1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b

General

Target

1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe
Size

116KB
MD5

4e8dee02eb91d7d709d02689b66b1e96
SHA1

e8cb8721ee536f96ac43461240829bcb3f3ebd6e
SHA256

1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b
SHA512

393b91980a8e212a1049d0b1eb0ac5da43923c198e475414e5ee1341fa5f21a348f035eb1375cb1222acebfbc99ca73e72e42aee1d38136b788dd3cb11a4f02c
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0h4iu:3bXE9OiTGfhEClq9Gu

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1208	WScript.exe
5	1208	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\To\Zi\parlament.vbs	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe
File opened for modification	C:\Program Files (x86)\To\Zi\vismut.vbs	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe
File opened for modification	C:\Program Files (x86)\To\Zi\ziiil.sa	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe
File opened for modification	C:\Program Files (x86)\To\Zi\mwerfwerwre.dff	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe
File opened for modification	C:\Program Files (x86)\To\Zi\chisti_kaif.bat	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1436	968	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe	28
PID 968 wrote to memory of 1436	968	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe	28
PID 968 wrote to memory of 1436	968	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe	28
PID 968 wrote to memory of 1436	968	1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe	28
PID 1436 wrote to memory of 1720	1436	cmd.exe	30
PID 1436 wrote to memory of 1720	1436	cmd.exe	30
PID 1436 wrote to memory of 1720	1436	cmd.exe	30
PID 1436 wrote to memory of 1720	1436	cmd.exe	30
PID 1436 wrote to memory of 1208	1436	cmd.exe	31
PID 1436 wrote to memory of 1208	1436	cmd.exe	31
PID 1436 wrote to memory of 1208	1436	cmd.exe	31
PID 1436 wrote to memory of 1208	1436	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe
"C:\Users\Admin\AppData\Local\Temp\1048c1cd122ad949a3803552076e3712354b006c659daa8fea93315d964edd4b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\To\Zi\chisti_kaif.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\To\Zi\parlament.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1720
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\To\Zi\vismut.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\To\Zi\chisti_kaif.bat

Filesize
1KB

MD5
621d365266daa1e252d0a130aac7646c

SHA1
84a4af748a715327c53525568d0992ccabed445d

SHA256
6a77aa99f2e940ea68fa6422eacbab261a552b6f42d8011a2c9d1081c907c0f9

SHA512
5f6d0554781b53ab6f380e75f4da36054990fbbccbb163ae74a872f124fdd49248d73ff4e9cd9ff9057d70b95d5b348c940fc1ff7bda350a7c296b6bc6da46b9

Download Submit
C:\Program Files (x86)\To\Zi\mwerfwerwre.dff

Filesize
38B

MD5
dff33e9ecbfc92e8e37944b4fa307a8e

SHA1
e3e57a13351c647b225047e2e85389833425bc46

SHA256
8fb1fc7636f2f467e70828219482562264fddbc7af34419c8b2f15fd365a9656

SHA512
31c5917d1e2db98dbc5de98cd92d883fe233f160a572bd4dc33b64f305e6d8e5e4d97178cd5a17e477a1737cc3413ba9ef448869b2413e2d295530d486541ba3

Download Submit
C:\Program Files (x86)\To\Zi\parlament.vbs

Filesize
1KB

MD5
f623df94aa20426810e3962075a6b460

SHA1
9f7be280479da3a9f4c91e9f19ae4cef84e5270e

SHA256
9d570d35966f12947bf647c831f741f8e4cec2f7b69b366726a4846b079c82ab

SHA512
acc86c367e7d849eac1018db1522ce03756097a5326164ab697f786d31ef6c144a4f8dedc70d68a17ed8074828ebf029484059a9f7400d86bb1747b5cddd899a

Download Submit
C:\Program Files (x86)\To\Zi\vismut.vbs

Filesize
292B

MD5
b7fbca74e486d11cdc244d5a0566a1aa

SHA1
acd2435f6567bc56a5ba04ded97b828d5bf6c53d

SHA256
fa941a1005d1df515e7a32d4e878b1e49f6d715d1d393676553a0b4cfd05ceaf

SHA512
02b9f4f4537be1654701a0feb25ee343132fa8716a3f0b0aa3ee88f34d3a18c72b7a957fceb03b5904599ab512d6ff58427ec6427cf8291040d15dbf0d123fe0

Download Submit
C:\Program Files (x86)\To\Zi\ziiil.sa

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
3bf1b84104026abc9f118195cba2fd11

SHA1
06b4520880368dcf95e20dd2c20816a0989699bd

SHA256
792464bd0224cde5a3bde2f2ccf7f11cef05a17b01f9a3df2fd0257e98b958f7

SHA512
9f1f4a13828ce6ada9036500160402329ad53a36db3b93c9416d88bde127f3cfe4f07587f4b0573d1dd822d810ab1e284b52e897c4eab0baf5ae14d79e3e27c9

Download Submit
memory/968-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing