52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba

Analysis

max time kernel
186s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe
Size

166KB
MD5

887cc318887bc7c8e147e54117229068
SHA1

60e44f157707277dc2f2adcaa778430531340983
SHA256

52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba
SHA512

84184f1dac740981270558a9c189f3a5a88725b1fec6ac6671a121f9722ed0bf0953369300e982cdffe6a9b2690f6ead1bb157c2209cc0cafce49f18389bd732
SSDEEP

3072:nBAp5XhKpN4eOyVTGfhEClj8jTk+0h37fWgAmDG2+9s:qbXE9OiTGfhEClq92ugAiGw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	2184	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\installation\inistall\nakusaki.bat	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe
File opened for modification	C:\Program Files (x86)\installation\inistall\fukudori.vbs	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe
File opened for modification	C:\Program Files (x86)\installation\inistall\kolitsa.txt	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe
File opened for modification	C:\Program Files (x86)\installation\inistall\lolkin.txt	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 3728	4668	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe	82
PID 4668 wrote to memory of 3728	4668	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe	82
PID 4668 wrote to memory of 3728	4668	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe	82
PID 4668 wrote to memory of 2184	4668	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe	85
PID 4668 wrote to memory of 2184	4668	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe	85
PID 4668 wrote to memory of 2184	4668	52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe	85

C:\Users\Admin\AppData\Local\Temp\52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe
"C:\Users\Admin\AppData\Local\Temp\52439d149fb228bc1606a0f8d5ed56f2ec97b7e83574aab96f71df4bdc1c9fba.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\installation\inistall\nakusaki.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:3728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\installation\inistall\fukudori.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\installation\inistall\fukudori.vbs

Filesize
1KB

MD5
a62d818533ab095b9033aed6206c0f57

SHA1
f94d59acef67627f0351425be3cb5dc5f93c475e

SHA256
9569fafb44bbffa0affbe24411d8863582aad27a6d55254636fe5226e7878190

SHA512
a3907721d02be32a2c633f28e740a9c34b01231819f7d9b92e7c9fed77778cd33d058da9fd14750f5981c6b7841dc599d88d98570402f659c880d4de65330d82

Download Submit
C:\Program Files (x86)\installation\inistall\kolitsa.txt

Filesize
4B

MD5
e65f6d7f08d9245461e19a296fbea585

SHA1
71ccbed1e7dc1f5a96e23c6cc44a8c113613a396

SHA256
4c50d27c5031d7f039fe61dbd05b1e84b02d76786f79c569be88aa04c95aa417

SHA512
c0b4b359e61a98d8e0dc8197e59f4e541be174c05b5455cb08c7aaa2e1453a0f3bb24f2147dd95e95d1d36c79091a3401abb49a47ec973e9fe87e2399f8cf4cf

Download Submit
C:\Program Files (x86)\installation\inistall\lolkin.txt

Filesize
1B

MD5
fc1262746424402278e88f6c1f02f581

SHA1
77ac341feebeb7c0a7ff8f9c6540531500693bac

SHA256
94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

SHA512
f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

Download Submit
C:\Program Files (x86)\installation\inistall\nakusaki.bat

Filesize
5KB

MD5
461497c4c85f1df4045069cc2f09f049

SHA1
b9ce82ece22fd272735fa48bd76737b68223526c

SHA256
0d397ac12d298f9e18366112d493bfd02176b40b2cb3a4561a63b38e91b847ca

SHA512
4c5cbd9cd550cd7a98705a21da788286d7924f067db763fde2a32cf7732d2af53b613631c14b763912b6e48ce20a42bad3d684a4143ab9a4abf9463e0abd7d27

Download Submit