99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56

General

Target

99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe
Size

180KB
MD5

df47cb0b73b2927b4ff47b2f0985884d
SHA1

b15ad7938738f406b6446f26b6bc61043a1fa80d
SHA256

99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56
SHA512

13a2be76435cd960c6f193beb134e187b6042977a1a1f8dfcc56ff703f54dd7f751301177bc089dc3eb29e30afa3c6e70e4a1cc39a7e85475d551aaf8c870470
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0h1wk09+g8FE6I:3bXE9OiTGfhEClq97k09+DlI

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2336	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\aguram\____000000_____.vbs	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\aguram\_______22222_______.vbs	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\aguram\popizdota.dot	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe
File opened for modification	C:\Program Files (x86)\ollli\take me to the hospital\333\123456789876______________432.bat	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 612	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	80
PID 3392 wrote to memory of 612	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	80
PID 3392 wrote to memory of 612	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	80
PID 3392 wrote to memory of 4192	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	82
PID 3392 wrote to memory of 4192	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	82
PID 3392 wrote to memory of 4192	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	82
PID 3392 wrote to memory of 2336	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	83
PID 3392 wrote to memory of 2336	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	83
PID 3392 wrote to memory of 2336	3392	99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe	83

C:\Users\Admin\AppData\Local\Temp\99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe
"C:\Users\Admin\AppData\Local\Temp\99e70dec4cb48099dd531da5683195e27d08981c9c4627c2864c238f27c43d56.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ollli\take me to the hospital\333\123456789876______________432.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ollli\take me to the hospital\aguram\____000000_____.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:4192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ollli\take me to the hospital\aguram\_______22222_______.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ollli\take me to the hospital\333\123456789876______________432.bat

Filesize
2KB

MD5
17c7b0d7aa583e837748dca5c59c8b0e

SHA1
912638090f3bf4e687e6d4ee29c6e2fb686bc9ac

SHA256
02c85e965e395568f5967f76ebfa6411861406f8c7b43f03de3289b89e08a101

SHA512
8b19ed7a0efdc8be3945cae9ef65df4f378c205d176211a0203fcdafafa076128ea287fbc47620bbb959ced28db2f3b78cdb06cb02d349ae453d793d157dd54e

Download Submit
C:\Program Files (x86)\ollli\take me to the hospital\aguram\____000000_____.vbs

Filesize
798B

MD5
cd4305e87ea28561bd699634abe11965

SHA1
2a176df2d6e8961d474afbcb7c1d72984359b8a1

SHA256
5c8511ea7ecb99bd13a3c9156ce8b561b5dfbe1fdf886939642048090a9c6280

SHA512
fce3252c9d823a2820ef293258ea04872c05e442d262a2bf8661808a3f4104b3f984fe5eba815d359a02f8c340c13ef3963c67d672b4e9bb681fd852c818b178

Download Submit
C:\Program Files (x86)\ollli\take me to the hospital\aguram\_______22222_______.vbs

Filesize
592B

MD5
36939b6bc2db512f71e340765af38bda

SHA1
60119807c0c79111cb05fd5c1a84ee9d8438de91

SHA256
0044582a7d97e84aa914515458e1b7d2e0cc5913cbf3ac947278e86aed867a8a

SHA512
a74f8b29907588fa63c74befaac57d6ce524fbf086a31a44976d685ebe55bc24e9c7caab6a37d766089aefd8f69032872665cc6548beabaac06e750c41b37bcf

Download Submit
C:\Program Files (x86)\ollli\take me to the hospital\aguram\popizdota.dot

Filesize
52B

MD5
cf268c61e209acaa407a4f819f159dc2

SHA1
edde8406d238b8496ace50f9b9a21b7d17f771aa

SHA256
05c2003affe14321c537416c2acc66cfca2b309a33abc8e496c757feb36ab93b

SHA512
2623183273a2488b04dcc365e48f96fe971d3754dcc41c95d0b78eee092d95d321717ce148e47d98b234f8140e816d470aa69e14e9d505a1d26a6130496f28de

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7914737d01ea7dec5fbd103a57784fa2

SHA1
26076c1879fb68499967ba33d8610612a21b83c4

SHA256
fad3c2c359bc274c03fd7a23bc246fbf0385676e728abdc4d4e95d51e8fedb03

SHA512
7493b6f5d52ad9f47fd40483a3e39ac1f66bd312686599c35ea6ddef0d4adef3b2f09e0a3cd395f68ceb49e4393cd7e78ee16b048098fd9da237be65d30b4e90

Download Submit

Analysis

Sharing