dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e

General

Target

dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe
Size

203KB
MD5

a64a7a2bbd294de605e480e82e810e12
SHA1

74b580ca5df6ed5eded2db28fd68ff8ec622584b
SHA256

dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e
SHA512

f40803559b60f4971e2c66baab4adf272100cea97a1dd3598b2d64110a192535aaaed9056f3a54551e5fca62d1fc30c2279f7fba0ccc49d38f923e70bea4193f
SSDEEP

3072:mBAp5XhKpN4eOyVTGfhEClj8jTk+0hu/MEPmWBMmvtGEcKJy9HnuthV9h+f2C8ws:dbXE9OiTGfhEClq9KEpf

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1348	WScript.exe
4	1348	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\lisape.for	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1980	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	28
PID 1976 wrote to memory of 1980	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	28
PID 1976 wrote to memory of 1980	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	28
PID 1976 wrote to memory of 1980	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	28
PID 1976 wrote to memory of 1584	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	30
PID 1976 wrote to memory of 1584	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	30
PID 1976 wrote to memory of 1584	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	30
PID 1976 wrote to memory of 1584	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	30
PID 1976 wrote to memory of 1348	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	31
PID 1976 wrote to memory of 1348	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	31
PID 1976 wrote to memory of 1348	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	31
PID 1976 wrote to memory of 1348	1976	dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe	31

C:\Users\Admin\AppData\Local\Temp\dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe
"C:\Users\Admin\AppData\Local\Temp\dfab8d3bd3b1ade1a6403cdcc8d73fa27b335269e3cf3d6175ef79a5034b024e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat

Filesize
6KB

MD5
c04b539be33c109c7974dfe480458eb2

SHA1
0da6d06a0ffad04fe8369c0cffeee318ec6ec7a8

SHA256
29d1805746b9b341314389c94d8eab6fb2d52df6d818e8929f0fb5f4a01b9869

SHA512
367c2fc078ebcf10c219466eea3f28b3b225d8a9d13dc8849767ae96e5446e9ab0e68fec7cb58bcbbec6c5aa9d4678d339b814968a76601388f7073a7ae4f5be

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
645B

MD5
f1c2725abff308321204f7c7af9d0847

SHA1
267a4f927a0155d9bc452827ac3cc8687f8b2679

SHA256
2d23da4aa09d962f0267e5a2457ce9d455cadbbd0718db85eb25683db49c01f8

SHA512
01f948afa1de34547a981640e98323fabf0d140eb2d45b411cb5fcc374b3f50ca7689a93838de78722c8db80f4ac0ed252177d0322e3d211d634eba8d0909510

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
508B

MD5
eb7c1f72da88c64ecf316fe8616ae161

SHA1
f18a5017c03282cdbe987ff9e5fba3d0b6443020

SHA256
68a3b2be6b4357ded9a0c6378840124cc9602760f5a63c0f271d6cf07803de6b

SHA512
18d0277e14de5d4f8b630ebb88a8453279e57237c079494bf15e32a7b407baa48d837dd735506e5e08b232895105a65de90a87dbc45679b1a023a5513416bd2f

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\lisape.for

Filesize
91B

MD5
e311d9b0347d0541839ff7059ec6198a

SHA1
32a79e69e505825e7f1d12e9a1b93f7e69aabb6d

SHA256
4a44b6975f80d5245fbed7b3ad0878945547909fbc63675fb36a26d22a499a34

SHA512
5cd30ba05f82ef9fdcd5440f61190e4d413acda32f487648de615dc7e82a88275b3abb476c99232be5ac09eef41e970f87acfc8bf3fabb7a9504cb20295fd2ff

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
82cc956e1637519e96659ded66901bee

SHA1
594e335fceb0750f6dc0f829711561c409e31349

SHA256
93a3aa656bc826adbc150be1c8ee3a85c905185cdac9b2dafbc4fbabb1709062

SHA512
e7317849c6dd74bc197a1722ddf8485dff2332372b384bea9760671633237295ecbe29505dc7db508b41bc4e99b58473ef7fea7818e50348ecf676a3420712b7

Download Submit
memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing