7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0

General

Target

7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe
Size

203KB
MD5

3665eaf62e6ad1cbe0d153eb028f0f10
SHA1

103a960bedbd8634b265ad9f74efd8685756d508
SHA256

7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0
SHA512

ea7c39b6710f8e03adb51aafeb53cb226a91e33fea3475484be81b869bddf09ad5f47182402fd4208d007291a83326dd2609efc41d7155131d8d9ad98b33817c
SSDEEP

3072:mBAp5XhKpN4eOyVTGfhEClj8jTk+0hu/MEPmWBMmvtGEcKJy9HnuthV9h+f2C8wH:dbXE9OiTGfhEClq9KEpO

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2968	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe
File opened for modification	C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 3236	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	79
PID 4112 wrote to memory of 3236	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	79
PID 4112 wrote to memory of 3236	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	79
PID 4112 wrote to memory of 1460	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	81
PID 4112 wrote to memory of 1460	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	81
PID 4112 wrote to memory of 1460	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	81
PID 4112 wrote to memory of 2968	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	82
PID 4112 wrote to memory of 2968	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	82
PID 4112 wrote to memory of 2968	4112	7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe	82

C:\Users\Admin\AppData\Local\Temp\7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe
"C:\Users\Admin\AppData\Local\Temp\7abfc386238c93da96d262c68cc09759f5ff556549fd25b5d2f0d819882564c0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\1ca0a320b7bd66069c01d79c71e2349.bat

Filesize
5KB

MD5
fb8242bd500a8e4bb29dfe4bf64571c9

SHA1
edf1b571117668423abc4047220c083f6db7081e

SHA256
0145ef6493397dad15301a87f26d76164e0e9f84d72d674d72bee839eff62a66

SHA512
79fbce712e72cc900e1d35d50a8a30346588356938dc14371008d7c74a7d241adf066d911274057d319fc61603f9141288b8e5963a9edca14c3218d74e703a07

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
641B

MD5
bbc1a81a72b3b986702c2fcde9790e74

SHA1
1483eb8249bfd73f65e194dac1d8b74bc90ed705

SHA256
0d20b0ebe07ff8c62f3b8267163dbd2e571c70128dc13982b825a91e08693b20

SHA512
b0f01058e77c6eeabd1dab6bad3cb68f0c80ce01c4f66f326027d9a22017c7c2692d33ebecd50fed9709e7c885f3d07374c0a2437736f77e5c8697b79af6d219

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
500B

MD5
c097bf0196db9a113115b03624b95146

SHA1
77c54f8caa0544aa3d9acecc3c31e5394780e47a

SHA256
5f15638361d74a656437095f89b1403be51a8270dd0c87f79c0b37ea458794d6

SHA512
d9e042c02082226040c3ff21a8ad87749aab10c9bc78e5a51bcd8b12c8d3b3946cc049db0d44766871f44bb1f01b761916386f2999753bc53fbf2a61d93574a3

Download Submit
C:\Program Files (x86)\ringoo ho kjsaq\nada rano vsavat\ee\aaaaaaaaaaaaaaa.aa.aa

Filesize
91B

MD5
28fee033201cdfe2a2808788bf775183

SHA1
d5a9f3c7c46ca65401586bfdb8048bb39ba89a75

SHA256
40ed06b1e1100e017fff14c0c37907ace709d2dcd7e116b78812d13dd7fd4e7e

SHA512
e7a184cdfbf580564dc5a1a4427b711f173326a9ce321fd1b1d93f6327a49ebd6b358d8d43a77418bf4061d19ad0e0bb26d5fd5df12c9974630316c0388f00a5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
9c846a38a3cfc733640177b7ec7f22ab

SHA1
1bb22cb19dca52c4650a02c6660a3a54462f2655

SHA256
5a3db496c5fddfe5a13e3e290c7de9ff65dc0776b7117a7cb150575353730afd

SHA512
4d10aff6f74de9d9bf36e05cc276f87d80cb6570ca6e90e3f9841048da82418a526cdc6653d601014ebc7ee16b87745060ff9a832193d096f3d9b20e032547c9

Download Submit

Analysis

Sharing