Analysis

max time kernel: 112s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 29-11-2022 12:11

Static task: static1

Behavioral task: behavioral1
  Sample: f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
  Resource: win10v2004-20220901-en
General

Target: f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
Size: 151KB
MD5: 4e47c89610cdae2aac3d33f5135047f8
SHA1: 114512b95e45177d865d84d5489b4c9f5f3c3775
SHA256: f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b
SHA512: ddf7cf7028d3a13ed817755e89d67379ef761aa7059f2cb023e734ddea76624a65354fa9e657389e7a39c42155b0e5af30ea9b83b1a9ac94db8ff26eb7cc1068
SSDEEP: 3072:CBAp5XhKpN4eOyVTGfhEClj8jTk+0h22v4M/x8dwNwM:RbXE9OiTGfhEClq93+pwM
Malware Config

Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  9     3532  WScript.exe

Drops file in Drivers directory (3 IoCs)
  description                   ioc                                     Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts   cmd.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts   WScript.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hîsts   WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe

Drops file in Program Files directory (4 IoCs)
  description                   ioc                                                                                  Process
  File opened for modification  C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs   f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
  File opened for modification  C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa                  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
  File opened for modification  C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat      f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
  File opened for modification  C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs   f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description  ioc                                                                           Process
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings   f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 4988 wrote to memory of 424    4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   83
  PID 4988 wrote to memory of 424    4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   83
  PID 4988 wrote to memory of 424    4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   83
  PID 4988 wrote to memory of 4228   4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   85
  PID 4988 wrote to memory of 4228   4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   85
  PID 4988 wrote to memory of 4228   4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   85
  PID 4988 wrote to memory of 3532   4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   86
  PID 4988 wrote to memory of 3532   4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   86
  PID 4988 wrote to memory of 3532   4988  f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe   86
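The signatures above give an incident responder three things to hunt for on other hosts: the drop directory under Program Files (x86), the SHA-256 values of the sample and of the files listed under Downloads (the report does not say which dropped file each Downloads entry is), and a tampered hosts file. The script below is an added example written for this page; it is not part of the sandbox report or the sample. The hosts-file heuristic (flag every mapping other than the stock loopback names, splitting "sinkhole" entries that point a real name at loopback/0.0.0.0 from "redirect" entries that point it elsewhere) is the editor's own; the demo filesystem and hosts content it builds under a temp directory are constructed, not recovered from the sandbox run.

```python
"""Hunt for the artifacts this report attributes to the sample (added example)."""
import hashlib
import ipaddress
import os
import tempfile
from pathlib import Path

# SHA-256 of the sample (General) and of the files listed under Downloads.
KNOWN_SHA256 = {
    "f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b",
    "82e1f91759f02700f2e544113a299a3052b311a83ec9559cd0468bf5b5db39d5",
    "a2dbcac874416b99a41d7c0c07d025a4d6ea73f552fd26a594c51cdb5e9dfa15",
    "cb20da380620884f7a4e63858fde0d3f99b1317669f33601a1f61e0523e5640b",
    "8b96673e123cbf38a6a856cede02bb7080f54f87fc626a863cb3d96cee1fe9f1",
    "3e90ee01da170674630ebdd8d7a82149c94c1f0ccd628d492442042ef9f7b2cb",
}
# SHA-256 of an empty file; only used so the demo can exercise hash matching.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Paths named in the report, relative to the scanned system root.
DROP_DIR = Path("Program Files (x86)") / "kolobrod" / "nada rano vsavat"
HOSTS_REL = Path("Windows") / "System32" / "drivers" / "etc" / "hosts"
# Names the stock hosts file legitimately maps to loopback.
STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}

# Constructed hosts file for the demo: two stock lines plus two injected ones
# (documentation IP 203.0.113.10 and .test names, not real infrastructure).
DEMO_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.test    # constructed: silent redirect
127.0.0.1       update.example-av.test   # constructed: blocks an update host
"""


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def suspicious_hosts_entries(text):
    """Return (address, hostname, reason) for every mapping that is not a stock loopback line."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                               # not an address/hostname line
        local = ip.is_loopback or ip.is_unspecified  # 127.x, ::1, 0.0.0.0
        for name in names:
            if local and name.lower() in STOCK_LOOPBACK_NAMES:
                continue
            findings.append((addr, name, "sinkhole" if local else "redirect"))
    return findings


def scan(root, known=KNOWN_SHA256):
    """Check one system root for the drop directory, known hashes and hosts tampering."""
    root = Path(root)
    result = {"drop_dir_present": (root / DROP_DIR).is_dir(),
              "hash_hits": [], "hosts_entries": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if sha256_of(p) in known:
                    result["hash_hits"].append(p.relative_to(root).as_posix())
            except OSError:
                pass                               # unreadable/locked file: skip
    hosts = root / HOSTS_REL
    if hosts.is_file():
        result["hosts_entries"] = suspicious_hosts_entries(
            hosts.read_text(encoding="utf-8", errors="replace"))
    return result


def build_demo_root():
    """Constructed directory tree standing in for an infected host (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (root / DROP_DIR / "ee").mkdir(parents=True)
    (root / DROP_DIR / "ee" / "demo.vbs").write_text("' placeholder, not the real script\n")
    (root / DROP_DIR / "marker.bin").write_bytes(b"")   # hashes to EMPTY_FILE_SHA256
    (root / HOSTS_REL).parent.mkdir(parents=True)
    (root / HOSTS_REL).write_text(DEMO_HOSTS)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print(scan(demo))                                   # real hashes: no hits on demo files
    print(scan(demo, known={EMPTY_FILE_SHA256}))        # shows a hash hit on marker.bin
```

On a real host run `scan("C:\\")` (or against a mounted disk image); expect legitimate non-stock hosts entries in managed environments, so treat the `hosts_entries` list as a review queue rather than a verdict.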
Processes

C:\Users\Admin\AppData\Local\Temp\f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6ddecb8263d612902074ebe839d2c6a23e2ba08a89e890a81b81faeaa082d6b.exe"
  PID: 4988
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\kolobrod\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat" "
    PID: 424
    - Drops file in Drivers directory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
    PID: 4228
    - Drops file in Drivers directory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kolobrod\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
    PID: 3532
    - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 6KB
MD5: bad618f8b34cc84b5c4a6e9d1ef8b079
SHA1: 025b2c435c730d2d38f9f3c52d700b8e3a237aaa
SHA256: 82e1f91759f02700f2e544113a299a3052b311a83ec9559cd0468bf5b5db39d5
SHA512: ffeaa4b911280ec47da34c0ade1d08bd2a1dfd82c7adcf2d6a098ac59e4faec11e88e6f5716ad4a63d085328a31ca1b381c66282bb3181b492654e786097c9f9

Filesize: 610B
MD5: 8c2f09e15b927ae164b22ba20a1fede9
SHA1: a40f07c0f7bbf18aaadbfc4dc75780025f99b20b
SHA256: a2dbcac874416b99a41d7c0c07d025a4d6ea73f552fd26a594c51cdb5e9dfa15
SHA512: 2fd87e413c7373764caa58f6d5ffebd100455ae104fe7e648beb68543410fd86fcbd9864660b6db24a709d37cb6f149e78b2b12bedd8bca98156b2fb7745acca

Filesize: 524B
MD5: 0085363909db685a3504f3cbdc90331e
SHA1: de2e85c6c030f4d07730c35b427f71066b62ecac
SHA256: cb20da380620884f7a4e63858fde0d3f99b1317669f33601a1f61e0523e5640b
SHA512: 1fe8cfac1d69f7c1d962018cae8b667035cc94a93f5bbf523ba0d7ec87d215bca15d3044f2d4a41033a7feeefb3b1021c818189281160e43b29f144309dedc71

Filesize: 91B
MD5: 7c62cec3c249eab878d8df39b1bc7889
SHA1: f31b98f046b1d51a44e9cf1c45209b6a0f0dbd07
SHA256: 8b96673e123cbf38a6a856cede02bb7080f54f87fc626a863cb3d96cee1fe9f1
SHA512: 32efb2d92d8e51add2001a958a1ca6bfb776a5105d7688e5396526cc2ecd73699996ffe36f35ae28b747005bcc70f075b9f08a04bc532f9080c5c7a7c02f369c

Filesize: 1KB
MD5: 075c951c83a4c0f656dd97bf8ae23ccf
SHA1: ea19e60a322ef4b2a706a778b0337de083463e21
SHA256: 3e90ee01da170674630ebdd8d7a82149c94c1f0ccd628d492442042ef9f7b2cb
SHA512: 6990ff540f384ed19a8088533d043a9a65919b002c130d42dc2920a8553114f6172c86502ad559f6666f3a2cc994e07dfe2cc40662e2877735d0a5d85213126f