5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd

General

Target

5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
Size

210KB
MD5

6c84c43ec57a64a3245b0d52e08572a2
SHA1

b42fdfa67113c9ab0806ba3e2ff329decc2c3f66
SHA256

5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd
SHA512

b830aba575a68c82312a0fd4f043840e4581b9db959b12a7d01a8c28d72b47b7153013f79b50beb683bdc076a7b8926dd00742168bbf9c8f3bca5d63578c84de
SSDEEP

3072:EBAp5XhKpN4eOyVTGfhEClj8jTk+0h8xwNhbt+Cgw5CKHG:TbXE9OiTGfhEClq9hwQJJUG

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1992	WScript.exe
5	1992	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.ini	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2004	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	27
PID 1512 wrote to memory of 2004	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	27
PID 1512 wrote to memory of 2004	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	27
PID 1512 wrote to memory of 2004	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	27
PID 1512 wrote to memory of 1992	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	29
PID 1512 wrote to memory of 1992	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	29
PID 1512 wrote to memory of 1992	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	29
PID 1512 wrote to memory of 1992	1512	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	29

C:\Users\Admin\AppData\Local\Temp\5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
"C:\Users\Admin\AppData\Local\Temp\5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

Filesize
1KB

MD5
6fb680e8a6aa2006f2b63f240a4d92dd

SHA1
c86f9038aefee3d10f4643c3d7a0a7a40cde59b7

SHA256
68569a0a1b8f0f9ebb61d6641c03377a295b74c34b782ba0b20033e593d1650d

SHA512
f8e74430968c6e9363f4631b22dd24dbbcd238efecdf275356a30d26d2b64ea83b18dc2b708a6d9f4a0838403004fca8c267133168f7163c98149eecc5560d5f

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua

Filesize
1KB

MD5
3c939845d4a469ddd0889a669d649720

SHA1
6afdc41966133da8346d01b6106b9ace9db07b56

SHA256
56dbb7ee03c11a918954494c9343d162e7bc2ecebaf1fec3311fd22dd637d67d

SHA512
9cd7a8c062e7314b1bbecbbc12996c9b413b58eafadf7600153ec7bf8e1f7fcbd7b2f4659636d5ef9fa7b23e10f7ef376c7ef24fd1090f8fc6bf524d296eb71b

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs

Filesize
1KB

MD5
3c939845d4a469ddd0889a669d649720

SHA1
6afdc41966133da8346d01b6106b9ace9db07b56

SHA256
56dbb7ee03c11a918954494c9343d162e7bc2ecebaf1fec3311fd22dd637d67d

SHA512
9cd7a8c062e7314b1bbecbbc12996c9b413b58eafadf7600153ec7bf8e1f7fcbd7b2f4659636d5ef9fa7b23e10f7ef376c7ef24fd1090f8fc6bf524d296eb71b

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

Filesize
86B

MD5
3899d8451f6b6731d25226cc44cfb12d

SHA1
78a1726c95f868adf3e2768e5b0e98ada6c33073

SHA256
cd1e6ed5128b324ad52fba017f43c608a996ad898477ed451255da5f6ee72582

SHA512
6bd5ee656424db941cf98d79aacb34a8fe0c348c127ed8dc759ae542b2e86d61f2dc03667cf642ad0dbd382a8c04db07e12332656c0b3007dc5d85e32bd1de4c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
726cb20f68339bc61b967471b7c7e70d

SHA1
f6b8b00acbf9c5bb78ff9d0bcffab004d68ae68d

SHA256
49a7ee10a25aaebf3ae07acf1e5504d4444e3e0d998f02fd48e87150367bafe2

SHA512
0b554ef2ba0a1df9b416da44aaf2d750e4c7a1651d500f9b14ed1a6a893561d2ac4d4203811dd24311fd4b21c1316bdb6f3a0bcb9b8824a8d39653151b5709a6

Download Submit
memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing