e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1

General

Target

e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe
Size

180KB
MD5

be26ebd5fcac015c6664fb43f23ce6b7
SHA1

cbfdca18519fdcc79e628345221896956ea2aa49
SHA256

e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1
SHA512

17e6af91acdf6a12dc196d8ab70747a7f62170aa06c069b8a8c273014331fca750e0fdd6651fb12d7c949e0654b88c1d24ec711680329714f96c7bfb046f7383
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0h1wk09+g8FCc5:3bXE9OiTGfhEClq97k09+Dt

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
39	2748	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\aguram\_______22222_______.vbs	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\aguram\popizdota.dot	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\333\123456789876______________432.bat	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\aguram\____000000_____.vbs	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2416	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	84
PID 4280 wrote to memory of 2416	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	84
PID 4280 wrote to memory of 2416	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	84
PID 4280 wrote to memory of 3584	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	86
PID 4280 wrote to memory of 3584	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	86
PID 4280 wrote to memory of 3584	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	86
PID 4280 wrote to memory of 2748	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	88
PID 4280 wrote to memory of 2748	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	88
PID 4280 wrote to memory of 2748	4280	e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe	88

C:\Users\Admin\AppData\Local\Temp\e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe
"C:\Users\Admin\AppData\Local\Temp\e3292497d937770201813637e98233305eb05c40dfe96a1395d5a9ae68bfaaf1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ollli\take me to the hospital\333\123456789876______________432.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ollli\take me to the hospital\aguram\____000000_____.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ollli\take me to the hospital\aguram\_______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ollli\take me to the hospital\333\123456789876______________432.bat

Filesize
2KB

MD5
008517be7057dc4199ac0dd995af6302

SHA1
2cb52a398a92516248478dd523290023f5aa517a

SHA256
4cd54e6c80f2b697f4acd09da31c87f66cfaf93988d552b539ec7391dc399406

SHA512
d675d1f1db384e8401aad0a4b413e2abd48105386aaa8eb3a7981aa3e8232dd101b2c9cd549dec55c2db0421fc573107aeace85494524d9e153d1b13f61b7b78

Download Submit
C:\Program Files (x86)\ollli\take me to the hospital\aguram\____000000_____.vbs

Filesize
798B

MD5
cd4305e87ea28561bd699634abe11965

SHA1
2a176df2d6e8961d474afbcb7c1d72984359b8a1

SHA256
5c8511ea7ecb99bd13a3c9156ce8b561b5dfbe1fdf886939642048090a9c6280

SHA512
fce3252c9d823a2820ef293258ea04872c05e442d262a2bf8661808a3f4104b3f984fe5eba815d359a02f8c340c13ef3963c67d672b4e9bb681fd852c818b178

Download Submit
C:\Program Files (x86)\ollli\take me to the hospital\aguram\_______22222_______.vbs

Filesize
592B

MD5
36939b6bc2db512f71e340765af38bda

SHA1
60119807c0c79111cb05fd5c1a84ee9d8438de91

SHA256
0044582a7d97e84aa914515458e1b7d2e0cc5913cbf3ac947278e86aed867a8a

SHA512
a74f8b29907588fa63c74befaac57d6ce524fbf086a31a44976d685ebe55bc24e9c7caab6a37d766089aefd8f69032872665cc6548beabaac06e750c41b37bcf

Download Submit
C:\Program Files (x86)\ollli\take me to the hospital\aguram\popizdota.dot

Filesize
52B

MD5
79643ab77f4bca54c08d38bea956a147

SHA1
8e6f24a9ac1f296e3f0ce6eea8dfc9a229563449

SHA256
1c0b8637974a3b3b0364bb6d46ecf40d0cc5b19b9fa12c7b13c90e8da099c0a9

SHA512
43cc43ba7bb2c2dd84df783644bb93bfd0f17f61d18c548f9f3914ceef32fb62ae2567d2fd2d3ec766d7f003a1c87a95a46ef901404e371bcaf392cf8a2176b4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f062f97c4d2e75a3dd96f63673284aa9

SHA1
c730349adf34338075ee3359d94c20a399f17e3e

SHA256
61f411c721f976b55d3c88abc4fa27c05313d46a3170e51b59875adca7c3d0e2

SHA512
b1a820e1eef699ce3b3a437d9f8548aa4955e06446d54751f331caa19ef5322b9d408837dee0124517a0f7e5be6133e50d7081019db6b9cce8be4601b304b781

Download Submit

Analysis

Sharing