Analysis
max time kernel: 90s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 12:41
Static task: static1
Behavioral task: behavioral1
  Sample: f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
  Resource: win10v2004-20220901-en
General
Target: f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
Size: 241KB
MD5: ffd5da021af5260af449cb71413e9d39
SHA1: b38a68c6858f3dc0d5da4b134d44bc37c8a481d1
SHA256: f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2
SHA512: da9b77cd2f5d47bc6465550c0a608905e309ac72d1c4127e216824ce8bb4ef41281856f45afa0f0f0499b8a413378c9c78ee851ebebcc10a0104d6ed1e93248a
SSDEEP: 6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxlgNMkEFUD:lXmwRo+mv8QD4+0N46NKxlg6FFY
Malware Config
Signatures
Blocklisted process makes network request (1 IoCs)
Processes:
  flow | pid  | process
  9    | 4828 | WScript.exe

Drops file in Drivers directory (1 IoCs)
Processes:
  description                  | ioc                                   | process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cmd.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (5 IoCs)
Processes:
  description                  | ioc                                              | process
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\sanodo.vbs   | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\albur.bat    | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\1.txt        | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
  File opened for modification | C:\Program Files (x86)\Insata\Ikars\Uninstall.exe | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
  File created                 | C:\Program Files (x86)\Insata\Ikars\Uninstall.ini | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
  description | ioc                                                                              | process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | cmd.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                      | pid  | process                                                              | target process
  PID 4384 wrote to memory of 3060 | 4384 | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe | cmd.exe
  PID 4384 wrote to memory of 3060 | 4384 | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe | cmd.exe
  PID 4384 wrote to memory of 3060 | 4384 | f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe | cmd.exe
  PID 3060 wrote to memory of 4828 | 3060 | cmd.exe                                                              | WScript.exe
  PID 3060 wrote to memory of 4828 | 3060 | cmd.exe                                                              | WScript.exe
  PID 3060 wrote to memory of 4828 | 3060 | cmd.exe                                                              | WScript.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe"
   PID: 4384
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
      PID: 3060
      - Drops file in Drivers directory
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
         PID: 4828
         - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Program Files (x86)\Insata\Ikars\1.txt
  Filesize: 27B
  MD5: 213c0742081a9007c9093a01760f9f8c
  SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
  SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
  SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

C:\Program Files (x86)\Insata\Ikars\albur.bat
  Filesize: 889B
  MD5: 7b46e74b945e898d69222dd39a6205e7
  SHA1: 465a7686882900012e781eaee052e9a309b62968
  SHA256: 1bfb0620fcc89d130f3e0cef96be1c297c41c41d45ceeb4e8fe86c55e3bbdba8
  SHA512: 6c376422d10b5e92c88d308fb0c5f3bdec9cc0b56db702560b9164abb1ba5b82abf4827a7c1a0be9f1470ed8f84bb33c6a7103b6ae6bdc75342cbbe96a29e7f9

C:\Program Files (x86)\Insata\Ikars\sanodo.vbs
  Filesize: 184B
  MD5: 7d6a5965ae5ae6f2dbec2d0747302a12
  SHA1: 1d3ac7bb138f5ff8e12483da2807ba04aa098507
  SHA256: cc3a4853ccfd6f5302661411bdc8e6be5b956d79cdc8bd0efc797afba02949f0
  SHA512: 53504043533ff2064a0fe7ee71549cb16134cc8fa3fd45d760ae36cbd7affd2cfda437f111ae5aeaecd38cdb5f2b3cec40c9a6470431c4562d3047a8165e29d0

memory/3060-132-0x0000000000000000-mapping.dmp
memory/4828-136-0x0000000000000000-mapping.dmp