9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d

General

Target

9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe
Size

203KB
MD5

c7111974649e431e7210a711acc3fd0c
SHA1

11b75b7ffe44f4d60ffb53bb6f1edbc89d0ca825
SHA256

9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d
SHA512

ab3cc66f212b69ae632b55c021df7cde8692e059d0f403175d9c77b218725b78d94f84be4e99a553786f8baf1f54425b7861e7cdf17b1b9f5d64f957e1b3639d
SSDEEP

3072:mBAp5XhKpN4eOyVTGfhEClj8jTk+0hu/MEPmWBMmvtGEcKJy9HnuthV9h+f2C8ww:dbXE9OiTGfhEClq9KEpz

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
62	888	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\lisape.for	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 964	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	84
PID 4392 wrote to memory of 964	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	84
PID 4392 wrote to memory of 964	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	84
PID 4392 wrote to memory of 2656	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	86
PID 4392 wrote to memory of 2656	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	86
PID 4392 wrote to memory of 2656	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	86
PID 4392 wrote to memory of 888	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	87
PID 4392 wrote to memory of 888	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	87
PID 4392 wrote to memory of 888	4392	9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe	87

C:\Users\Admin\AppData\Local\Temp\9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe
"C:\Users\Admin\AppData\Local\Temp\9861e195763e14f267104f71b2eb2032954eef33febe3df786afdc02caff533d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat

Filesize
5KB

MD5
d8ea4d5e806a71b3a291f13e60d3c5e1

SHA1
c0c35aa5a4cc4db46a115e3e4a0faa36ee28318f

SHA256
bbef383e3425c661de5c588cb5bb555e0df9900ca5fd5727f6dbab8fb3442311

SHA512
03f9071045f2c8bd1f20f10145f1b2e053dfddf3e69fa9242cc3c9b5324a6929dd649e09c1708a78b74882ecef213240c9a802179dba70bf93bafee9a63b89b0

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
643B

MD5
630740046cd71addf3de4905bacd57d5

SHA1
c4996eb965a6eb0161421db10ee16ba64315ecc5

SHA256
394fa1613c4b5b7e7bc69e9baf302d142b760d26903e2659a38aa6eca6a4ae54

SHA512
545db09a36e111a4213192ba1911acf12b0af39611294014ad18d600a3f408d8d433b16057b353f54c6e67994d41fa6769515f247ea46f1f3d30cb8b29837320

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
506B

MD5
b95b5286512a8492864091e8c035cd6b

SHA1
24bb084bdcba4753c0c1512fd05f631c2bfa6b8a

SHA256
36f67c4926b5843be273abaf2184c351bf351b663d7e4590ce0a7d9ef204c77e

SHA512
71ed209d37d5c571677a810b7e04e27bda3acd77fc6ff44e1e72edf194ef9b1a2f81fe6b6977ed7111aac5aaef4e132029424fab39b938aa997a9af6550e948e

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\lisape.for

Filesize
91B

MD5
4e2af0fae31247c1439b8a3fa52925f5

SHA1
9f2677120305cee08921461876319cde9300d3e2

SHA256
edf66aa040a80368a44ee4bb02daac288f6d006a4f30acd579ea8db0f8e2f38e

SHA512
53059a7e5972b8b70bdc39987e9e237453f16734bb7f8daded91eb792cdc56db29410212ff3ebc47c81dc3509cbabb1a1ed5ba01382e1b71f8226083cac942dd

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
af71630604fac5209f8729c9dfbb0be8

SHA1
4b00af9da5c6c684c38dad75807c2ed75980189c

SHA256
ceebf83497b78add90436d83d13bbdd34dc90d95dd4f954cf32482fa319ac460

SHA512
01f2b03b09dc0910bb94dd4d3f5df8f3468cacf2ce94565d56d4700cb0a361290a6994048d27bd997f61b937682aba1c99a1d90838e0d2e5ecfe794d4c6c1216

Download Submit

Analysis

Sharing