db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081

General

Target

db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
Size

158KB
MD5

e4aa4bbef109d1a7095568b9c87e86f9
SHA1

64c40518ac920ddbe6c7f0db47cbdcb8f225aeba
SHA256

db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081
SHA512

5e7db3e23859ad0a72fd8fbb84f688d2f80ccdf80da8946a88b310155f64dd29d7ad63989912445ddafd024591089393eb2909c1372a5e1fc206bf29d1a037d3
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6QCnOBXcV2Ok:PbXE9OiTGfhEClq9FKx3DXI6

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ss\Tl\sklinkolo.vbs	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
File opened for modification	C:\Program Files (x86)\Ss\Tl\abrekovich.vbs	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
File opened for modification	C:\Program Files (x86)\Ss\Tl\okdodldddd.po	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
File opened for modification	C:\Program Files (x86)\Ss\Tl\indula.dha	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
File opened for modification	C:\Program Files (x86)\Ss\Tl\chelovek_i_koshkai.bat	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
File opened for modification	C:\Program Files (x86)\Ss\Tl\Uninstall.exe	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
File created	C:\Program Files (x86)\Ss\Tl\Uninstall.ini	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2620	4216	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe	80
PID 4216 wrote to memory of 2620	4216	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe	80
PID 4216 wrote to memory of 2620	4216	db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe	80
PID 2620 wrote to memory of 4960	2620	cmd.exe	82
PID 2620 wrote to memory of 4960	2620	cmd.exe	82
PID 2620 wrote to memory of 4960	2620	cmd.exe	82
PID 2620 wrote to memory of 2972	2620	cmd.exe	83
PID 2620 wrote to memory of 2972	2620	cmd.exe	83
PID 2620 wrote to memory of 2972	2620	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe
"C:\Users\Admin\AppData\Local\Temp\db9d6535fb9f0cb2b90708ea1d81f8a69bec20598442f67a640d87c51ab18081.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Ss\Tl\chelovek_i_koshkai.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ss\Tl\sklinkolo.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:4960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ss\Tl\abrekovich.vbs"
    3⤵
    PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ss\Tl\abrekovich.vbs

Filesize
150B

MD5
c189f6cf1866fd5a35e339db4e909127

SHA1
cad771878d1fa1fcc5d0d21fb4dfd5808ba9c059

SHA256
fba6b0cf83f1897829921ca5ca68a7735fa5866ebf45f5825af94ae7e655a9f1

SHA512
7d0538106ac2fa1e4048e8aaa61ec4f6e0f67447133127a947f673a625c71ac46d49aebd2a4c167f3ce91e43dbbd7992cb3b859cf3904672e298446600dcc485

Download Submit
C:\Program Files (x86)\Ss\Tl\chelovek_i_koshkai.bat

Filesize
1KB

MD5
714e8a4ff64ed1a4533e9492e2a7b589

SHA1
485b4a8229703ce28276ec0955b4cd7e2c94d27e

SHA256
c1fd279db62e055d0667ab28a948982c7739b25a546d8d462aee58e77d22de16

SHA512
ded0ff34a4120de6cf3163048aa12250dbfc7334e5f2d1acd2796c79579686b34cb87c466a490789eb29498495abb4427dfe45e2ac531d143295bbdbc69378bc

Download Submit
C:\Program Files (x86)\Ss\Tl\indula.dha

Filesize
52B

MD5
0bc93356c6e9ea8f11a3f602f575ad67

SHA1
62ead2390972c45e2da8ee962e1d98de259ce747

SHA256
0f46cf882c770c8d279c8d1b5c976cefedac5e18d2a35372b1ecc019281ad66b

SHA512
c3cbad17bc60340b343d2b678f3090807acb1466a8c31f0c4b317de07b63b0c828729d8db72126aa4db1a96aa7fd1db5edbd989eacc75893012c089fac462796

Download Submit
C:\Program Files (x86)\Ss\Tl\okdodldddd.po

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Ss\Tl\sklinkolo.vbs

Filesize
881B

MD5
118a405691ed64e0b6273b08d1ecce60

SHA1
4864ae715c1294b3e20e6546d37814d8a7d6cc7f

SHA256
33c6767cb9c5a36666cc7b51a787a0aed9780f328d3b4ffa06b9df668cd2c733

SHA512
acad5766b9fa871ea5ad15b5863f55ac11a473442b9ba4b3e604e10091527b44b30d46808de81fe490ee04be71be9fea03db9ea4855ac0974a3bd2c2e7a6849a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b1f9e83b996b9963a375d6aa48ee7004

SHA1
61a050eb36d28b3a76ecdb2fe30e3dd75fe05331

SHA256
42482cac585502a1e468bd1003e51a4ebfb3fc36c5a029e9585ea4c9fb9ab465

SHA512
f5c5b27b9c002cf1a7e416738da12258f6784ba04cab0ba6e259c29eb89c44f1a5e3373252c424b6ff397202c17fdd38e51ce21ffeeb866956780eb66d31029f

Download Submit

Analysis

Sharing