f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b

General

Target

f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
Size

180KB
MD5

13da87e3d84c4f19d4e073eccf5e29f2
SHA1

fa3ea8a1095144192599f8be96a3f5cd03a0e334
SHA256

f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b
SHA512

d5c9a09a41f9bd72ad01e1ad34b4d770eb5bda60fcc79c143818b106ec6921b9c99c6a46e9f726a81dd91a03fa7e59034a4395346a9de141b3f831d9efc19f25
SSDEEP

3072:OBAp5XhKpN4eOyVTGfhEClj8jTk+0hJiaqR//1Wcjej5EqhnBWz9T6M33rb2p:lbXE9OiTGfhEClq9mqR//1Wcjej5Eqh3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2496	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
File opened for modification	C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1388	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	80
PID 5044 wrote to memory of 1388	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	80
PID 5044 wrote to memory of 1388	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	80
PID 5044 wrote to memory of 3016	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	82
PID 5044 wrote to memory of 3016	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	82
PID 5044 wrote to memory of 3016	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	82
PID 5044 wrote to memory of 2496	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	83
PID 5044 wrote to memory of 2496	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	83
PID 5044 wrote to memory of 2496	5044	f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe	83

C:\Users\Admin\AppData\Local\Temp\f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe
"C:\Users\Admin\AppData\Local\Temp\f31bdcd179f316b4d517e9394026a52c5736e6abd8ac94e862fd49f23f785b3b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:3016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hulioeglesias\give me malchik\ebi_manya_kon\so_my_name_is_brus_dick.bat

Filesize
2KB

MD5
ff084e6e7dc5c24496a80a202eab9d6d

SHA1
e26087d935c9769392eb08f73ff60577b282a3fe

SHA256
7ccb5d0a48b3162a2ad3a92baeac8d5de8231f78755d2a12ad9855e26664eb96

SHA512
c7851f6e768e4481e1f4b3a8968712a0cc50f498c5e83b51d1ee0d51f1bfb3df37970e08c70fe288e04d36ce98f06057dacf7a1ac511153c3813d065de6f3a3c

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\ebi_manya_kon.rud

Filesize
33B

MD5
332d683ba552d67383ad13b6ce9ba772

SHA1
0017392ee6adb57e4b8f71e54bf24e606eaac773

SHA256
d6d630ef2f0879dc1e12b44bdc2092c7b0d72df3c1cf48b3117b63cea98fe752

SHA512
143fbb1abf9b0307f35343d08ff49ca0e5d1843836fa36033260d7a34a2081ffe9b13e97b2de5517648cbc38e4a509a53fa37bfe09952ed8873602780014292e

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\krasota_ta_kakaya.vbs

Filesize
916B

MD5
67e1d51993ed12432fd75fd20092a917

SHA1
c08fbfb72aad721c0d6e2462b95f4791aaf254b7

SHA256
51e3215c072e2736d8e0f0dfb214576ebe9be0d65fbad14da390b22bc1174398

SHA512
35ce72b6de2e3cab059245529770e100527afcaada2344a88ba01a4e3ffca7dab372d88515a82fa4465961a6552460f9e6951fc377f6e4422881023f96ba19df

Download Submit
C:\Program Files (x86)\hulioeglesias\give me malchik\kandyvi\prich4ki_pouuuuut.vbs

Filesize
659B

MD5
01f4fe67b1f826d41ec440ec43256da9

SHA1
4ee7038e44a2e8387b1f7247ecb2c50a9af040d7

SHA256
4d06cd27e90aa2089d95d95e2277eae858861b084f8d066c5616121c79e861b5

SHA512
1ca9f4eb2bd16de93561b094f58259fdd94d6b227a57d2a218919acf24da124f6974eba3ebb1d65ed4d1a4fe0a871661dbc227eac83836aed0678ae9bfb9d22d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7f50b4c32bd25de2b4a756cde4f9bb9d

SHA1
0e20ddfe6c3272c895900217849eb5bc3597d387

SHA256
0ca2cd50aae4247a9cbac2f5f3800812b8b7085485075d1aa09cdd17a7b9bc28

SHA512
d38d0a90401ecded9d7e2c17480df2040ecab49d47d0b1ae3752a4d83e0c8670c6119b33cc895de5c46269592a5e3ddb897ccaa5967ad6e0f289e99a8ae762d4

Download Submit

Analysis

Sharing