dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d

General

Target

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
Size

437KB
MD5

00d2f2d26012cf7af715768e33f83504
SHA1

e665130336b73ccc586f4e366a29ae1229d4dc49
SHA256

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d
SHA512

5fe464cc9d11cd5ea2dc2deb78a24abdad764e7c8bc36fb0cb04147e0861c69abf9c49c54807264be80cc60d9cbe94dad5594b6dffb5de926e1f23719bfaaa83
SSDEEP

6144:nim1FMLBBvpIjSUdhFZH6l0b1rLWgRYuC:KLBvdkaYVC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

2356 Vk AvtoOtvet.exe

pid	process
2356	Vk AvtoOtvet.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

pid	process
2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dw20.exe

description	pid	process
Token: SeRestorePrivilege	548	dw20.exe
Token: SeBackupPrivilege	548	dw20.exe
Token: SeBackupPrivilege	548	dw20.exe
Token: SeBackupPrivilege	548	dw20.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

2356 Vk AvtoOtvet.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

2356 Vk AvtoOtvet.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Vk AvtoOtvet.exe

pid process

2356 Vk AvtoOtvet.exe
2356 Vk AvtoOtvet.exe

pid	process
2356	Vk AvtoOtvet.exe

pid	process
2356	Vk AvtoOtvet.exe

pid	process
2356	Vk AvtoOtvet.exe
2356	Vk AvtoOtvet.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exeVk AvtoOtvet.exe

description	pid	process	target process
PID 2504 wrote to memory of 2356	2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe	Vk AvtoOtvet.exe
PID 2504 wrote to memory of 2356	2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe	Vk AvtoOtvet.exe
PID 2504 wrote to memory of 2356	2504	dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe	Vk AvtoOtvet.exe
PID 2356 wrote to memory of 548	2356	Vk AvtoOtvet.exe	dw20.exe
PID 2356 wrote to memory of 548	2356	Vk AvtoOtvet.exe	dw20.exe
PID 2356 wrote to memory of 548	2356	Vk AvtoOtvet.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe
"C:\Users\Admin\AppData\Local\Temp\dc848d72c7885494b4a55cca209944a6e8a27ada2b4020829f57c0bcede37b0d.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe
"C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1872
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe

Filesize
59KB

MD5
8f3aac76491c5e19eb6adcc4ff06cf59

SHA1
16f48285f9b33e7f4a1f5e0f8ed9a303d795a355

SHA256
33569eb53940f6b8805bed3ec93735370c8e1d7cb82f58ea1739350f58dec2c7

SHA512
5684581350a40e6b0505f790bf6815aff6ed07b6805f6bae7e5963875d6cba0af8fd2efd4618c915d7ce491334148ac94acdb824c6c909f81b6b647a65c83d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vk AvtoOtvet.exe

Filesize
59KB

MD5
8f3aac76491c5e19eb6adcc4ff06cf59

SHA1
16f48285f9b33e7f4a1f5e0f8ed9a303d795a355

SHA256
33569eb53940f6b8805bed3ec93735370c8e1d7cb82f58ea1739350f58dec2c7

SHA512
5684581350a40e6b0505f790bf6815aff6ed07b6805f6bae7e5963875d6cba0af8fd2efd4618c915d7ce491334148ac94acdb824c6c909f81b6b647a65c83d2c

Download Submit
memory/548-138-0x0000000000000000-mapping.dmp

Download
memory/2356-134-0x0000000000000000-mapping.dmp

Download
memory/2356-137-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2356-140-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2356-141-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2504-133-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2504-139-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads