d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac

General

Target

d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe
Size

179KB
MD5

f8dd91b886d2136eb98eeefbc3e77886
SHA1

5d13e37e9ebf90a9d4db53be414390fa1293e884
SHA256

d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac
SHA512

8cde9bef8cd92043436f95864bccc0f1ab4308c0ba2c44490a4e8a6369fdd5a58ac89a8c20bd765ac4c430256134d0869ecaf96a67bc196d5a28baef1b301d3f
SSDEEP

3072:ZBAp5XhKpN4eOyVTGfhEClj8jTk+0hyeTamwiKLYlXr6:cbXE9OiTGfhEClq9Yamwel+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1608	WScript.exe
4	1608	WScript.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\poo\smar\pl.txt	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe
File opened for modification	C:\Program Files (x86)\poo\smar\loi.bat	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe
File opened for modification	C:\Program Files (x86)\poo\smar\p01.vbs	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe
File opened for modification	C:\Program Files (x86)\poo\smar\p20.vbs	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe
File opened for modification	C:\Program Files (x86)\poo\smar\sk.txt	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1960	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	27
PID 1104 wrote to memory of 1960	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	27
PID 1104 wrote to memory of 1960	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	27
PID 1104 wrote to memory of 1960	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	27
PID 1104 wrote to memory of 1608	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	29
PID 1104 wrote to memory of 1608	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	29
PID 1104 wrote to memory of 1608	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	29
PID 1104 wrote to memory of 1608	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	29
PID 1104 wrote to memory of 552	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	30
PID 1104 wrote to memory of 552	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	30
PID 1104 wrote to memory of 552	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	30
PID 1104 wrote to memory of 552	1104	d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe	30

C:\Users\Admin\AppData\Local\Temp\d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe
"C:\Users\Admin\AppData\Local\Temp\d367c5c6794084a90593c5040b1c23522110813e96c6e179abc359743c00f8ac.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\poo\smar\loi.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poo\smar\p01.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\poo\smar\p20.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\poo\smar\loi.bat

Filesize
3KB

MD5
18c585396805c18cb6fb0a9245100427

SHA1
1168912160b58f37fd06103392e70785f2156944

SHA256
9b726de3b4de452fa2c8ef7462cd34d88d0edd1948f745ed5c18b13b7cb0681e

SHA512
270c95f1b9fff941e09c734c152f1ce895fd97484194d58024d5c95c1149d3d7a97745c0314a1f751d464aa823089f8e39328a95089a0e713f623ae0f620ac98

Download Submit
C:\Program Files (x86)\poo\smar\p01.vbs

Filesize
474B

MD5
09c9cbce8e1c5247ac87c445fd2c70e0

SHA1
986f4d3b31c7be48e67f5896a3712b6d107d046b

SHA256
6be70113621042778fd375130210d7e6a528f2a78afc98b3ca4e4cef8e130c64

SHA512
e06d2bab64a2ced89f69f690b008899830c50d880a02e83a97bc7646aad9c3ca30073b369ce489fb79c332392c41512efcfe550112e95b28a237c7f6bf749a40

Download Submit
C:\Program Files (x86)\poo\smar\p20.vbs

Filesize
709B

MD5
70a12fb2f36b134e1ddd1b84dbbfde21

SHA1
cd3534c9f1a3c9f8473ddc48321be912505e4d6d

SHA256
7870a33a2200e1aaa1ac7ed5d98a980e5be7000cbf6e51cac3bdecbe7de5eb5b

SHA512
c49690afe5a194436fc20a95f173c300e11ee6a47a3717b75dcb3ffd7506d905e3e874baf5763eb43a91a98700941fe05186d1beae73c205940ddf66d7c08c41

Download Submit
C:\Program Files (x86)\poo\smar\pl.txt

Filesize
1B

MD5
fc1262746424402278e88f6c1f02f581

SHA1
77ac341feebeb7c0a7ff8f9c6540531500693bac

SHA256
94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

SHA512
f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

Download Submit
C:\Program Files (x86)\poo\smar\sk.txt

Filesize
5B

MD5
662f571084077a39a7ee622e48b44b9d

SHA1
319a598057c18d903c7e7fe2073763d22ae6d04b

SHA256
46f92e430ee20b98abfaecc6a24d454ffe1aa3e93856beadd471ff41e227d00c

SHA512
a326e2a471fa651e3cdd0b55746058e2927df25b140b8a85bc79c647787d7185046d404503385392152e815293d1451a4a393495af0878d922adb71cdc9d09b5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c31d628d16ee9933d0ba4d5de6a36eda

SHA1
d2daa99238ca050bd47bbd2ed3e883cc247dd505

SHA256
ccdcf6dd3b12dcc8c265283a359bd09f626e292682b6424f3f2e1e2ef7c1c7db

SHA512
9857541a518cf90a700e30ab9f5272824e8a5f9e8b72a7b841bc3bc3ccd199c061f223fee3cfeaa79e2c27aa2d7e739392872bd5446f8bc466e5ce80a7f1d922

Download Submit
memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing