e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062

General

Target

e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe
Size

128KB
MD5

034f86d151318e67cfd502d170a1c820
SHA1

4e98c5e602d77bf65ce51b6d75cd2385930387af
SHA256

e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062
SHA512

700e412a525414bf451b4d6948d711f898d966d2565813ad045d626e5d7fe02401144e4cec5619cf547ffd346acb4836a11668b1db738cd39fd735fcee50832a
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6T2pf:PbXE9OiTGfhEClq9FKxJpf

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
65	2112	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ka\Mi\tvoiglaza.vbs	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe
File opened for modification	C:\Program Files (x86)\Ka\Mi\la.don	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe
File opened for modification	C:\Program Files (x86)\Ka\Mi\gon.vo	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe
File opened for modification	C:\Program Files (x86)\Ka\Mi\111111111111111122222222222222222222222.bat	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe
File opened for modification	C:\Program Files (x86)\Ka\Mi\lubvipozar.vbs	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4284	4876	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe	81
PID 4876 wrote to memory of 4284	4876	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe	81
PID 4876 wrote to memory of 4284	4876	e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe	81
PID 4284 wrote to memory of 4588	4284	cmd.exe	84
PID 4284 wrote to memory of 4588	4284	cmd.exe	84
PID 4284 wrote to memory of 4588	4284	cmd.exe	84
PID 4284 wrote to memory of 2112	4284	cmd.exe	85
PID 4284 wrote to memory of 2112	4284	cmd.exe	85
PID 4284 wrote to memory of 2112	4284	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe
"C:\Users\Admin\AppData\Local\Temp\e0a423ec4e8478d81d99349e432321adf6566d026a93d2e8d805c9aee6a25062.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Ka\Mi\111111111111111122222222222222222222222.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ka\Mi\lubvipozar.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:4588
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ka\Mi\tvoiglaza.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ka\Mi\111111111111111122222222222222222222222.bat

Filesize
1KB

MD5
17348600b6be25228cb8a3b7b6fd6093

SHA1
7cc99be41f82d86ff30aece251bade3baf9430bf

SHA256
483bb6a1df61beb89eff5eab5da4f4763b74e0e91913217086896939726c82b2

SHA512
ab0494657722cb610635f5524a75e95b7ceea8fe2448d36e5d4e0d461aa3b9ed4fbd7fb2c4b453827ff6073c2161bfe5592491aebb07b2ec997e40e76b90f93d

Download Submit
C:\Program Files (x86)\Ka\Mi\gon.vo

Filesize
70B

MD5
8196ee392182427c07580922975315f0

SHA1
c592d094fe5e74a94c22bcc3394328c63b842bb7

SHA256
4778ccf7e346cb042a07952bae24bfee5affc0d3c44c1c66692b84533b1e92a5

SHA512
1746fa872f7b3fb08649cc7f006ee99cc50cd8d06019e1d6abfb08999b8a1e3e182214fc892ace1db837b70d53a61a6bbbadb49890eb1f973337e9bbdd1b7b9b

Download Submit
C:\Program Files (x86)\Ka\Mi\la.don

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Ka\Mi\lubvipozar.vbs

Filesize
1KB

MD5
17038621377eb06b09e6b793b90ef7d0

SHA1
061f069da7d0b26d603d6b0dce10afc2fbbe9fc4

SHA256
bdfafcd99c5d74204719e318f41675eaf8f64272e36010d0676117d34ceceaaf

SHA512
7e70ab5e7b1ef9986e3aa19da8bd1da452e33dbc99c4b21556ceb524e260f7b1a98543d48fd50a57d7ba5a27c32b33293e96c167489600cf107cb772d1187c2d

Download Submit
C:\Program Files (x86)\Ka\Mi\tvoiglaza.vbs

Filesize
434B

MD5
cc5a3c644fe9150e5ae324d9f2f30053

SHA1
bc36ce714299db3c6d363721645f3a7fc5a9fbc1

SHA256
d8abac8b8966cb2a36f52a22eea992fe5efde81da7416f960288635f8eca75b7

SHA512
bc0e30436c31693062a68cc80fcb869ae2e847f73a22a65f86d104f68c50152a36a73f2172982168e3c75c06ca8b40301e9e2376b96aeb7f117a5404025a01fd

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7b05897ad866dbd5956e1f25939490cd

SHA1
c43e2122f5db6b1ac4395377540e31b0324ca1cd

SHA256
00138160ae648c67e7a710f22efe23892a596fc875a160f91ea6feeb7f1dd464

SHA512
2d44d5a3e70bfb71baf84d0ca56c9f7a39d9609a58a1660bc0ff244fa5b8c49d2911c2a980477ea72a7539ee55544766287f6ee1716ce6d6fa66f266ed0198c7

Download Submit

Analysis

Sharing