d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67

General

Target

d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
Size

238KB
MD5

4393bda6237383acfac0b03f1c3ae61f
SHA1

534e51a77890bd2ef0d7b2fd3e4d7286a67b57ed
SHA256

d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67
SHA512

87ee81e1911855c0ba83938279e6ce1542ee06829e95988c8d1453e6d72e1d6f40c3f79993c7f678b6476003c2734927f2696f43e19d71c2d05906df4bdd3f29
SSDEEP

6144:MbXE9OiTGfhEClq9528TfdRoWRg+lN5JJUm:oU9XiuiJ8DRxlH

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1492	WScript.exe
5	1492	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.ini	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File opened for modification	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\Uninstall.exe	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
File created	C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1712	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	28
PID 1400 wrote to memory of 1712	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	28
PID 1400 wrote to memory of 1712	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	28
PID 1400 wrote to memory of 1712	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	28
PID 1400 wrote to memory of 1492	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	30
PID 1400 wrote to memory of 1492	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	30
PID 1400 wrote to memory of 1492	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	30
PID 1400 wrote to memory of 1492	1400	d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe	30

C:\Users\Admin\AppData\Local\Temp\d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe
"C:\Users\Admin\AppData\Local\Temp\d7b0d1f6981c1df80f0b10889402c1e075f083b74105c4a67efa60c573c4ce67.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sri teplim kalom\singaraja eto les\fresh_meamings_cold_not_to_be_hero.bat

Filesize
1KB

MD5
a7d229b8bb48c2aa979a63a852a8c8ac

SHA1
b3a074bade8a761ce207e717b01bb1f4aa4241b7

SHA256
583b363c3b215bb1a01d668757003741baba59f51f0f4b42507d1fa35bdada9b

SHA512
5a4809ad8f9c3d6299abd760c1eaca511f0e491897490ea1544c3c1921ae0ba2361e39726d79aeb165f377ba18d71d999046cc04cd85ffaf5627ce96e8041a9b

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog

Filesize
97B

MD5
de237cd8b09ab54e70f56b1209d5f973

SHA1
4eae759f7264f1dcd7350399ecea648b3ebba619

SHA256
f31e442aedc63168503f7d913fadda7debd2fc0c0259ab17fe1af3870dbda2ec

SHA512
e0af4fc3ace07785da84eb3772f1fc8416f3b99f1ec576a7832f801987909dbcb7465cf10513012538e2f28fa0577d2bd3b8fbcfd43b12235452667d9379c4bd

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll

Filesize
1KB

MD5
468dcabec01fda55f1f75354f8bf22f5

SHA1
230fda1f911fe9628862d9799f1ef341691c75b9

SHA256
6a8569bf3bb20857b553e45a85be0e2160a67a499a51f2d9db68154304f1015f

SHA512
266a68124bddea1ff3410c3fe50b39ed94a5a02b7e72c15a79f4958256fe60a51f7c82b2b57484d86c897453f3c696d4ce61172145e39af6c40e3e7094703dfa

Download Submit
C:\Program Files (x86)\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs

Filesize
1KB

MD5
468dcabec01fda55f1f75354f8bf22f5

SHA1
230fda1f911fe9628862d9799f1ef341691c75b9

SHA256
6a8569bf3bb20857b553e45a85be0e2160a67a499a51f2d9db68154304f1015f

SHA512
266a68124bddea1ff3410c3fe50b39ed94a5a02b7e72c15a79f4958256fe60a51f7c82b2b57484d86c897453f3c696d4ce61172145e39af6c40e3e7094703dfa

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
3b07adfa651bb5cc82c1617d48f1ac24

SHA1
d035f283e4fced6b0d530deb05e0f16e743f5add

SHA256
0ffa031d9207ca351e3c994359950ece081dd39bde570e3fb7d80ee8f1473e37

SHA512
851698ac678f6382b980366e74c8327929ae2681179f6f834c3650777202714129dad1032c5052c9aae9883fa8141b58160069956aef3f534c27bcab5e5a5c4f

Download Submit
memory/1400-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1492-59-0x0000000000000000-mapping.dmp

Download
memory/1712-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing