3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f

General

Target

3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe
Size

172KB
MD5

4b38173517e39afebab1baf07a376469
SHA1

c2d67e3d521b67d301ba4a30073d9dea5429b077
SHA256

3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f
SHA512

dfdbac7e9dede48bdba05fcc2bf6074848c18fd333b7cd43ad127edc879d298d9a685fdba51f123beedd73c8ee7826a9c6ddddd6fd5e5434165472557f8449d9
SSDEEP

3072:kBAp5XhKpN4eOyVTGfhEClj8jTk+0hDx4jpVCTmcCu45oS48lFT0Vqtq5YyjkkrU:zbXE9OiTGfhEClq9i4EVmJ/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1616	WScript.exe
4	1616	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\proslo\gooo\ml.txt	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe
File opened for modification	C:\Program Files (x86)\proslo\gooo\01.txt	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe
File opened for modification	C:\Program Files (x86)\proslo\gooo\zaebat.bat	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe
File opened for modification	C:\Program Files (x86)\proslo\gooo\onskel.vbs	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe
File opened for modification	C:\Program Files (x86)\proslo\gooo\oposrt0.vbs	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1320	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	28
PID 1972 wrote to memory of 1320	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	28
PID 1972 wrote to memory of 1320	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	28
PID 1972 wrote to memory of 1320	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	28
PID 1972 wrote to memory of 1616	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	30
PID 1972 wrote to memory of 1616	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	30
PID 1972 wrote to memory of 1616	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	30
PID 1972 wrote to memory of 1616	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	30
PID 1972 wrote to memory of 1684	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	31
PID 1972 wrote to memory of 1684	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	31
PID 1972 wrote to memory of 1684	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	31
PID 1972 wrote to memory of 1684	1972	3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe	31

C:\Users\Admin\AppData\Local\Temp\3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe
"C:\Users\Admin\AppData\Local\Temp\3031ee6ba5187fc441cdb27a84fdd225c16347267c5adfed219f3975034d082f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\proslo\gooo\zaebat.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\proslo\gooo\onskel.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1616
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\proslo\gooo\oposrt0.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\proslo\gooo\01.txt

Filesize
5B

MD5
5ab0ae87fb788f9e5f5b4bf4ce8280ed

SHA1
7549330d191a24add2dc8eec58e5765121a68674

SHA256
4282b8db96951d71d70e1cb68b542c23b9ab2c82a5854738dbe7212cee761d5e

SHA512
96c666bbc28e73c3567aaa0a7f803f07d407338ce80826bbc878a210b30f4b34d29d3e3c4c36cd1df6b1d4ba433e7df7bd4f0980e1344fc107985deb2216ec8c

Download Submit
C:\Program Files (x86)\proslo\gooo\ml.txt

Filesize
5B

MD5
f2491291ff43220e3e4d3940def665d8

SHA1
b764191b478e6830ba8e560551e647b08db99141

SHA256
80731e509010675dd959604378ee433a8b0aca59abd86f4e9965bf4781c07abc

SHA512
ffdf911995494ca174a94e75d42e6841654dcaae7c77590cb2f2bde4056cc3caeda35a29e23690dfdc5b306cafbfe0bb4d481e3572b6b3c63da8715cd82f842b

Download Submit
C:\Program Files (x86)\proslo\gooo\onskel.vbs

Filesize
458B

MD5
c6402961b5e81b317ed979506709af8e

SHA1
ce11f6dbff0a8e14f243ad1193b74d3be3754881

SHA256
1629bf2b9a1c31bfeb8694c987812f29d048bd3629010b266a77d87e4ff45e89

SHA512
25f2f57a79b551ffa6f44b99c4cac6d99fee0c3dbf1ec220bacd37138300a4d66c83ac1931908e0abec13ef5b8aa2ce0b23077f3c1e36525b0a8ae4dbb80f43d

Download Submit
C:\Program Files (x86)\proslo\gooo\oposrt0.vbs

Filesize
726B

MD5
5599cb25e711aa7856aa1b6123e683bb

SHA1
866ff6b6ba77adab9cb4718c091ad03d980c6d36

SHA256
36d5818d454f65abb23bff7f6eec120583225ede13535129d96ff232ef37d8dd

SHA512
3e12319daa6b73427e0ff378bf5e89d78f816731a5a77ddbd54f146bbe50b18df7a7a0dd67ad53e12f3b7d1efb783ec235f00f2bb8dc7ac74abf58bb51f0019d

Download Submit
C:\Program Files (x86)\proslo\gooo\zaebat.bat

Filesize
2KB

MD5
379449eab0dff37e4ae011abebff8d14

SHA1
b569cebe9b7525207401c508d0651c404e45e253

SHA256
016e4986f3ef7322da1fbfd070f72424799de8ccc01363282470d7caea2630d0

SHA512
47c25f37ce301f3edd9ed758b496c00d846283eff7af345d0754d34760d6aa1837d2185253f05688567ec3c6014b4b7e1ff74259f5ef86eb68e72485d86c00ef

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
28ee56c161c2f55d84913fa707ca38eb

SHA1
4d55eab718413f4edd390d79712159fdf44a2b43

SHA256
e211de2bed96a92ee0c2f84da369d71e6ade062907796bcff8532bc00a1137f7

SHA512
0008c2bb6e7b5cde314dfb0874e0d31fb823fab2ea67ca9c23718d0f50038762246a9f22facf9e15f376795ec172bcf312198efbf2e27cc7d8d8a99287b96240

Download Submit
memory/1972-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing