f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2

General

Target

f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
Size

241KB
MD5

ffd5da021af5260af449cb71413e9d39
SHA1

b38a68c6858f3dc0d5da4b134d44bc37c8a481d1
SHA256

f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2
SHA512

da9b77cd2f5d47bc6465550c0a608905e309ac72d1c4127e216824ce8bb4ef41281856f45afa0f0f0499b8a413378c9c78ee851ebebcc10a0104d6ed1e93248a
SSDEEP

6144:zZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876NKxlgNMkEFUD:lXmwRo+mv8QD4+0N46NKxlg6FFY

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

9 4828 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe

flow	pid	process
9	4828	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

Processes:

f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Insata\Ikars\sanodo.vbs	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\albur.bat	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\1.txt	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
File opened for modification	C:\Program Files (x86)\Insata\Ikars\Uninstall.exe	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
File created	C:\Program Files (x86)\Insata\Ikars\Uninstall.ini	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.execmd.exe

description	pid	process	target process
PID 4384 wrote to memory of 3060	4384	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe	cmd.exe
PID 4384 wrote to memory of 3060	4384	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe	cmd.exe
PID 4384 wrote to memory of 3060	4384	f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe	cmd.exe
PID 3060 wrote to memory of 4828	3060	cmd.exe	WScript.exe
PID 3060 wrote to memory of 4828	3060	cmd.exe	WScript.exe
PID 3060 wrote to memory of 4828	3060	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe
"C:\Users\Admin\AppData\Local\Temp\f056d6f718bb3eff711b2848b3f2bb12e382800bdffb75ad5b61fe1cb14bc4c2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Insata\Ikars\albur.bat" "
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Insata\Ikars\sanodo.vbs"
3⤵
- Blocklisted process makes network request
PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Insata\Ikars\1.txt
Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Insata\Ikars\albur.bat
Filesize
889B

MD5
7b46e74b945e898d69222dd39a6205e7

SHA1
465a7686882900012e781eaee052e9a309b62968

SHA256
1bfb0620fcc89d130f3e0cef96be1c297c41c41d45ceeb4e8fe86c55e3bbdba8

SHA512
6c376422d10b5e92c88d308fb0c5f3bdec9cc0b56db702560b9164abb1ba5b82abf4827a7c1a0be9f1470ed8f84bb33c6a7103b6ae6bdc75342cbbe96a29e7f9

Download Submit
C:\Program Files (x86)\Insata\Ikars\sanodo.vbs
Filesize
184B

MD5
7d6a5965ae5ae6f2dbec2d0747302a12

SHA1
1d3ac7bb138f5ff8e12483da2807ba04aa098507

SHA256
cc3a4853ccfd6f5302661411bdc8e6be5b956d79cdc8bd0efc797afba02949f0

SHA512
53504043533ff2064a0fe7ee71549cb16134cc8fa3fd45d760ae36cbd7affd2cfda437f111ae5aeaecd38cdb5f2b3cec40c9a6470431c4562d3047a8165e29d0

Download Submit
memory/3060-132-0x0000000000000000-mapping.dmp

Download
memory/4828-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads