18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a

General

Target

18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe
Size

180KB
MD5

c0e2bff5c7080984e53927eace8945db
SHA1

4cfe916cfa6806be5a4cfaa8ea0312c014179fea
SHA256

18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a
SHA512

6b3fc79fa100849221df0f2e370188c952d536283a33f9c791b724d4344212df5b4db3294d7777387fae055ba1c6aca378402b5a629c51917cc8b356abea4be1
SSDEEP

3072:fBAp5XhKpN4eOyVTGfhEClj8jTk+0hD+V64pfPFxi+:ibXE9OiTGfhEClq9VzfPFk+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

6 1388 WScript.exe

flow	pid	process
6	1388	WScript.exe

Drops file in Drivers directory 3 IoCs

Processes:

cmd.exeWScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

Drops file in Program Files directory 4 IoCs

Processes:

18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe
File opened for modification	C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe

description	pid	process	target process
PID 456 wrote to memory of 396	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	cmd.exe
PID 456 wrote to memory of 396	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	cmd.exe
PID 456 wrote to memory of 396	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	cmd.exe
PID 456 wrote to memory of 4292	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	WScript.exe
PID 456 wrote to memory of 4292	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	WScript.exe
PID 456 wrote to memory of 4292	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	WScript.exe
PID 456 wrote to memory of 1388	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	WScript.exe
PID 456 wrote to memory of 1388	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	WScript.exe
PID 456 wrote to memory of 1388	456	18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe
"C:\Users\Admin\AppData\Local\Temp\18f24e0983dc3a449e0dff309c309fe0794e6036cd31d850a78638d3060a836a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
2⤵
- Drops file in Drivers directory
PID:396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs"
2⤵
- Drops file in Drivers directory
PID:4292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs"
2⤵
- Blocklisted process makes network request
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
d500363e1857924e0b14f61386c527c7

SHA1
8192979be0ea511fe1e7fe2b05e4e05d32f73c89

SHA256
5dbfc877536909e202f35a9dc3f536a7a6aed89ecdb9fc242dacf09cea3f82e0

SHA512
ec217b82915661acf049e3f9865bd6a7c49e742901ca980cb6abd198d05d973d3155a4e24884f24d6678b94fd5f250d679b72f3aa0294fb9f020d7d6233cc7f3

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
3b872cad32179d6439cb881c10ddbc3d

SHA1
9a1a7419d5b9dd584e2b31a099f9d4f4b6d9840a

SHA256
79f439172cfd44f0581a05956e2a3c5c5c6c3f119359eb5f067061581568a3c7

SHA512
bb20d7eaabc0f6afc93196cf47085bd60e37f3b045ac5d86cd60f3274d4aa3e0b79a8dd473b75901ee5f821ea4f8614b1fc2430e9f02646d96b32f08d282d479

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\krasota_ta_kakaya.vbs

Filesize
909B

MD5
7b492ffa8638ebfec98dc28d94d40b50

SHA1
b1c0142200aaecaa0ec81d915879265be6e429cb

SHA256
73ef3bffc757aa3b8b181a92a08f0c525996bac3a51935200690ac77e8e7be57

SHA512
be1b3563fc5c8b9c918ee217881bf00fdf4040d311dcca6a856526a5583e2dc538d86c25946dc30f19e02f2708e8bc2c28d645a7934b7f189a30f2556f67c77b

Download Submit
C:\Program Files (x86)\na ulissdfsdf\take me devo4ka\kandyvi\prich4ki_pouuuuut.vbs

Filesize
635B

MD5
a2d2ec3d8447064be489ff80607614eb

SHA1
15aa84b1a47f8f9c1a634bf0491172520008a3c7

SHA256
1e27c6d0bf78023e7156a02da0f5d91f6380e3caeca3b14b978c00de52c21969

SHA512
5a0d105f02b987706d869234bb8634cef297308463403fafaaa651e4f931bc59ee74ac1cb47b92390a0d1cb03d856372a6d55af3eb830fef4d44708c8a980530

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c1a113ce29b3ff24d3beddbdc4ade320

SHA1
e7aada7f61d7b7c6642f0c7452259275450557d3

SHA256
37a2e36ba13cefea757430c6e8aeb8d252400211b6af451d778cb7d54195dec3

SHA512
8eda41ac5e6720751cda5099fd05a31870942f350e6a87c7dd779f375f672dee0dffee0d0b1a9850d85949dc4dd2c4f4cbc20d0bb995698fdfa54daf65361cb9

Download Submit
memory/396-132-0x0000000000000000-mapping.dmp

Download
memory/1388-135-0x0000000000000000-mapping.dmp

Download
memory/4292-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads