af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71

General

Target

af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
Size

158KB
MD5

db30911bb0ca1ad11e9d6bcd66bcda18
SHA1

d536d50b6cfa3961d1b4179690c4ce88c5fb4b02
SHA256

af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71
SHA512

2218dd5595b2408982619e5cbebb32c9c8673e99646564b31ea619eb5fa44fa83be58a2125e75f0289ec6e3183226dcaba4dab23ee5270fad84aad06ee022c1d
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6jp7gsFQ5BjT:PbXE9OiTGfhEClq9FKx2p7YjjT

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Sl\Zp\Uninstall.ini	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\gde_manya_zdut.vbs	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\gde_mne_radi.vbs	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\vitalik.kil	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\adsense.ko	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\eche_razok_s_nim_vstretilsuai.bat	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\Uninstall.exe	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 116	3520	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe	84
PID 3520 wrote to memory of 116	3520	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe	84
PID 3520 wrote to memory of 116	3520	af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe	84
PID 116 wrote to memory of 1624	116	cmd.exe	87
PID 116 wrote to memory of 1624	116	cmd.exe	87
PID 116 wrote to memory of 1624	116	cmd.exe	87
PID 116 wrote to memory of 4148	116	cmd.exe	88
PID 116 wrote to memory of 4148	116	cmd.exe	88
PID 116 wrote to memory of 4148	116	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe
"C:\Users\Admin\AppData\Local\Temp\af40cf15c8223e33a8f75df28d65a9c48740a75db426c63524503b9a472c5f71.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Sl\Zp\eche_razok_s_nim_vstretilsuai.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Sl\Zp\gde_manya_zdut.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1624
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Sl\Zp\gde_mne_radi.vbs"
    3⤵
    PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sl\Zp\adsense.ko

Filesize
43B

MD5
94566a6012c6f7a59c8197d04ef637dc

SHA1
14c832ffa154222af0a7749a6de64a28e90bac34

SHA256
c153f7936206460f7f152da0b675e6e51ac6bcbd95ffe1cebb62f238fa0c5d44

SHA512
3a88a60a8aa0195bbf6b7c0a4c71752bb9d7d1412bc05a4f9c6e9a2b32c60bf4853a0e29f3be9407951a378943c4328362b80c32d41238d69fadbfe1d4e6fa8b

Download Submit
C:\Program Files (x86)\Sl\Zp\eche_razok_s_nim_vstretilsuai.bat

Filesize
1KB

MD5
51b6dccae22f740d5abfc9cf42e3c628

SHA1
f5dee976c40646b0c77ebbd9008df5318cadb13f

SHA256
61aa7db9523150f22407c52f974156cb1f69efd915a8420cef0913cb8daa1678

SHA512
a41871aee97f0a0a4ffb9728f88e20029c0e5b0acc7f74f55fde1bfc9ceae3b30233499a931a0228b7a7f6a14765e42cedaaae940a1a4bb96ea9cd023bd573a2

Download Submit
C:\Program Files (x86)\Sl\Zp\gde_manya_zdut.vbs

Filesize
1KB

MD5
f5eae3e46fdee73cfcd2352edd09c926

SHA1
e956b5bf9d2f925f14c35c0cd7b44492131c24d7

SHA256
1d99f10d1ca7ebb69a90eec2a445af1304163a6059063be2e8034a87e64ea303

SHA512
1231bbecab482977ec5b4c6b29a754832f390948cc34d0950978a52008ace2e5f0ed97040767994acc19549a2e735d976f784225a16d60b914f259976efad1e9

Download Submit
C:\Program Files (x86)\Sl\Zp\gde_mne_radi.vbs

Filesize
169B

MD5
d2a8cd94c5fc27a447278385759c1a4b

SHA1
1af303b47c1b3dcaa196d2b3d01f094de20d5d18

SHA256
d9a924992a3849e862e8b47e2b61244a6f0777404b28df7d38b55d4b705ea4cb

SHA512
ea6bd971679ddad0b890eee518b037d88f2994ba787145043af08e82802c0c20e1076287e1689c0febfe22abccf8ced1a0d870b0b5134291a4a3b613607fe916

Download Submit
C:\Program Files (x86)\Sl\Zp\vitalik.kil

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d1c217fc034babf70c63f6c5d6bc3ee1

SHA1
ac837594567240496ea23f650ccdf432871614c2

SHA256
dbdf75e022de72fbc52381f107a1a8f0e2d034d1a5d3fbf2858a14387bf75f62

SHA512
185200dc624db20bb374dd4393c5f82ae706693b26a25f3f9283dc031496bb4299d97953f2002f022faa99f2a0bc131cfe22ac1f2dc808d38fef01df18e284d3

Download Submit

Analysis

Sharing