4b1985347067b3fb6106d1844d9fc8c

SHA512
976959f10415c16da7bfc39ec10ea8832ee6555310758666ed83ffbd41917ea81af1b3c7abb49fc718c6699611d57218feedf924b0e74243e4821fc050e1fefc

Download Submit
C:\Program Files (x86)\Insata\Ikars\sanodo.vbs

Filesize
189B

MD5
e3a71ecbb9fc743aa29239c5b03a2fbe

SHA1
8aba26e09c8fd903f1dec0dd142115a431a0e0bd

SHA256
8736e87a88ae6a1fa7dbc8722c39251af1ba49eb51329056bd1f68cf309df57d

SHA512
e8301456e4582758d6375b25bea72750d2491082170510f0030ab5f9fc4b372b243d057f06451a0ae555f63e38172a859fd8565edd2db4acc33cd6f55f79af69

Download Submit
memory/1396-136-0x0000000000000000-mapping.dmp

Download
memory/2784-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads