9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59

General

Target

9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
Size

4.0MB
MD5

a9f01eb697acc0e76024d77fcb62a14d
SHA1

8f6b0623d264e68206cd33e5e712453b8277269e
SHA256

9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59
SHA512

2057c1aa58bba04c6ce86745a8ae3c90b6725eb6a4aa237416f1aa65d9bc1bace5136ed24fc87e7d542be36cdd53c21883842bf16c663d7d37854333dcf30823
SSDEEP

98304:1nFy46gTWZMmAbYfSdWAXVjLFvYhcTgr1jLheG:NFH6E05foXVPehcTk1jLhr

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	mrvujoukrvz.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hоsts	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	mrvujoukrvz.exe
4664	Kopatel-Online-new-Chit-na-DENGI.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mrvujoukrvz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1520	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4664	Kopatel-Online-new-Chit-na-DENGI.exe
4664	Kopatel-Online-new-Chit-na-DENGI.exe
4664	Kopatel-Online-new-Chit-na-DENGI.exe
4664	Kopatel-Online-new-Chit-na-DENGI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2200	mrvujoukrvz.exe
2200	mrvujoukrvz.exe
4888	cmd.exe
4664	Kopatel-Online-new-Chit-na-DENGI.exe
4664	Kopatel-Online-new-Chit-na-DENGI.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 2200	4584	9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe	78
PID 4584 wrote to memory of 2200	4584	9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe	78
PID 4584 wrote to memory of 2200	4584	9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe	78
PID 2200 wrote to memory of 4888	2200	mrvujoukrvz.exe	80
PID 2200 wrote to memory of 4888	2200	mrvujoukrvz.exe	80
PID 2200 wrote to memory of 4888	2200	mrvujoukrvz.exe	80
PID 4888 wrote to memory of 3612	4888	cmd.exe	82
PID 4888 wrote to memory of 3612	4888	cmd.exe	82
PID 4888 wrote to memory of 3612	4888	cmd.exe	82
PID 2200 wrote to memory of 4664	2200	mrvujoukrvz.exe	83
PID 2200 wrote to memory of 4664	2200	mrvujoukrvz.exe	83
PID 2200 wrote to memory of 4664	2200	mrvujoukrvz.exe	83
PID 4888 wrote to memory of 1520	4888	cmd.exe	84
PID 4888 wrote to memory of 1520	4888	cmd.exe	84
PID 4888 wrote to memory of 1520	4888	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
"C:\Users\Admin\AppData\Local\Temp\9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\mrvujoukrvz.exe
  "C:\Users\Admin\AppData\Local\Temp\mrvujoukrvz.exe" exuuhyr.bat++Kopatel-Online-new-Chit-na-DENGI.exe++++++++
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c exuuhyr.bat
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\chcp.com
      chcp 866
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "praetorian.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\Kopatel-Online-new-Chit-na-DENGI.exe
    "C:\Users\Admin\AppData\Local\Temp\Kopatel-Online-new-Chit-na-DENGI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kopatel-Online-new-Chit-na-DENGI.exe

Filesize
4.4MB

MD5
71adbe0979989bbe9f71f35aac23706f

SHA1
76264dd225f0672162c3c0c654b966798953343c

SHA256
ec189b25868064e6056a9fd34cfc9797b856dc2c4b4f4c04ad4d4b966e98dc0a

SHA512
1d9dce0b604b7bccc32b89a72b3dbacaecc61d566e68b6faa762d50ab854b5be7b4b12d93546dfd6e609aa31140340f8857ac0d0bd150d68d74edf8c44286aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kopatel-Online-new-Chit-na-DENGI.exe

Filesize
4.4MB

MD5
71adbe0979989bbe9f71f35aac23706f

SHA1
76264dd225f0672162c3c0c654b966798953343c

SHA256
ec189b25868064e6056a9fd34cfc9797b856dc2c4b4f4c04ad4d4b966e98dc0a

SHA512
1d9dce0b604b7bccc32b89a72b3dbacaecc61d566e68b6faa762d50ab854b5be7b4b12d93546dfd6e609aa31140340f8857ac0d0bd150d68d74edf8c44286aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exuuhyr.bat

Filesize
6KB

MD5
1e1c897ec096ce398e6ea97c45250418

SHA1
556d757b1659da91205533bb180245e60222dba9

SHA256
10b69869db046bc520f1320b893ea3930f9745f6057dc0d5bc16ac39ccbb29f9

SHA512
b4cdfa779db06713027fae05972c108c82556746d5ce9a8f79c539659831e3e5728c15a9104922d21e2896198a74153e1b80de215c3be6184ace585bf36bfd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrvujoukrvz.exe

Filesize
79KB

MD5
b49d04a1ba0b7b996d5796291cb100f6

SHA1
a6b9d7744d737fd9e6a63cfd1453429791a9c2c3

SHA256
e0b7e1e3ca55e72e1c24ebecd851a7b0b6316c0db0d128a6dc8bd587cf280b7d

SHA512
e9e0af58b69c438426ce618c9b8d975aab6c6219f19d3e889a1203d972c8feb78ac9669544fb9272d0bdbc13110e0c43c9b09423371a665ec33c85e5ac8733d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrvujoukrvz.exe

Filesize
79KB

MD5
b49d04a1ba0b7b996d5796291cb100f6

SHA1
a6b9d7744d737fd9e6a63cfd1453429791a9c2c3

SHA256
e0b7e1e3ca55e72e1c24ebecd851a7b0b6316c0db0d128a6dc8bd587cf280b7d

SHA512
e9e0af58b69c438426ce618c9b8d975aab6c6219f19d3e889a1203d972c8feb78ac9669544fb9272d0bdbc13110e0c43c9b09423371a665ec33c85e5ac8733d3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
609B

MD5
a99a2ac6ad1054d50981cb6220b19812

SHA1
c41d8af4ea09ee3287175043355af1f9003ad085

SHA256
72f44f0ba6f691c091ad6d2b254adfbe8ef8d5ba7aa224dbf65b7e8537862532

SHA512
9b00a060b0ae28f998e2e1eebe2f5f1d31c7e1b8b8edf148f8becddd596edc6105274eccb39cb299438226745376af58fd903f7d08d0d8518f6f24eb47dbca02

Download Submit
memory/2200-136-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2200-149-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2200-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-144-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/2200-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4664-146-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/4664-150-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing