Analysis

  • max time kernel
    112s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 12:11

General

  • Target

    f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe

  • Size

    151KB

  • MD5

    4e47c89610cdae2aac3d33f5135047f8

  • SHA1

    114512b95e45177d865d84d5489b4c9f5f3c3775

  • SHA256

    f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b

  • SHA512

    ddf7cf7028d3a13ed817755e89d67379ef761aa7059f2cb023e734ddea76624a65354fa9e657389e7a39c42155b0e5af30ea9b83b1a9ac94db8ff26eb7cc1068

  • SSDEEP

    3072:CBAp5XhKpN4eOyVTGfhEClj8jTk+0h22v4M/x8dwNwM:RbXE9OiTGfhEClq93+pwM

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely a geofence check used to decide whether to run.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage or optical drive(s). This is common in ransomware, but nothing else in this report (no encryption or ransom-note signature) confirms that here.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
    "C:\Users\Admin\AppData\Local\Temp\f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:424
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:4228
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:3532
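The process tree above reduced to the rules a detection engineer would write for it: a binary running from the user's Temp directory spawns cmd.exe on a .bat and WScript.exe on .vbs files it planted under Program Files (x86). This is an added example, not part of the sandbox report or the sample; the Proc records are transcribed from the tree above, and the choice of which directories count as drop locations is the editor's assumption.

```python
"""Triage rules for a sandbox process tree (added example, not report output).

The tree is flattened to (pid, ppid, image, cmdline) records and three rules
are applied: a script host run on a script from a drop directory, cmd.exe /c
run on a batch file from a drop directory, and a Temp-resident executable
that spawns children.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
BATCH_EXTS = (".bat", ".cmd")
# Assumed drop locations: places an interpreter should not normally be handed
# freshly written scripts from.
DROP_DIRS = (r"\program files", r"\programdata", r"\appdata\local\temp", r"\users\public")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def path_args(cmdline):
    """Quoted arguments plus unquoted tokens that look like drive paths, lowercased."""
    quoted = re.findall(r'"([^"]+)"', cmdline)
    bare = re.findall(r'[A-Za-z]:\\[^\s"]+', cmdline)
    return list(dict.fromkeys(p.lower() for p in quoted + bare))


def in_drop_dir(path):
    return any(d in path for d in DROP_DIRS)


def triage(procs):
    """Return (pid, reason) for every process that trips a rule."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    findings = []
    for p in procs:
        exe = basename(p.image)
        args = path_args(p.cmdline)
        # Rule 1: script host launched on a script living in a drop directory.
        if exe in SCRIPT_HOSTS:
            for a in args:
                if a.endswith(SCRIPT_EXTS) and in_drop_dir(a):
                    findings.append((p.pid, f"{exe} executes script {a}"))
        # Rule 2: cmd.exe /c on a batch file living in a drop directory.
        if exe == "cmd.exe" and re.search(r"/c\b", p.cmdline, re.I):
            for a in args:
                if a.endswith(BATCH_EXTS) and in_drop_dir(a):
                    findings.append((p.pid, f"cmd.exe /c runs batch file {a}"))
        # Rule 3: an executable in the user's Temp directory that spawns children.
        kids = children.get(p.pid, [])
        if r"\appdata\local\temp" in p.image.lower() and kids:
            findings.append((p.pid, f"temp-resident executable spawned {len(kids)} child process(es)"))
    return findings


# Records transcribed from the report's process tree above.
SAMPLE = "f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = r"C:\Program Files (x86)\kolobrod\nada rano vsavat"
TREE = [
    Proc(4988, None, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    Proc(424, 4988, r"C:\Windows\SysWOW64\cmd.exe",
         f'C:\\Windows\\system32\\cmd.exe /c ""{DROP}\\1ca0a320b7bd66069c01d79c71e2349.bat" "'),
    Proc(4228, 4988, r"C:\Windows\SysWOW64\WScript.exe",
         f'"C:\\Windows\\System32\\WScript.exe" "{DROP}\\ee\\63c4da4fde984fa5c719cdcf2147ab7f.vbs"'),
    Proc(3532, 4988, r"C:\Windows\SysWOW64\WScript.exe",
         f'"C:\\Windows\\System32\\WScript.exe" "{DROP}\\ee\\87dba6b5e5e739d7a8506bbceb19e4be.vbs"'),
]

if __name__ == "__main__":
    for pid, why in triage(TREE):
        print(f"PID {pid}: {why}")
```

The parent/child reduction matters more than the individual rules: the two WScript.exe launches look ordinary on their own (the image is the legitimate system binary), and it is the parent in Temp plus the script location under Program Files (x86) that makes the chain worth an alert.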

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat

    Filesize

    6KB

    MD5

    bad618f8b34cc84b5c4a6e9d1ef8b079

    SHA1

    025b2c435c730d2d38f9f3c52d700b8e3a237aaa

    SHA256

    82e1f91759f02700f2e544113a299a3052b311a83ec9559cd0468bf5b5db39d5

    SHA512

    ffeaa4b911280ec47da34c0ade1d08bd2a1dfd82c7adcf2d6a098ac59e4faec11e88e6f5716ad4a63d085328a31ca1b381c66282bb3181b492654e786097c9f9

  • C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

    Filesize

    610B

    MD5

    8c2f09e15b927ae164b22ba20a1fede9

    SHA1

    a40f07c0f7bbf18aaadbfc4dc75780025f99b20b

    SHA256

    a2dbcac874416b99a41d7c0c07d025a4d6ea73f552fd26a594c51cdb5e9dfa15

    SHA512

    2fd87e413c7373764caa58f6d5ffebd100455ae104fe7e648beb68543410fd86fcbd9864660b6db24a709d37cb6f149e78b2b12bedd8bca98156b2fb7745acca

  • C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

    Filesize

    524B

    MD5

    0085363909db685a3504f3cbdc90331e

    SHA1

    de2e85c6c030f4d07730c35b427f71066b62ecac

    SHA256

    cb20da380620884f7a4e63858fde0d3f99b1317669f33601a1f61e0523e5640b

    SHA512

    1fe8cfac1d69f7c1d962018cae8b667035cc94a93f5bbf523ba0d7ec87d215bca15d3044f2d4a41033a7feeefb3b1021c818189281160e43b29f144309dedc71

  • C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa

    Filesize

    91B

    MD5

    7c62cec3c249eab878d8df39b1bc7889

    SHA1

    f31b98f046b1d51a44e9cf1c45209b6a0f0dbd07

    SHA256

    8b96673e123cbf38a6a856cede02bb7080f54f87fc626a863cb3d96cee1fe9f1

    SHA512

    32efb2d92d8e51add2001a958a1ca6bfb776a5105d7688e5396526cc2ecd73699996ffe36f35ae28b747005bcc70f075b9f08a04bc532f9080c5c7a7c02f369c

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    075c951c83a4c0f656dd97bf8ae23ccf

    SHA1

    ea19e60a322ef4b2a706a778b0337de083463e21

    SHA256

    3e90ee01da170674630ebdd8d7a82149c94c1f0ccd628d492442042ef9f7b2cb

    SHA512

    6990ff540f384ed19a8088533d043a9a65919b002c130d42dc2920a8553114f6172c86502ad559f6666f3a2cc994e07dfe2cc40662e2877735d0a5d85213126f
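Both cmd.exe and the first WScript.exe instance are tagged "Drops file in Drivers directory", and the list above shows the file written is C:\Windows\System32\drivers\etc\hosts. The report does not show its contents, so the hosts text below is a constructed sample with reserved .invalid names, not the dropped file; the audit script is an added example, not from the report or the sample. It relies on one fact about a stock Windows hosts file: every line is a comment, so any active entry deserves a look.

```python
"""Audit a Windows hosts file for tampering (added example, not report output).

Two classes of entry matter: sinkholes (a name pinned to 127.0.0.1 or 0.0.0.0,
typically to block security-vendor or update servers) and redirects (a name
pinned to any other address, used for pharming or to pin a C2 hostname past
DNS-based controls). Loopback entries for localhost itself are ignored.
"""
import ipaddress

# Loopback names Windows or an administrator may legitimately keep active.
BENIGN = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (line_no, ip, [names]) for each active entry, comments stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        entries.append((n, ip, [x.lower() for x in names]))
    return entries


def audit_hosts(text):
    """Return (line_no, kind, ip, names) for every entry that is not benign."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, "malformed", ip, names))
            continue
        suspicious = [x for x in names if x not in BENIGN]
        if not suspicious:
            continue
        kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((n, kind, ip, suspicious))
    return findings


# Constructed sample: the report does not show the dropped file's contents.
# The first five lines mirror the comment-only shape of a stock hosts file.
SAMPLE_HOSTS = """\
# Microsoft TCP/IP for Windows sample HOSTS file (comment-only on a clean host)
#
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1 localhost
0.0.0.0 update.example-av.invalid telemetry.example-av.invalid   # block updates
127.0.0.1 www.example-security.invalid
203.0.113.7 www.example-bank.invalid login.example-bank.invalid
not-an-ip nothing.invalid
"""

if __name__ == "__main__":
    for n, kind, ip, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {kind:9} {ip:15} -> {' '.join(names)}")
```

When triaging a real host, compare the recovered file's hash against the one recorded above (MD5 075c951c83a4c0f656dd97bf8ae23ccf) before reading it: a match confirms the infection wrote it, while a mismatch means the contents may have changed since the sandbox run and the findings should be re-derived from the live file.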