dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132

General

Target

dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
Size

158KB
MD5

d739e0efedc6dd131cc897d60b1876a6
SHA1

f5b4c26558e689daec91859619133fa14e0509a7
SHA256

dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132
SHA512

38cf5c693492d634f5a1d57ef666580cd243a12a8dc775fd5f183eabe7c6d3a2230296c0a37bd5fb4f4cfda89ffa08f1abb73cb7e1c1defd3a52e53c711017fa
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6R1/8FVDDe:PbXE9OiTGfhEClq9FKxWWF5De

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\So\Sa\Uninstall.ini	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
File opened for modification	C:\Program Files (x86)\So\Sa\begom_na_zore.vbs	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
File opened for modification	C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
File opened for modification	C:\Program Files (x86)\So\Sa\nalei_tr.af	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
File opened for modification	C:\Program Files (x86)\So\Sa\niznitor.cho	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
File opened for modification	C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
File opened for modification	C:\Program Files (x86)\So\Sa\Uninstall.exe	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 680	2008	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe	28
PID 2008 wrote to memory of 680	2008	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe	28
PID 2008 wrote to memory of 680	2008	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe	28
PID 2008 wrote to memory of 680	2008	dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe	28
PID 680 wrote to memory of 1556	680	cmd.exe	31
PID 680 wrote to memory of 1556	680	cmd.exe	31
PID 680 wrote to memory of 1556	680	cmd.exe	31
PID 680 wrote to memory of 1556	680	cmd.exe	31
PID 680 wrote to memory of 884	680	cmd.exe	32
PID 680 wrote to memory of 884	680	cmd.exe	32
PID 680 wrote to memory of 884	680	cmd.exe	32
PID 680 wrote to memory of 884	680	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe
"C:\Users\Admin\AppData\Local\Temp\dd0fa6af98204c6e0731c6591b6561ed23145f7038029fe55c32b4a7e6872132.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\begom_na_zore.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs"
    3⤵
    PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\So\Sa\begom_na_zore.vbs

Filesize
952B

MD5
8b2e3d25e22a3a1ecd0c9fff200188e8

SHA1
47ae75cbe91fdf2a01632fbc13138f4baeafcb6a

SHA256
d36f5ab1c3c5564773e2f175aa82c78dbd898fdccdaa938925c6b3d336931a4d

SHA512
d5f3de1989f758360ec80210f8c68374e80a7ce2c85d55081190dc012e0b8f13f323142cabe9f83a7835fbdba7b8b6e3a5e024a9375663e4decdc1563f161390

Download Submit
C:\Program Files (x86)\So\Sa\nalei_tr.af

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\So\Sa\niznitor.cho

Filesize
54B

MD5
cc72b575eeda1dfb03e648e3d73e9ed5

SHA1
b44a8e23e0af940bd59aa43371df5776a9dd180e

SHA256
732e2210d21771b9e682e7896877f9d48045744150abf18d7eded10789b5d78d

SHA512
2586c516bf44c34388eb8257fe5c24929ded993945c093820d57f46b5195d36e6a7e1a6e75da97e5a233336bfdcfd365d810ad81915ebbd5499961162157f282

Download Submit
C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs

Filesize
179B

MD5
8e2869601926526525b0c8380e639e24

SHA1
a11c6630d59a1aeb49a6e44b757d265f0822f4c6

SHA256
d1e2850b761eb722fa296f755d4f2a4928e29b095e0364ce8a6aac19074f7bc0

SHA512
792478f98b55aa649b18c8ad51c2c7e52a6c0dce62f8dcada382a01640f0d71079efc22bb9b4df2ac583d93c5b49f0169da93de22d3a19e4364b6a104ef47932

Download Submit
C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat

Filesize
1KB

MD5
3a9bb75c5c11493fb504b9eb073eab62

SHA1
b56df9e2b20ceea77e8a02add94dbea3bfd6f2b7

SHA256
1fbc938474679564751822e9df99c7c5c6491eb20c6ee342e304bfc2f521bb28

SHA512
3c23ca9cfbc6c82329b81406b4a3370a0c1189f1ca3b767b90f23920407883a026083a1b24ad2f39a9c2bf25ddad2d47e007c399027abb9a32cea3b0484da761

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b885a17f77f15785f3e84b6a7280e641

SHA1
16f481a03817326d53376af773a3570ee3ff4ed7

SHA256
e5dcaf1283f3bdb34079b412849617440d00cb9eb77f4cf48ffeae05a619d8a1

SHA512
fde4577d33f63250478c27788e44972a0b5ddce8fcfdc5cecaa85dac649e19fcdda20eadce5ca022258fad3551e6c173f9a1ba5c892c1ee0d1e26a5282536750

Download Submit
memory/2008-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing