757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf

General

Target

757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
Size

239KB
MD5

4318387139d9e7dced22208567eb3a0c
SHA1

919e43e34d0291030039af1e42dc007a57b1054b
SHA256

757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf
SHA512

db564f620b8671d35fe162a5e03a744fe4935ce37bde31af500b138f7b1c90830506e72950b673d50ba8abe1d63d8650b3b16c84fee4de508edd459614b04881
SSDEEP

3072:OBAp5XhKpN4eOyVTGfhEClj8jTk+0hbRBrICPwXAFxTTw1BV56nt1UrknjaT5/ey:lbXE9OiTGfhEClq9aW6EBMb1CJJUG

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1340	WScript.exe
5	1340	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\win23driverKernek\batreya\sloupokerstvoederosngoejbfawfw3jfbkksksh0o3i9f.gggggg	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.ogo	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\russkaya_vodka_chto_ti_natvorila.bat	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\russkaya_ssamogonka.oik	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\russkaya_ssamogonka.oik	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.ore	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.vbs	cmd.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.vbs	cmd.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\Uninstall.exe	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\Uninstall.exe	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\Uninstall.ini	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\russkaya_vodka_chto_ti_natvorila.bat	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File created	C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.ore	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\sloupokerstvoederosngoejbfawfw3jfbkksksh0o3i9f.gggggg	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
File opened for modification	C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.ogo	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2024	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	27
PID 1028 wrote to memory of 2024	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	27
PID 1028 wrote to memory of 2024	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	27
PID 1028 wrote to memory of 2024	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	27
PID 1028 wrote to memory of 1324	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	29
PID 1028 wrote to memory of 1324	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	29
PID 1028 wrote to memory of 1324	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	29
PID 1028 wrote to memory of 1324	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	29
PID 1028 wrote to memory of 1340	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	30
PID 1028 wrote to memory of 1340	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	30
PID 1028 wrote to memory of 1340	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	30
PID 1028 wrote to memory of 1340	1028	757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe	30

C:\Users\Admin\AppData\Local\Temp\757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe
"C:\Users\Admin\AppData\Local\Temp\757f8a7c68596eae45246704531031f96d3eed5080ecf0a9fb44c595a36c36bf.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\win23driverKernek\batreya\russkaya_vodka_chto_ti_natvorila.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.ore

Filesize
820B

MD5
4e0ba70e25a10a41ab7f3df17350884b

SHA1
530967e7981801923e11fa1c7016ee96cc4fcf2a

SHA256
faf5106c623b2604eaeb4e660e5a2773a5c8f77fcfaf17fb2f3de8a95f368e24

SHA512
b1cfcb19de374a8172f033b9865a66a5de71cea7b4fcafef56b138b1d9d8ec96f4f197f87112ffbb80c4b10c7027d3433cc5b1b0082ac0a6eaafb15e45fa7c5a

Download Submit
C:\Program Files (x86)\win23driverKernek\batreya\blevantina_edet_na_more.vbs

Filesize
820B

MD5
4e0ba70e25a10a41ab7f3df17350884b

SHA1
530967e7981801923e11fa1c7016ee96cc4fcf2a

SHA256
faf5106c623b2604eaeb4e660e5a2773a5c8f77fcfaf17fb2f3de8a95f368e24

SHA512
b1cfcb19de374a8172f033b9865a66a5de71cea7b4fcafef56b138b1d9d8ec96f4f197f87112ffbb80c4b10c7027d3433cc5b1b0082ac0a6eaafb15e45fa7c5a

Download Submit
C:\Program Files (x86)\win23driverKernek\batreya\russkaya_ssamogonka.oik

Filesize
140B

MD5
659e43ef650eaec848d8788da35aa996

SHA1
6927370e1784c1bc7b4d241d8fa90acc5aa14e25

SHA256
e6e05dff5e39f0f2458cba0a8c2ea174c79ee7cbb297db8cd21a22bbc39fcb94

SHA512
f845530e6a1aa27b672ed9fa96e5ce3231ebafe7b688815172ba013218fd9140fd7d30319794b61258dbc3c104f0dffb10ef991da6a72afb8baf033e83c4791f

Download Submit
C:\Program Files (x86)\win23driverKernek\batreya\russkaya_vodka_chto_ti_natvorila.bat

Filesize
1KB

MD5
178d818ea699240c8f94ff2be71f09b7

SHA1
03b2a96532999a284120bd8dae0d4e12b592b6fc

SHA256
e2d4f27be285ebc24eb48a96663b7a1ce5510d91120fb8a75ec4700d874a445a

SHA512
9c2c58fbf7a17e666a56aa3b791df3254d397eefdbe2063c7235b718dcc41fdbf8c1e99099aefea629e3513b9ded6aab986edf38e48da3cc507d82781c077144

Download Submit
C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.ogo

Filesize
689B

MD5
2ee41d11db94e703fb0c2ed233cebb09

SHA1
aae4a0b05a112060f19a7d851aa32f2f02fe4670

SHA256
daecfc85967a5c12620ad05274e70d969d7f51fe368dbaa588d530f341ada135

SHA512
78f6120559d75322d6bc0b3a638d980599ddf81fa28f403dd751ff89b5544d6a4303660b91d07e4ce077155ef67240d2bc8f6c5561ec033ce8ad162cd400c170

Download Submit
C:\Program Files (x86)\win23driverKernek\batreya\stolprovodetokompstoitnanem.vbs

Filesize
689B

MD5
2ee41d11db94e703fb0c2ed233cebb09

SHA1
aae4a0b05a112060f19a7d851aa32f2f02fe4670

SHA256
daecfc85967a5c12620ad05274e70d969d7f51fe368dbaa588d530f341ada135

SHA512
78f6120559d75322d6bc0b3a638d980599ddf81fa28f403dd751ff89b5544d6a4303660b91d07e4ce077155ef67240d2bc8f6c5561ec033ce8ad162cd400c170

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6c29553f3f6ab0bfd34f3c884fff4148

SHA1
a309f00b1fb4c47b85cc7ea571ade0bcd1a7f55c

SHA256
11611affd90654690af7954f5b431ac956714e92a573f3e2d4e5143d11dffa73

SHA512
d46b01326c1d0644094783900b25f1de3a49dd632583228f0ffc1dff813d0ecc3a3d07c3d7e0e8599b68695f87d2099d26e8a5d6af3dae349e24cb876c385fa6

Download Submit
memory/1028-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1324-60-0x0000000000000000-mapping.dmp

Download
memory/1340-65-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing