d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2

General

Target

d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe
Size

179KB
MD5

ca3ef69e153ad4502fb2a1afc1bb6e09
SHA1

3fcff210264e750b093df112d88c645fd8ec9c1c
SHA256

d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2
SHA512

1ed6a3e93d2844eea2274eccb701600360315c9833573fb2f48c5013344a0611ce81d1bf26f7e498f8d02a195e4c25db6fce9bc8a2bd53a408946f4f24030766
SSDEEP

3072:8BAp5XhKpN4eOyVTGfhEClj8jTk+0hxNWN6ovFhxRg:rbXE9OiTGfhEClq9CNWN6ovFhxRg

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	4864	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LUSK\PSja\_ska_dver.bat	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe
File opened for modification	C:\Program Files (x86)\LUSK\PSja\nam_n13ada_krasit.vbs	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe
File opened for modification	C:\Program Files (x86)\LUSK\PSja\i1_rihtovat1_bleat.vbs	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe
File opened for modification	C:\Program Files (x86)\LUSK\PSja\sensemilia.txt	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2820	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	81
PID 4948 wrote to memory of 2820	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	81
PID 4948 wrote to memory of 2820	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	81
PID 4948 wrote to memory of 4864	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	83
PID 4948 wrote to memory of 4864	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	83
PID 4948 wrote to memory of 4864	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	83
PID 4948 wrote to memory of 2292	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	84
PID 4948 wrote to memory of 2292	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	84
PID 4948 wrote to memory of 2292	4948	d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe	84

C:\Users\Admin\AppData\Local\Temp\d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe
"C:\Users\Admin\AppData\Local\Temp\d3ce203195779bd413916f0e93ac0e44ba8b3822128dc2add9cf1427b5d6abb2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\LUSK\PSja\_ska_dver.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LUSK\PSja\nam_n13ada_krasit.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LUSK\PSja\i1_rihtovat1_bleat.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LUSK\PSja\_ska_dver.bat

Filesize
2KB

MD5
c1f6c44847edcd62a5190c6659b39ef7

SHA1
dc7e957b72921851ca09fe144b4df34bc538e0a7

SHA256
947ba2d1b5d055917bc91bcaf2fd1964379dbbeeea18143b1f531d862fc837d3

SHA512
61f756b36e5cb434d5453416d98eeec3c13384e3955d3c0135a13a5b8eabf48dc69ebafa0a94a6ef333ef107b7bf74aa6f9f21148d99fa7f376ac155f74aa358

Download Submit
C:\Program Files (x86)\LUSK\PSja\i1_rihtovat1_bleat.vbs

Filesize
568B

MD5
f7a84054718f7ba4630c2fbd408bbc97

SHA1
2e4b68f91e43c3a72c78d053a51e54196be34964

SHA256
c669f4a228b56e00a55a3d9abcf9651476bb9338174dd9a241fa0640a7ba96bc

SHA512
1c752294f03ba57a9e748f7053ab59290c48289b067256944354eb9165a4366b4f2eefe5c4984d3a35f1fb615a8694162b843d24091fc5296bd3792f6c6f6ba1

Download Submit
C:\Program Files (x86)\LUSK\PSja\nam_n13ada_krasit.vbs

Filesize
366B

MD5
fcbe28bcd4521049b15afabc442975f3

SHA1
749536bd45880b67eb73b550ba40f452758a8c46

SHA256
6a922166c1044819f9611784470ef639ad115b5d600036f18cf1df06f6fc2716

SHA512
85ad40d9a5af38f13248218aa3239f9cbaedd75045104a8418a34716878a91d1267db63f4ae4e2532ba5a94578f26549b68b7257a7102fd237c4178a65e9c0ea

Download Submit
C:\Program Files (x86)\LUSK\PSja\sensemilia.txt

Filesize
44B

MD5
c6c69b6255f1e93532b6a50f0a83ce0a

SHA1
508e1a7ce422ce5c3251ea5262ffbd8db050fbcd

SHA256
9d9a25ab7f7a5210b53043ffc1ef083282c64f6276463988b4adfd076bb43af5

SHA512
f810a9f7263c27146603abd8773462178a612f7af521bacddde7d6f735882c785de5de197bac2ee35139877e2a737324830f4d2b79b1377628707ef34aac2187

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
995B

MD5
51139c8a7ce82026c7e3571dbfa32470

SHA1
8fa53a23c28652f4fa6f8dc9a22718795ae8db07

SHA256
15f683c28cf7dddcf6b3fe80c7a896038d4fc52fb709781098b8c594de1d9905

SHA512
c415397890acb02151ffd3e48648118bc7e80db775e4e857f7cf184ec8c7ae99266004d606fbc420208ec7b35531a5b34a080f01668e80315c5cf5887f24ba23

Download Submit

Analysis

Sharing