20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8

General

Target

20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
Size

158KB
MD5

f8c5780eafebecc7095930066b93ba9f
SHA1

eedca839448d64723075015256f4cd7108159114
SHA256

20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8
SHA512

05ff458152cc28d14dcdc47e3cd3c17930ec80ed92b7bed33ffab3a082c5555af078af0c8bc8a5fd96ae3b9f8bd2948e5f9b55bf6a46b8fc756012fd4c7df16a
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6FHwHCyeGPhsJ7Nnp:PbXE9OiTGfhEClq9FKxwQiyVhsJhp

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Li\Es\bolshe_treh.me	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
File opened for modification	C:\Program Files (x86)\Li\Es\plashutnaokoskei.bat	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
File opened for modification	C:\Program Files (x86)\Li\Es\Uninstall.exe	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
File created	C:\Program Files (x86)\Li\Es\Uninstall.ini	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
File opened for modification	C:\Program Files (x86)\Li\Es\nunenadaeto.vbs	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
File opened for modification	C:\Program Files (x86)\Li\Es\nachinatnam.vbs	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
File opened for modification	C:\Program Files (x86)\Li\Es\kakunaso.ka	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 5036	1768	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe	80
PID 1768 wrote to memory of 5036	1768	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe	80
PID 1768 wrote to memory of 5036	1768	20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe	80
PID 5036 wrote to memory of 3392	5036	cmd.exe	83
PID 5036 wrote to memory of 3392	5036	cmd.exe	83
PID 5036 wrote to memory of 3392	5036	cmd.exe	83
PID 5036 wrote to memory of 4540	5036	cmd.exe	84
PID 5036 wrote to memory of 4540	5036	cmd.exe	84
PID 5036 wrote to memory of 4540	5036	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe
"C:\Users\Admin\AppData\Local\Temp\20c265f64ad1386c663560304e8a0a084aee6418edd2ee88b9170f85095792e8.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Li\Es\plashutnaokoskei.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Li\Es\nunenadaeto.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:3392
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Li\Es\nachinatnam.vbs"
    3⤵
    PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Li\Es\bolshe_treh.me

Filesize
50B

MD5
2160e193d211ce21ca6021082c5076f4

SHA1
24d5ec3058279205719ed1e94b46c0f312c75c3d

SHA256
5f7970e19f891c00a9e367d81edb0491c1db193593ffdef9a407d370eada904c

SHA512
e024a2dd600be25becfdd244f3ef692e08c7d79a5ddd3466b6a6ed2e94600f3a0d6e1c04e93fb1880fc2e1067c4c9df48d7a76a770eec2eced5cc02447ab7845

Download Submit
C:\Program Files (x86)\Li\Es\kakunaso.ka

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Li\Es\nachinatnam.vbs

Filesize
166B

MD5
ea01d37f436f8848247fc1bf4bd1ff46

SHA1
03fe3c69f4608329049ef55eb5086df3cca20631

SHA256
498c4b3319da205d3cb1a9677357e9a430966658a1794f5a136f0faa3a44d7a2

SHA512
794fcef23060f9a46bc571e596fbfd78944f0781197c3e38bbf2c862a188c15f5bcb0309d8ef435cae451ba855cd6d25146ab742ebd909f46ff08fb85700e3d3

Download Submit
C:\Program Files (x86)\Li\Es\nunenadaeto.vbs

Filesize
1KB

MD5
b28841fec0460fe4dbcb213e1b5e9f59

SHA1
7b29d41e2ef65fc3f3b462f12dadef3e7e2d567a

SHA256
e35c70b22c9ae0a6c328857d632e8c70f8bcc9936b1a414ee044ec6412003f58

SHA512
6057ddeaded589bbb41feae4fdbf367adeea22f8834e20d54dc9991cdaf31915ed2cc815b8ab5cae4cb7dbcd9f6b6a726d12c51fcab1ddcab75cfcb061c7af71

Download Submit
C:\Program Files (x86)\Li\Es\plashutnaokoskei.bat

Filesize
1KB

MD5
2f99a0229b053e649becd8520cd8f870

SHA1
9b2c1d658d36bad704935ae9d7377b3208a79248

SHA256
d7e206e2e9f441461c361b6c6588e56a59858a973a0e3516dadb5c7e49fb5c3b

SHA512
c99f44f1d8cc26404e10c75431c861e2c758cc94e135611fd504785e51fef93c4996076ecc97dc98cb2014340bd9a9e5238e2e8cfe0a38fff077d28daa11584f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
a90bee6f0a14eeb706358b6413641f15

SHA1
618cd8a88702dbeeaba7267ff3461e3c45ea8aff

SHA256
6f806cb10c520ab8461623e5c43dfd41fb2cbcee1fcc2a26b9d3e0ff4ea8a54b

SHA512
9f3195f9a5439ff9ff565312046bff733be4f3088beba80dcca5e8ce397716934470590b7760c5eaa22eba9aa64e3452cce6440638c06a857c6ce195707a72da

Download Submit

Analysis

Sharing