5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51

General

Target

5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe
Size

128KB
MD5

a53a8f1311fc463ec059843d59b2ac8a
SHA1

91246bf9d2d0fb35f933463dbeaf388708408cf3
SHA256

5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51
SHA512

29a0ee34c4edf6c84368d140286b6852118bfefe904f9551b212ef7dcfa26a2858b9e92c40fbcf8ebc43a6c18557de1b8dd9a3723b3ab132c139a5f8a2b08b29
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz610hO:PbXE9OiTGfhEClq9FKx3g

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	3792	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Fe\Oa\a0000000.vbs	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe
File opened for modification	C:\Program Files (x86)\Fe\Oa\b222222.vbs	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe
File opened for modification	C:\Program Files (x86)\Fe\Oa\cizfffffffffff.az	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe
File opened for modification	C:\Program Files (x86)\Fe\Oa\kk099999999999kk.qrw	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe
File opened for modification	C:\Program Files (x86)\Fe\Oa\ooooooooopopopopopopopopopppopopo.bat	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2972	2224	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe	82
PID 2224 wrote to memory of 2972	2224	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe	82
PID 2224 wrote to memory of 2972	2224	5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe	82
PID 2972 wrote to memory of 3980	2972	cmd.exe	85
PID 2972 wrote to memory of 3980	2972	cmd.exe	85
PID 2972 wrote to memory of 3980	2972	cmd.exe	85
PID 2972 wrote to memory of 3792	2972	cmd.exe	86
PID 2972 wrote to memory of 3792	2972	cmd.exe	86
PID 2972 wrote to memory of 3792	2972	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe
"C:\Users\Admin\AppData\Local\Temp\5ba32928ab5660b4ef53179020dc7af86793aa0bbc0a825bbb43b8187eddeb51.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Fe\Oa\ooooooooopopopopopopopopopppopopo.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Fe\Oa\a0000000.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:3980
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Fe\Oa\b222222.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fe\Oa\a0000000.vbs

Filesize
1KB

MD5
58eeef7fad223983c70b5d0c91aba472

SHA1
b42ca4c0b460f92d70bd0f3833b225a107a52cfe

SHA256
6d80a4d9927fae66e838dc195c857630a81ffc970cab587778e1dea21cff49db

SHA512
e85edb73a639fe947904960956a28d701dee62d1c434ffb11b1d55254705eaf335524c4240bd7dfd22d455acdee68d6600d03f95298ee466148faf58aa680432

Download Submit
C:\Program Files (x86)\Fe\Oa\b222222.vbs

Filesize
161B

MD5
6da20de23e1f5a3acb94c7cf8255f4f7

SHA1
a02641becbafc4e412836d83ce91e7b77766aa8f

SHA256
61d441fad4482638801440e386aecb33790072549a809fa11f6f5a9e5e33baa6

SHA512
3ecca53e7fd31b883ebf338dac94ea1035cdc8324405d7c5b78cada5b0582c6006302768a6d273bf5e5d472ba7693bebe61c09d7adb91fe3923e86833dd4e3f0

Download Submit
C:\Program Files (x86)\Fe\Oa\cizfffffffffff.az

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Fe\Oa\kk099999999999kk.qrw

Filesize
65B

MD5
3e08a7aa432b615b5d0a8d01704b20c1

SHA1
db1f8fa524f7b078404466d3175f371c39aabb83

SHA256
e6ff55027225808db193cc6367122b7285f101150bd49333cb872e3266d46cd9

SHA512
0048d76339bf007e53c04c71aa0982ab09082c51fd8533ca652610bb54481e123dea4fb80653585d5285651ed85b4093308bed50b68cbfe75afd32714d670785

Download Submit
C:\Program Files (x86)\Fe\Oa\ooooooooopopopopopopopopopppopopo.bat

Filesize
1KB

MD5
8a1bc74671d1ae440b547d568ee9ba5e

SHA1
8b6d40bc8eb9e258973158f31dae105bb3b6ac1a

SHA256
eaa6c36f24f5ce76a862b386b3bd32fe1f1cb257ed6fbae2195ce95605e11bdb

SHA512
2c80d739e34a0bf2da07c94002c9973cb713f399bde1f5a28e1945c4e0b393202acfcee607ef3e2243e7a93c30df5728243706f5c51de888c1e0711d22fee1b6

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
fa5a7d396b64b941e2cec0c8d66f0e6f

SHA1
f2fd1168e6333006b18ed91543b86828ee8f4cb1

SHA256
0ebcd0c0b2481f529f3f831e2baf53a394dab79369dbd2004205982927972349

SHA512
3ba02e9b013ff0c2ec1ca7846a58c830f271064d3eb6a2e0b13f158a94e40c2436fb935ff45c31ce77cb89a9651f41174fe91b6125496cc85c46a60385cbce35

Download Submit
memory/2972-132-0x0000000000000000-mapping.dmp

Download
memory/3792-138-0x0000000000000000-mapping.dmp

Download
memory/3980-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing