Overview

overview

8

Static

static

18f24e0983...6a.exe

windows7-x64

8

18f24e0983...6a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    57s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

  • Size

    180KB

  • MD5

    c0e2bff5c7080984e53927eace8945db

  • SHA1

    4cfe916cfa6806be5a4cfaa8ea0312c014179fea

  • SHA256

    18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a

  • SHA512

    6b3fc79fa100849221df0f2e370188c952d536283a33f9c791b724d4344212df5b4db3294d7777387fae055ba1c6aca378402b5a629c51917cc8b356abea4be1

  • SSDEEP

    3072:fBAp5XhKpN4eOyVTGfhEClj8jTk+0hD+V64pfPFxi+:ibXE9OiTGfhEClq9VzfPFk+

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe
    "C:\Users\Admin\AppData\Local\Temp\18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:744
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat
    Filesize

    2KB

    MD5

    d500363e1857924e0b14f61386c527c7

    SHA1

    8192979be0ea511fe1e7fe2b05e4e05d32f73c89

    SHA256

    5dbfc877536909e202f35a9dc3f536a7a6aed89ecdb9fc242dacf09cea3f82e0

    SHA512

    ec217b82915661acf049e3f9865bd6a7c49e742901ca980cb6abd198d05d973d3155a4e24884f24d6678b94fd5f250d679b72f3aa0294fb9f020d7d6233cc7f3

    Download Submit
  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud
    Filesize

    33B

    MD5

    3b872cad32179d6439cb881c10ddbc3d

    SHA1

    9a1a7419d5b9dd584e2b31a099f9d4f4b6d9840a

    SHA256

    79f439172cfd44f0581a05956e2a3c5c5c6c3f119359eb5f067061581568a3c7

    SHA512

    bb20d7eaabc0f6afc93196cf47085bd60e37f3b045ac5d86cd60f3274d4aa3e0b79a8dd473b75901ee5f821ea4f8614b1fc2430e9f02646d96b32f08d282d479

    Download Submit
  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs
    Filesize

    909B

    MD5

    7b492ffa8638ebfec98dc28d94d40b50

    SHA1

    b1c0142200aaecaa0ec81d915879265be6e429cb

    SHA256

    73ef3bffc757aa3b8b181a92a08f0c525996bac3a51935200690ac77e8e7be57

    SHA512

    be1b3563fc5c8b9c918ee217881bf00fdf4040d311dcca6a856526a5583e2dc538d86c25946dc30f19e02f2708e8bc2c28d645a7934b7f189a30f2556f67c77b

    Download Submit
  • C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs
    Filesize

    635B

    MD5

    a2d2ec3d8447064be489ff80607614eb

    SHA1

    15aa84b1a47f8f9c1a634bf0491172520008a3c7

    SHA256

    1e27c6d0bf78023e7156a02da0f5d91f6380e3caeca3b14b978c00de52c21969

    SHA512

    5a0d105f02b987706d869234bb8634cef297308463403fafaaa651e4f931bc59ee74ac1cb47b92390a0d1cb03d856372a6d55af3eb830fef4d44708c8a980530

    Download Submit
  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    40fe6ce2d75538adff1c5adf9ae80643

    SHA1

    8bbf8d6d9535585bf5e0d1ae0b7f883c224bf500

    SHA256

    357568bf987374745bdbd561d3082752aea2e9ca0dc48a308d2628c1c7d683a9

    SHA512

    5f6fdb71afbadd526dda1283cc4c797c7c7688e99c5af9a36793b06257faa265a87a0235f7114865b8fc651d3311075c13066e5ecbc78df9c9eb39c2842b22b2

    Download Submit
  • memory/744-57-0x0000000000000000-mapping.dmp
    Download
  • memory/948-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1456-59-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
    Filesize

    8KB

    Download