32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe
Size

177KB
MD5

792a3e07349986019021bac9f3edf042
SHA1

22451e0c86ef369df8100cf896a229768bca5701
SHA256

32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2
SHA512

5227bae9eab059d91b61e03791585f1a5738392126d0928b17604cd7ffe07033ce4f6273947ba69ce86352c98c9f6638b056d1dcd8da3dcb7c91c0a412a4ba30
SSDEEP

3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hVHeAx05aA7IU/wOrN4AFh:WbXE9OiTGfhEClq9uHTx0v7IZOJ4AFh

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	4288	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\insta2\insta\data.txt	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe
File opened for modification	C:\Program Files (x86)\insta2\insta\gudilebedi.bat	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe
File opened for modification	C:\Program Files (x86)\insta2\insta\letelimimo.vbs	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe
File opened for modification	C:\Program Files (x86)\insta2\insta\okkk.jpg	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 4956	384	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe	80
PID 384 wrote to memory of 4956	384	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe	80
PID 384 wrote to memory of 4956	384	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe	80
PID 384 wrote to memory of 4288	384	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe	82
PID 384 wrote to memory of 4288	384	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe	82
PID 384 wrote to memory of 4288	384	32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe	82

C:\Users\Admin\AppData\Local\Temp\32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe
"C:\Users\Admin\AppData\Local\Temp\32295555d0432f01dc85c893e71b84bade6fbb5a735a594339d5dd635ef261b2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\insta2\insta\gudilebedi.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:4956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\insta2\insta\letelimimo.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\insta2\insta\data.txt

Filesize
1B

MD5
c9f0f895fb98ab9159f51fd0297e236d

SHA1
fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f

SHA256
2c624232cdd221771294dfbb310aca000a0df6ac8b66b696d90ef06fdefb64a3

SHA512
bc23b8b01772d2dd67efb8fe1a5e6bd0f44b97c36101be6cc09f253b53e68d67a22e4643068dfd1341980134ea57570acf65e306e4d96cef4d560384894c88a4

Download Submit
C:\Program Files (x86)\insta2\insta\gudilebedi.bat

Filesize
2KB

MD5
eac346602eea0e2d41ac58f1fff13aa9

SHA1
2dbd5b6ec668bc4a7cc4cf4605f93d9badfdbb09

SHA256
bc647fef24e1a7bdc8575064047d423fc28591857a65d1237870a05578594ef4

SHA512
e78bdb8d7295998d81d0f2725b3b1187fa6fe532b42e1f19236cd695039397572e4b61f3c172b9ab8fe75934607174ba180ca4b2ca865703cfd16d8c41e636aa

Download Submit
C:\Program Files (x86)\insta2\insta\letelimimo.vbs

Filesize
864B

MD5
a8ab8501377f6044feb979e74c91652c

SHA1
06fd366e5a8d1b0fb1fc8eb9461431abee587501

SHA256
d74f0f98fd61752ebf3fba8be07187439c803441a9c9c7dc5e4bf9b55eda1447

SHA512
f9f62f01c6c6d35bd072f2eabfb80b35aa2c7a04b8c298b0167de98015de58c2a81b97a41b8690accf3a306f1895eff67585198793472065c1f6988272bcc7b0

Download Submit
memory/4288-134-0x0000000000000000-mapping.dmp

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download