b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4

Analysis

max time kernel
186s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 23:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe
Size

172KB
MD5

bee2204b04aaf4d027939319f2097f41
SHA1

c4ffad1d88497021e3541451d1f7b3206c6dc4a7
SHA256

b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4
SHA512

2a4e8059cf59fae30f653c9e1ca1c983fa3bfcb4a07ba3dbada664e2141c24ed3bc6ab0e16376dc1d9307f4b05588ceabc8f120e9a42a083894f8391522bd0b0
SSDEEP

3072:uBAp5XhKpN4eOyVTGfhEClj8jTk+0hnVz3OR34Ymo8xI:FbXE9OiTGfhEClq9oMRoNoGI

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
57	3140	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\kklaks\linstal\okolozada.bat	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe
File opened for modification	C:\Program Files (x86)\kklaks\linstal\kolobahs.vbs	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe
File opened for modification	C:\Program Files (x86)\kklaks\linstal\topalakad.vbs	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe
File opened for modification	C:\Program Files (x86)\kklaks\linstal\main.txt	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe
File opened for modification	C:\Program Files (x86)\kklaks\linstal\rka.txt	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1348	2408	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe	81
PID 2408 wrote to memory of 1348	2408	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe	81
PID 2408 wrote to memory of 1348	2408	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe	81
PID 2408 wrote to memory of 3140	2408	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe	85
PID 2408 wrote to memory of 3140	2408	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe	85
PID 2408 wrote to memory of 3140	2408	b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe	85

C:\Users\Admin\AppData\Local\Temp\b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe
"C:\Users\Admin\AppData\Local\Temp\b2311a6cb1861355bcb269e71e69b583ff081fed55726fbd23263b8ffb0dbcf4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\kklaks\linstal\okolozada.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\kklaks\linstal\kolobahs.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kklaks\linstal\kolobahs.vbs

Filesize
464B

MD5
69eb94679e213d1cce3d62c472abb209

SHA1
b80cb9c6a224f28b6227215745276067d22617b6

SHA256
b25e5094cfc4d3fd2e89961de2651f878df11dd813395e063392133e9ec7e8bb

SHA512
43bad98d88a78545909afa162e8a7c9e5e44808a1216e638adad2799e5338bd8d09da03b8ce1acd9e3bfb619285c1e9b5ddc509085ec7b174ae40a42c80a0080

Download Submit
C:\Program Files (x86)\kklaks\linstal\main.txt

Filesize
4B

MD5
ef30628fc960a3ac318e25f382512e44

SHA1
be9ea95b0fff7a654505a64076dd4477aed4a236

SHA256
41a7e343498aeee2dc25f9ce0ae87a659e174ccac1e2e4dbc9ff0caeb9d93189

SHA512
c8c61ca858d0f5d41ddbf2fa7d09a8e9927e11a8de0bceec42b1a3787d2d166c5f4f1337d2e52827fb0a506653d36e12492664c78ad477c1ae27724923f70f3f

Download Submit
C:\Program Files (x86)\kklaks\linstal\okolozada.bat

Filesize
3KB

MD5
402fc6b7d7f70bc140adf82a08c0dc25

SHA1
d8b7c695f9090a47c6fdb36b1adeb99df14b1d3f

SHA256
417a2f946fac6bcf5f97be99fb6bcf85cdf664ba2a827d22f62b3cad6c4b00ca

SHA512
dd84c1e35674e8817cdad4a7ff567ddb14d0a83df5487c074cbd3a723c795ecb41020eb16bfd3cf1c55a01aed4371f299c5a28cb2e5307d789864944ad50c52d

Download Submit