Overview

overview

8

Static

static

6af5234975...f0.exe

windows7-x64

8

6af5234975...f0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    42s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 13:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6af52349754eba830ee07cd195a7c097ff5a503509b11efa1f11705d3243ddf0.exe

  • Size

    158KB

  • MD5

    43dc56eeea5dc933dc22294de27ef3d0

  • SHA1

    a4c7de828956cd6a57f7f32523698f430c550483

  • SHA256

    6af52349754eba830ee07cd195a7c097ff5a503509b11efa1f11705d3243ddf0

  • SHA512

    2a1d252243a3756e366134e79644db9728af2dc353fd152c84beb0cb8e8c84ed76221cadb8dd39c155c0aabc8bc609fb9d68b3de5d5aa36ca43f1ec3fd35b7e0

  • SSDEEP

    3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6TAdIeT+h:PbXE9OiTGfhEClq9FKxwYw

Score
8/10
discovery

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6af52349754eba830ee07cd195a7c097ff5a503509b11efa1f11705d3243ddf0.exe
    "C:\Users\Admin\AppData\Local\Temp\6af52349754eba830ee07cd195a7c097ff5a503509b11efa1f11705d3243ddf0.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat" "
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\begom_na_zore.vbs"
        3⤵
        • Drops file in Drivers directory
        PID:1128
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs"
        3⤵
          PID:2036

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\So\Sa\begom_na_zore.vbs
      Filesize

      952B

      MD5

      8b2e3d25e22a3a1ecd0c9fff200188e8

      SHA1

      47ae75cbe91fdf2a01632fbc13138f4baeafcb6a

      SHA256

      d36f5ab1c3c5564773e2f175aa82c78dbd898fdccdaa938925c6b3d336931a4d

      SHA512

      d5f3de1989f758360ec80210f8c68374e80a7ce2c85d55081190dc012e0b8f13f323142cabe9f83a7835fbdba7b8b6e3a5e024a9375663e4decdc1563f161390

      Download Submit

    • C:\Program Files (x86)\So\Sa\nalei_tr.af
      Filesize

      27B

      MD5

      213c0742081a9007c9093a01760f9f8c

      SHA1

      df53bb518c732df777b5ce19fc7c02dcb2f9d81b

      SHA256

      9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

      SHA512

      55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

      Download Submit

    • C:\Program Files (x86)\So\Sa\niznitor.cho
      Filesize

      54B

      MD5

      cc72b575eeda1dfb03e648e3d73e9ed5

      SHA1

      b44a8e23e0af940bd59aa43371df5776a9dd180e

      SHA256

      732e2210d21771b9e682e7896877f9d48045744150abf18d7eded10789b5d78d

      SHA512

      2586c516bf44c34388eb8257fe5c24929ded993945c093820d57f46b5195d36e6a7e1a6e75da97e5a233336bfdcfd365d810ad81915ebbd5499961162157f282

      Download Submit

    • C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs
      Filesize

      179B

      MD5

      d8a6e0c537c0dc29c9420fc2e13cfd4a

      SHA1

      4ba3e8bd90492f025b0c4a4edd8b6003b5581335

      SHA256

      64a9dd83af4268a4b4b911636b3df8622c28fe8643a8529a704da48ba65dc5d6

      SHA512

      f368eceefc43dd2d194b5682a1407e5ba3bf090a2744f6742e86139616636d5d987617bfe8bc2da278421a007d008606979f66f1f4b841e1a909fe72931f5966

      Download Submit

    • C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat
      Filesize

      1KB

      MD5

      e65ef69f61ffcbd46bf09404433e33a1

      SHA1

      14a1e8eab1a96c4c55ac80e4ae2602e696d19b89

      SHA256

      0413176d4c7aa51863583a37ccd1fa5718b1435c0fa39d553780be5203708e71

      SHA512

      f1cff5fc63a1086390db7e5da1dfdc910ba186bf8d94234481af64aa69885aefc1da1e556e9e128043855b795889e93f15f14c2f47d43decd617ef3812b79cca

      Download Submit

    • C:\Windows\System32\drivers\etc\hosts
      Filesize

      1KB

      MD5

      66f8fb5907204726b018d2f4714cde99

      SHA1

      211f0f8ebb91aa290e1f5465b193528cb8c87c51

      SHA256

      e61a2ed8130b04d310791d922104ebc81501bda5226ba3bac558eab8605e29dd

      SHA512

      2055db4ab1d2f83dbf7870d10df6e53a6c935e46c5b0078945d10890faec6794a72a3e6257ba5c38d7cd09a506ce5be534e7f000cb7b0df02c76359ee8384c42

      Download Submit

    • memory/1128-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1948-55-0x0000000000000000-mapping.dmp

      Download

    • memory/2036-62-0x0000000000000000-mapping.dmp

      Download