dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d

General

Target

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
Size

437KB
MD5

00d2f2d26012cf7af715768e33f83504
SHA1

e665130336b73ccc586f4e366a29ae1229d4dc49
SHA256

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d
SHA512

5fe464cc9d11cd5ea2dc2deb78a24abdad764e7c8bc36fb0cb04147e0861c69abf9c49c54807264be80cc60d9cbe94dad5594b6dffb5de926e1f23719bfaaa83
SSDEEP

6144:nim1FMLBBvpIjSUdhFZH6l0b1rLWgRYuC:KLBvdkaYVC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

1776 Vk AvtoOtvet.exe

pid	process
1776	Vk AvtoOtvet.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

Loads dropped DLL 2 IoCs

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exedw20.exe

pid process

1492 dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
1568 dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Vk AvtoOtvet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Vk AvtoOtvet.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Vk AvtoOtvet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Vk AvtoOtvet.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Vk AvtoOtvet.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Vk AvtoOtvet.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Vk AvtoOtvet.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

pid	process
1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

1776 Vk AvtoOtvet.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

1776 Vk AvtoOtvet.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

1776 Vk AvtoOtvet.exe
1776 Vk AvtoOtvet.exe

pid	process
1776	Vk AvtoOtvet.exe

pid	process
1776	Vk AvtoOtvet.exe

pid	process
1776	Vk AvtoOtvet.exe
1776	Vk AvtoOtvet.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exeVk AvtoOtvet.exe

description	pid	process	target process
PID 1492 wrote to memory of 1776	1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe	Vk AvtoOtvet.exe
PID 1492 wrote to memory of 1776	1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe	Vk AvtoOtvet.exe
PID 1492 wrote to memory of 1776	1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe	Vk AvtoOtvet.exe
PID 1492 wrote to memory of 1776	1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe	Vk AvtoOtvet.exe
PID 1776 wrote to memory of 1568	1776	Vk AvtoOtvet.exe	dw20.exe
PID 1776 wrote to memory of 1568	1776	Vk AvtoOtvet.exe	dw20.exe
PID 1776 wrote to memory of 1568	1776	Vk AvtoOtvet.exe	dw20.exe
PID 1776 wrote to memory of 1568	1776	Vk AvtoOtvet.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
"C:\Users\Admin\AppData\Local\Temp\dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe
"C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1084
3⤵
- Loads dropped DLL
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe

Filesize
59KB

MD5
8f3aac76491c5e19eb6adcc4ff06cf59

SHA1
16f48285f9b33e7f4a1f5e0f8ed9a303d795a355

SHA256
33569eb53940f6b8805bed3ec93735370c8e1d7cb82f58ea1739350f58dec2c7

SHA512
5684581350a40e6b0505f790bf6815aff6ed07b6805f6bae7e5963875d6cba0af8fd2efd4618c915d7ce491334148ac94acdb824c6c909f81b6b647a65c83d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe

Filesize
59KB

MD5
8f3aac76491c5e19eb6adcc4ff06cf59

SHA1
16f48285f9b33e7f4a1f5e0f8ed9a303d795a355

SHA256
33569eb53940f6b8805bed3ec93735370c8e1d7cb82f58ea1739350f58dec2c7

SHA512
5684581350a40e6b0505f790bf6815aff6ed07b6805f6bae7e5963875d6cba0af8fd2efd4618c915d7ce491334148ac94acdb824c6c909f81b6b647a65c83d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe

Filesize
59KB

MD5
8f3aac76491c5e19eb6adcc4ff06cf59

SHA1
16f48285f9b33e7f4a1f5e0f8ed9a303d795a355

SHA256
33569eb53940f6b8805bed3ec93735370c8e1d7cb82f58ea1739350f58dec2c7

SHA512
5684581350a40e6b0505f790bf6815aff6ed07b6805f6bae7e5963875d6cba0af8fd2efd4618c915d7ce491334148ac94acdb824c6c909f81b6b647a65c83d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe

Filesize
59KB

MD5
8f3aac76491c5e19eb6adcc4ff06cf59

SHA1
16f48285f9b33e7f4a1f5e0f8ed9a303d795a355

SHA256
33569eb53940f6b8805bed3ec93735370c8e1d7cb82f58ea1739350f58dec2c7

SHA512
5684581350a40e6b0505f790bf6815aff6ed07b6805f6bae7e5963875d6cba0af8fd2efd4618c915d7ce491334148ac94acdb824c6c909f81b6b647a65c83d2c

Download Submit
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-60-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1568-63-0x0000000000000000-mapping.dmp

Download
memory/1776-56-0x0000000000000000-mapping.dmp

Download
memory/1776-61-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-62-0x00000000021A9000-0x00000000021BA000-memory.dmp

Filesize
68KB

Download
memory/1776-66-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-67-0x00000000021A9000-0x00000000021BA000-memory.dmp

Filesize
68KB

Download

pid	process
1492	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
1568	dw20.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads