4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4

General

Target

4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe
Size

172KB
MD5

5b06da69123e9439f139c0d9b394d4a5
SHA1

2e1e3321e0947f2321e338d80df5ec76777da22f
SHA256

4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4
SHA512

e5c75499faa38da1031c5e0f88a4f9ccbf4f3fef5f27e69b0405d52baa58e5b9563f6508ca0e10e38983927e37777f1dfeb9638f9ba4ba654899d4777cc88252
SSDEEP

3072:sBAp5XhKpN4eOyVTGfhEClj8jTk+0hax4BcPoc:bbXE9OiTGfhEClq9hGQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1332	WScript.exe
4	1332	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\111234\09091\so1.txt	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe
File opened for modification	C:\Program Files (x86)\111234\09091\ad3g3gf.bat	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe
File opened for modification	C:\Program Files (x86)\111234\09091\12wgr5yhh.vbs	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe
File opened for modification	C:\Program Files (x86)\111234\09091\45h56h56h.vbs	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1996	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	27
PID 1476 wrote to memory of 1996	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	27
PID 1476 wrote to memory of 1996	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	27
PID 1476 wrote to memory of 1996	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	27
PID 1476 wrote to memory of 1332	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	29
PID 1476 wrote to memory of 1332	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	29
PID 1476 wrote to memory of 1332	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	29
PID 1476 wrote to memory of 1332	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	29
PID 1476 wrote to memory of 1328	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	30
PID 1476 wrote to memory of 1328	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	30
PID 1476 wrote to memory of 1328	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	30
PID 1476 wrote to memory of 1328	1476	4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe	30

C:\Users\Admin\AppData\Local\Temp\4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe
"C:\Users\Admin\AppData\Local\Temp\4741076bc189ff0790ca18dc87f3ddf037a35d56c17ff82bc2c7f9c13d6f41d4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\111234\09091\ad3g3gf.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1996
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\111234\09091\12wgr5yhh.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\111234\09091\45h56h56h.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\111234\09091\12wgr5yhh.vbs

Filesize
564B

MD5
7597ebd169bef9aa1793b51822313dfa

SHA1
933cd4d24540d5e2c05bc0619f31c5f31b4afad6

SHA256
5076c9b14e3784ca3e3b502032eaf2d16a304018d68d044ce86784362ffd5a5e

SHA512
12eef8f59cdd753ea73463bb2cd7863a8e8ea4508aa40fd2f7ff064be89c588d5239bd2c2b13b7a97efb10d1d29f8d57edb76a91b0334dcfa8e63047bc33e86b

Download Submit
C:\Program Files (x86)\111234\09091\45h56h56h.vbs

Filesize
516B

MD5
188e68f626518c9a2826116c566598ae

SHA1
ebe5b6126befaefe1958ba71450169d4e27bd7f5

SHA256
044ea05fa9323b769690ffa7fce40bb5246420f54ae8fb2762bf1f60d25ba892

SHA512
d70498cafa12a453544c68721ae486ccbe9095af1826e800ec49221776d88e8594efc1eb70e1b1766dc69754516c4b239eaa9d7b77c790844eadf1f706d8cfed

Download Submit
C:\Program Files (x86)\111234\09091\ad3g3gf.bat

Filesize
3KB

MD5
86f12381185a16f153d4ec8312c41315

SHA1
abce30c6baecb05ac1f31a88a5aa4c4d3372430d

SHA256
d95828fff0817f13397ed441117e0d4dd006a4ea5583a6b146b952a725e601c3

SHA512
58aef4a23846beb2268a902edd67d94626ee61e8b62d615b77a31d6842589d3e5221388f220beff675b975a81bfdfe53d5817b94159b0ff72436878603697983

Download Submit
C:\Program Files (x86)\111234\09091\so1.txt

Filesize
5B

MD5
52dcb739af74efa5ac4af2a3c6b8a009

SHA1
ce97679b4b220bc2941de4bd895974ee131511d3

SHA256
9e2ca23fc6f1f2b7ee4417e6ea8cfdbec0a06e5f26cbc0f9706a7887e4bc7a02

SHA512
b4a0b3212f4f4e8b53e5d64e93f04db75c4644655782560dfa4c600782a90383e8a84ea4fa8fd6c46f7a8e5e4d441177cb8cddeb9e36c0c1ac38b8be61ec8563

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
5e02998444ad47d790b5fedc6a3b8091

SHA1
4f8edcde85e6fb3327d04fdbc2bec792f6fb7c22

SHA256
29c7f1301cf899e179a3cfbc4473002daec1d931ef3b506461fff48dfb196373

SHA512
087f93e2233ae56a5a6bbcec14d788dcd7ce171b369c8e2c099993cc56d42866d76eeae4ef6e751509fca978ab819faf619da355a1f17c3d92be211f66fefe2f

Download Submit
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing