90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f

Analysis

max time kernel
57s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 23:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe
Size

153KB
MD5

c53ae0066fe74a0b3b8f0066a4438bd4
SHA1

10ad4a20b752f78306e2c60ba7903480ebed1323
SHA256

90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f
SHA512

787f21cb7656f52db32001aafbc0b2f4f4105d31b4b4c6050ddcdd73a0839bb74e47c8a2b38d6701487ef581b25d5249fafda9d486d83d63a423e484f0a92be1
SSDEEP

3072:yBAp5XhKpN4eOyVTGfhEClj8jTk+0hAdYq0:BbXE9OiTGfhEClq9BdC

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1736	WScript.exe
4	1736	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\arhivd\insalld\gemoroi.txt	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe
File opened for modification	C:\Program Files (x86)\arhivd\insalld\shaibu.bat	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe
File opened for modification	C:\Program Files (x86)\arhivd\insalld\lovi.vbs	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1200	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	27
PID 1324 wrote to memory of 1200	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	27
PID 1324 wrote to memory of 1200	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	27
PID 1324 wrote to memory of 1200	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	27
PID 1324 wrote to memory of 1736	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	29
PID 1324 wrote to memory of 1736	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	29
PID 1324 wrote to memory of 1736	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	29
PID 1324 wrote to memory of 1736	1324	90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe	29

C:\Users\Admin\AppData\Local\Temp\90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe
"C:\Users\Admin\AppData\Local\Temp\90dab12fe7f1384f91001f83711e553a4c515c8252148752d94fa0510dbdc76f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\arhivd\insalld\shaibu.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\arhivd\insalld\lovi.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\arhivd\insalld\gemoroi.txt

Filesize
5B

MD5
4420279662574754dfd5bef14ee49b5b

SHA1
64dedbd9276bbcf8e2f2e42d81288d073d930892

SHA256
86ddeccd15c9bffccf0ab2b7f7ec3a40b0ba1ce8356317624bea66a0e20c2aa1

SHA512
952c16e86e009f6726250b4e5ab5e4a5b7a41da3247ab82b88580d246f018f34791c06d345230e7dad388021616f149e458b5bcf5993ecdcae6135b6dc33de99

Download Submit
C:\Program Files (x86)\arhivd\insalld\lovi.vbs

Filesize
1KB

MD5
8935d2c18286235595a63a129970dd3d

SHA1
4459381028d33dd5ac3a22f4f7ce80acdab8fccb

SHA256
4a76452cd02a58c7ff97c447a287a8e39f5ec072c7b59b11196e99c0e075da9a

SHA512
b7bf8da3ac8fb5bda0b9c892dca2396b6cc27b8cd766e5076bc5047762e4e3f865aabfb7a1d3f108d4e84524c7afdb7322dfe593baffe9518dac160505b60204

Download Submit
C:\Program Files (x86)\arhivd\insalld\shaibu.bat

Filesize
4KB

MD5
73307829bd885e1a2aa590043be39660

SHA1
24f3f175249d32da7cf9e3d8c0403da036b9ecc7

SHA256
a548727c1e25e767ec537c64d6dc1581344777f6e86f924cde6a450a35327660

SHA512
2b64c28c7378d666827aa1a7659d20d03327e589443065cc72d101442147c48cff8d93863364367515293c264b5146d8f329f2bcd08d8078a570f3c1ec8bcc5a

Download Submit
memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download