272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37

General

Target

272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe
Size

128KB
MD5

c37482ffea10804ae03ac6d5f9172ca0
SHA1

780fd7f5308c2c7d143e769dbc84c14f14b70608
SHA256

272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37
SHA512

c90003af988058b8058838635760851e7882bf4fb2aa96e92aef349226a5fea40d9ea1610a4fbdc7dc51c24d0b1642b7bb4716e0addca995aff9b6b0df30d576
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6buY:PbXE9OiTGfhEClq9FKxhY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	4768	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wi\Se\zabitayalubov.vbs	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe
File opened for modification	C:\Program Files (x86)\Wi\Se\neznostlietsya.vbs	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe
File opened for modification	C:\Program Files (x86)\Wi\Se\zabitayanahlubo.ovs	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe
File opened for modification	C:\Program Files (x86)\Wi\Se\pruzinka.setp	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe
File opened for modification	C:\Program Files (x86)\Wi\Se\alennavinnitskayayadrochunatebya.bat	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 4956	1868	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe	84
PID 1868 wrote to memory of 4956	1868	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe	84
PID 1868 wrote to memory of 4956	1868	272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe	84
PID 4956 wrote to memory of 3320	4956	cmd.exe	87
PID 4956 wrote to memory of 3320	4956	cmd.exe	87
PID 4956 wrote to memory of 3320	4956	cmd.exe	87
PID 4956 wrote to memory of 4768	4956	cmd.exe	89
PID 4956 wrote to memory of 4768	4956	cmd.exe	89
PID 4956 wrote to memory of 4768	4956	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe
"C:\Users\Admin\AppData\Local\Temp\272da12e60636882942fd09c22067471b2f0a0428d53755a1a6072747009fe37.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Wi\Se\alennavinnitskayayadrochunatebya.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Wi\Se\zabitayalubov.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:3320
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Wi\Se\neznostlietsya.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wi\Se\alennavinnitskayayadrochunatebya.bat

Filesize
2KB

MD5
e4e7f3e2f9f4085cbbcac3d5dda607ef

SHA1
8aec5a00ce7784859d295b07f0daf79af9a3417e

SHA256
298543c28833aa974ab6635291b69b383d01e739b96585a936bd3d772358e941

SHA512
33c0607abd9cd3f06569db8c0cb8d21f26741383dbec0630eb1420183cd4a7ac014ca35013dd01c9da825255fc6124e0f680a92f89f0797342c7f9efe0d361c7

Download Submit
C:\Program Files (x86)\Wi\Se\neznostlietsya.vbs

Filesize
275B

MD5
e2b2840c0a16d95d5eaf5b3eb9184539

SHA1
c00320a5c5654ce3c58f352f9d08d75e7528614a

SHA256
b9eb8baeaf63189ed7fa9dd5e77fccd34616f1bfb1efb3c87ed3342b1d8b8ca1

SHA512
2c95898cec3bc5a4072d15ab7c3a296f6866955d269a88ace4fc8408d1212126fb49958c9cc9095a7cae752c153879071dde12693113362804eb91db4a174fb6

Download Submit
C:\Program Files (x86)\Wi\Se\pruzinka.setp

Filesize
75B

MD5
2c60f3d633d4a9f85b138670ef820724

SHA1
4b28b487aa4aed37241ca8d50eeab9a795156eee

SHA256
4d445656e7fbfe629ec4a9c91e33c772afa2deca78c0b10b5b52f78f6006e683

SHA512
ebd5da98489efe0c4a4ec23fdfa12610a2a39b80b7e864fd24ef7999e174c50a062b0dc256939f24fc90a99d5b856c7a3fcbb924726be26b2870699c2ea451bd

Download Submit
C:\Program Files (x86)\Wi\Se\zabitayalubov.vbs

Filesize
1KB

MD5
b466c30849ae5c2eb9be72da47564ca1

SHA1
df9d44804db4b36a3567340557f6eecaab82e45d

SHA256
7f4f35f111813fe63f3fb7a27175f68a04bf195cb38ecdab60e1e5a7af417954

SHA512
525ccca87f418f3ceba550daee588596b7b57b372d534ba992ec75307da21b40802b6d20e8d9a48eb6dd2fe4722df31efbf602a81c693e6dc6459734b3b7e024

Download Submit
C:\Program Files (x86)\Wi\Se\zabitayanahlubo.ovs

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
2c9f94faf8bd9f342b0cd58092560479

SHA1
94487428984789867771c5ef2cbd19f0ab4b8759

SHA256
46789e9bd60b8f4b5f4dddb4af90aeb79356d7bca1fb70d406a42af41678cb3a

SHA512
dfd0000d62d415cce8758faff64864f8b8469c80afa0222a93c2256eac5326c1c382c818f96003cbd009286288d1ccb1300afc07b013048aeb17cc241200ec86

Download Submit

Analysis

Sharing