e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada

Analysis

max time kernel
164s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe
Size

171KB
MD5

4946036c0fd9e1b7e88fe5a159c866d7
SHA1

75806444e2bcffdaf3763bc8c4b161a5ff5659a0
SHA256

e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada
SHA512

e9bf9d526283ab65adfd04e7e7fdcd6a9a27a364bbd50e344d5ea79d537026f18e0a56db72a7def011f2e4e1b2332cac90cdd92e00c2ec44a1b4f30f366ce371
SSDEEP

3072:OBAp5XhKpN4eOyVTGfhEClj8jTk+0hpo6HdoTV8NP2Zo:lbXE9OiTGfhEClq9bzTit2m

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	1852	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\akv\kav\mainlol.txt	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe
File opened for modification	C:\Program Files (x86)\akv\kav\ruoshka.txt	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe
File opened for modification	C:\Program Files (x86)\akv\kav\onanistamnet.bat	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe
File opened for modification	C:\Program Files (x86)\akv\kav\vzleti.vbs	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe
File opened for modification	C:\Program Files (x86)\akv\kav\hohoho.vbs	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2448	1172	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe	82
PID 1172 wrote to memory of 2448	1172	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe	82
PID 1172 wrote to memory of 2448	1172	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe	82
PID 1172 wrote to memory of 1852	1172	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe	84
PID 1172 wrote to memory of 1852	1172	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe	84
PID 1172 wrote to memory of 1852	1172	e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe	84

C:\Users\Admin\AppData\Local\Temp\e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe
"C:\Users\Admin\AppData\Local\Temp\e778c10aee54e9cf8cea0bf6436a59c6055d9c71e9b8661312a09cd95eb94ada.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\akv\kav\onanistamnet.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\akv\kav\vzleti.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\akv\kav\mainlol.txt

Filesize
4B

MD5
235e3ce2a2e86591aa93d92d02d1f10a

SHA1
ae1639960db3f5a29406d68578f4e7ab7f3ca39e

SHA256
ec185e1b830b1db532bb59fae58e706de8371497b7a26a48795e7b870de6ab69

SHA512
d56ac6bab05777633daeeae9ca032dd2a6a2f2ec399e649fb9a588374ccf1fb3cce6700d05070a21396b7d1a387a4fd8790194e97a75a69d7705735fd828da55

Download Submit
C:\Program Files (x86)\akv\kav\onanistamnet.bat

Filesize
4KB

MD5
6e162b5650aed037632ad25b664d1f1a

SHA1
3135651d7f26ab4125ef3f9007415963b2d5d91c

SHA256
d1c59427b55ed55152f255359bb726331e88dcc150e48014f9976bb97c2c0886

SHA512
85b29e892673ba913a618b713527d9af1c2d0a34a7115ed2592dc72d7893745d7ffe8a30af6b0d25bc9ae96253fd7c7aca7dcf7af8ca0b10c515a9fe695e9cc1

Download Submit
C:\Program Files (x86)\akv\kav\vzleti.vbs

Filesize
386B

MD5
5a64fd1a32d163d341e2dde1700571fc

SHA1
dda8752020f9bae6eb75d80397e2c510c1a5f8dd

SHA256
65d192335e4b1de8ea4bfe8805af0830826ef49c2b29be2bd6adb4f653fba162

SHA512
b65434c0c46512c1b17627ca12ac38940a4b73bc68ad060f90f4777ad4ffc2c2346183447e471fd920443ca6c6148545a77d788ef87dc511d04465777f51ce00

Download Submit
memory/1852-134-0x0000000000000000-mapping.dmp

Download
memory/2448-132-0x0000000000000000-mapping.dmp

Download