983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e

General

Target

983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe
Size

241KB
MD5

6f30ccc777aeb9d85f19c45f8ab8ab99
SHA1

33d18a37ea7130f2a9539616fef4d6a71328601f
SHA256

983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e
SHA512

dc9500e4108fa2d5114e26d48ddea7f5be5e86639c26e16b01db00389a996ecbd3abe92b71a5a10065b1bac1caa4733598b9fea824b3df5ab9bfeed31cadd554
SSDEEP

6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxg3AW1KHFn:lXmwRo+mv8QD4+0N46NKx2KHp

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

6 1764 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe

flow	pid	process
6	1764	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

Processes:

983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Insat\Kagr\anabioz.vbs	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe
File opened for modification	C:\Program Files (x86)\Insat\Kagr\dfdfdfdf.bat	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe
File opened for modification	C:\Program Files (x86)\Insat\Kagr\1.txt	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe
File opened for modification	C:\Program Files (x86)\Insat\Kagr\Uninstall.exe	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe
File created	C:\Program Files (x86)\Insat\Kagr\Uninstall.ini	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.execmd.exe

description	pid	process	target process
PID 2484 wrote to memory of 1004	2484	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe	cmd.exe
PID 2484 wrote to memory of 1004	2484	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe	cmd.exe
PID 2484 wrote to memory of 1004	2484	983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe	cmd.exe
PID 1004 wrote to memory of 1764	1004	cmd.exe	WScript.exe
PID 1004 wrote to memory of 1764	1004	cmd.exe	WScript.exe
PID 1004 wrote to memory of 1764	1004	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe
"C:\Users\Admin\AppData\Local\Temp\983b468e7250ecd565072a0161ca2b04093266046fa91c3a19df62a19701113e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insat\Kagr\dfdfdfdf.bat" "
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insat\Kagr\anabioz.vbs"
3⤵
- Blocklisted process makes network request
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Insat\Kagr\1.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Insat\Kagr\anabioz.vbs

Filesize
157B

MD5
dc6981fc7a187e1e6a4701c358d59e17

SHA1
bb05b733e4d6cc8b0eb0c64b0fdc583bfde798b5

SHA256
8b353c615a8141639e0f13f17dd1f2dd63d2730af5b67586e29567bc0e8f90cc

SHA512
dd97bc9a2c2b5f51c525a5bbf848c7c1111d72be8af96d06bec1ac3af1b25a9890576066158cb98c58f6cb88180fa537ac8b59fe6891a1ce35bab94280129615

Download Submit
C:\Program Files (x86)\Insat\Kagr\dfdfdfdf.bat

Filesize
1KB

MD5
addbbe3e284cbc333842c1a49d640839

SHA1
f71e2013f328bf3d59fe9107401039466a7ed9ec

SHA256
4f9bafd87045ffb2b15a3324267e86d16a88db040588a43d1182ff93d4f559df

SHA512
ff7d87527d1303b0a4075896fb2f305486e938944424433b964794cf0d214f44feb7880b1d9e74321890ff9372d42bf719c85ed81cc2efd79d14a46577aece38

Download Submit
memory/1004-132-0x0000000000000000-mapping.dmp

Download
memory/1764-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads