5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd

General

Target

5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
Size

210KB
MD5

6c84c43ec57a64a3245b0d52e08572a2
SHA1

b42fdfa67113c9ab0806ba3e2ff329decc2c3f66
SHA256

5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd
SHA512

b830aba575a68c82312a0fd4f043840e4581b9db959b12a7d01a8c28d72b47b7153013f79b50beb683bdc076a7b8926dd00742168bbf9c8f3bca5d63578c84de
SSDEEP

3072:EBAp5XhKpN4eOyVTGfhEClj8jTk+0h8xwNhbt+Cgw5CKHG:TbXE9OiTGfhEClq9hwQJJUG

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1928	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F80A4113-0879-49A9-AB3B-A51D9DA18DDF}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{25DAE9A5-37AD-4920-88BA-D22494DA2D4C}.catalogItem	svchost.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.ini	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\Uninstall.exe	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File opened for modification	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
File created	C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\opasdkjsadflijsldf.wf	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2212	1544	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	75
PID 1544 wrote to memory of 2212	1544	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	75
PID 1544 wrote to memory of 2212	1544	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	75
PID 1544 wrote to memory of 1928	1544	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	77
PID 1544 wrote to memory of 1928	1544	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	77
PID 1544 wrote to memory of 1928	1544	5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe	77

C:\Users\Admin\AppData\Local\Temp\5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe
"C:\Users\Admin\AppData\Local\Temp\5fba1cfa75333a6bc8223c683d039670ad09e5911ce4621207915c995ef44edd.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\froggi_nogcci.bat

Filesize
1KB

MD5
6fb680e8a6aa2006f2b63f240a4d92dd

SHA1
c86f9038aefee3d10f4643c3d7a0a7a40cde59b7

SHA256
68569a0a1b8f0f9ebb61d6641c03377a295b74c34b782ba0b20033e593d1650d

SHA512
f8e74430968c6e9363f4631b22dd24dbbcd238efecdf275356a30d26d2b64ea83b18dc2b708a6d9f4a0838403004fca8c267133168f7163c98149eecc5560d5f

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.tua

Filesize
1KB

MD5
3c939845d4a469ddd0889a669d649720

SHA1
6afdc41966133da8346d01b6106b9ace9db07b56

SHA256
56dbb7ee03c11a918954494c9343d162e7bc2ecebaf1fec3311fd22dd637d67d

SHA512
9cd7a8c062e7314b1bbecbbc12996c9b413b58eafadf7600153ec7bf8e1f7fcbd7b2f4659636d5ef9fa7b23e10f7ef376c7ef24fd1090f8fc6bf524d296eb71b

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\netu_pokoya_mne_gore.vbs

Filesize
1KB

MD5
3c939845d4a469ddd0889a669d649720

SHA1
6afdc41966133da8346d01b6106b9ace9db07b56

SHA256
56dbb7ee03c11a918954494c9343d162e7bc2ecebaf1fec3311fd22dd637d67d

SHA512
9cd7a8c062e7314b1bbecbbc12996c9b413b58eafadf7600153ec7bf8e1f7fcbd7b2f4659636d5ef9fa7b23e10f7ef376c7ef24fd1090f8fc6bf524d296eb71b

Download Submit
C:\Program Files (x86)\oni_voobshe_ohueli_haher\yarko_zeltie_vot_eto_da_bleat\pod_yasnim_nebom_yanvarya.pro

Filesize
86B

MD5
3899d8451f6b6731d25226cc44cfb12d

SHA1
78a1726c95f868adf3e2768e5b0e98ada6c33073

SHA256
cd1e6ed5128b324ad52fba017f43c608a996ad898477ed451255da5f6ee72582

SHA512
6bd5ee656424db941cf98d79aacb34a8fe0c348c127ed8dc759ae542b2e86d61f2dc03667cf642ad0dbd382a8c04db07e12332656c0b3007dc5d85e32bd1de4c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
726cb20f68339bc61b967471b7c7e70d

SHA1
f6b8b00acbf9c5bb78ff9d0bcffab004d68ae68d

SHA256
49a7ee10a25aaebf3ae07acf1e5504d4444e3e0d998f02fd48e87150367bafe2

SHA512
0b554ef2ba0a1df9b416da44aaf2d750e4c7a1651d500f9b14ed1a6a893561d2ac4d4203811dd24311fd4b21c1316bdb6f3a0bcb9b8824a8d39653151b5709a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads