345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7

General

Target

345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe
Size

180KB
MD5

fa3a46faf0d30fbf4405a36873f1693e
SHA1

0c214841f143763bc2e64af6963cf2cfc6be2bce
SHA256

345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7
SHA512

b54bca88477b49b03f84517cff7dd09d8277f7338588121a56ce135358b8799a98dcab2fc83e63baaf8789dcb3c50cfbb1a48927ba8ff966df07ff1875e14f63
SSDEEP

3072:bBAp5XhKpN4eOyVTGfhEClj8jTk+0hQZDO0REkyx2dBp/4luaMyzPviMKT:GbXE9OiTGfhEClq9PUgEkyQdBp/4luRH

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1952	WScript.exe
4	1952	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala\ee1\she.he	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala\08a4415e9d594ff960030b921d42b91e.bat	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala\ee1\63c4da4fde984fa5c719cdcf2147ab7f.vbs	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala\ee1\87dba6b5e5e739d7a8506bbceb19e4be.vbs	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 316	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	27
PID 900 wrote to memory of 316	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	27
PID 900 wrote to memory of 316	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	27
PID 900 wrote to memory of 316	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	27
PID 900 wrote to memory of 1952	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	29
PID 900 wrote to memory of 1952	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	29
PID 900 wrote to memory of 1952	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	29
PID 900 wrote to memory of 1952	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	29
PID 900 wrote to memory of 1964	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	30
PID 900 wrote to memory of 1964	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	30
PID 900 wrote to memory of 1964	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	30
PID 900 wrote to memory of 1964	900	345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe	30

C:\Users\Admin\AppData\Local\Temp\345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe
"C:\Users\Admin\AppData\Local\Temp\345bd2f1681b190b8ec182aba16e00ea3494665200c57e03fc1f0bb1ae7876f7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\The first evidence\Guatemala\08a4415e9d594ff960030b921d42b91e.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala\ee1\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala\ee1\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\The first evidence\Guatemala\08a4415e9d594ff960030b921d42b91e.bat

Filesize
2KB

MD5
fdc435649c20bf019fabb7a2c6f7aabb

SHA1
2b1e9e1c29515cd56129b1124927cd4191b1e0a3

SHA256
679f6db234acb119fa878ca5fe011c95f5b51e345871d006746aa0d1f8986a07

SHA512
3c9db3c1064e8b79a1460bdf047de9cf0a6e135f75e015cef3c1adfdb5b16c927284f318e55945d90d3fd484c589ee225c726bcf8c49bb64914addc9be081eac

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala\ee1\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
492B

MD5
a50ef4bd6a9d2d35f847044eed40ea56

SHA1
f3be1f876a8fcbe2748a7a313abcc72ae37451ec

SHA256
7e888c2cfef575e8515a651760cfa66a8261dab7024819acf347786e3352d6b8

SHA512
ca6e775ffc73888b0d72028c62962111a334c7b1dd5db824d30a50f2a615559f80c533e485866516010288cf662db91841f930dc93e3e2fbd5601a77033d0d2d

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala\ee1\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
632B

MD5
d04bbcc23db21b329b70ba8740f38793

SHA1
6356ce4b1e6790a6c5dac29a78bfe3020c15bd25

SHA256
411d941431b1b9bb910dd01113a322bfbba3e3636221fc48c883ae66b2ecff58

SHA512
bfd7cca3fbba2050b4ae46370f00ca009660893b286e2ff2f84405c978ac25a6cd35334b6b603f8422d4531675c84ce6f63205e8d3925406cb2213c001463996

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala\ee1\she.he

Filesize
88B

MD5
9b85b710213b0976251c59371062b411

SHA1
7f138cf9dc12bade492e113c647504e729d42644

SHA256
01f8589b96008e5e9c5002d126e3c4523e6ee00c955026b9f34f2e3b9cdae252

SHA512
fc2ec6400b0f75e1656ce49a7d0d40f66589b6da65f73a40d4fc3d98e69a5a1087a58ac58c342fb98d7a92d4d203c9852619a2985c2691f61caad85dd9f8251d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
be7b308dd01558f918f24e2b2a2bd77a

SHA1
086e02425ae3a7be9c0a64ad6c50620d41de99b7

SHA256
f6eb0e132fc049be3d6003e1a12c865eb504e54eeea5f69ee77decdec48ec567

SHA512
d82903af3836441c3cd687dfac023e6e5fea50099ce1f48723a16091f39bbcf81f2191d099d2746c56843357b4e77b6f937b16299e80072ed0a4aab4d9efa713

Download Submit
memory/900-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing