8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53

General

Target

8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe
Size

1.5MB
MD5

a83524600f0c8325ea4235f0f4afaa8a
SHA1

dfecbb9aa82d4bffe4709e252b113652ac860e1f
SHA256

8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53
SHA512

621bc5e109dab21100518cc73cd7ff60df202fb17a5870062362dc16aaaeec562d5c170568e1d3df105f7af1125ea6ffa6c925a840c28a23aa5053a94682e15d
SSDEEP

24576:8oV9MQIcSuxwOGyb/qIouL4bPhg/pSgvj98hmDIBXrg6A9tYQIMYYWvlo6AhdprQ:ZV9wWf/XLlj9JMXrgyRNuKEYR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4956	-=Ðûáàëêà v.3.7=-.exe
2312	-=Ðûáàëêà WiFi=-.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe

Loads dropped DLL 1 IoCs

pid	Process
4956	-=Ðûáàëêà v.3.7=-.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user16 = "C:\\Windows\\system32\\winhlp.exe"	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2312	WerFault.exe	86

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2128	PING.EXE
232	PING.EXE
3216	PING.EXE
2292	PING.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1496	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	82
PID 2348 wrote to memory of 1496	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	82
PID 2348 wrote to memory of 1496	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	82
PID 1496 wrote to memory of 2128	1496	cmd.exe	84
PID 1496 wrote to memory of 2128	1496	cmd.exe	84
PID 1496 wrote to memory of 2128	1496	cmd.exe	84
PID 2348 wrote to memory of 4956	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	85
PID 2348 wrote to memory of 4956	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	85
PID 2348 wrote to memory of 4956	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	85
PID 2348 wrote to memory of 2312	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	86
PID 2348 wrote to memory of 2312	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	86
PID 2348 wrote to memory of 2312	2348	8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe	86
PID 1496 wrote to memory of 232	1496	cmd.exe	88
PID 1496 wrote to memory of 232	1496	cmd.exe	88
PID 1496 wrote to memory of 232	1496	cmd.exe	88
PID 1496 wrote to memory of 3216	1496	cmd.exe	90
PID 1496 wrote to memory of 3216	1496	cmd.exe	90
PID 1496 wrote to memory of 3216	1496	cmd.exe	90
PID 1496 wrote to memory of 2292	1496	cmd.exe	91
PID 1496 wrote to memory of 2292	1496	cmd.exe	91
PID 1496 wrote to memory of 2292	1496	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe
"C:\Users\Admin\AppData\Local\Temp\8fd33fced43bc0613e0beddb307840365db8c39637389443e1e26b58ebf50e53.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\x.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:2128
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:232
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:3216
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2 -w 1000
    3⤵
    - Runs ping.exe
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe
  "C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe
  "C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe"
  2⤵
  - Executes dropped EXE
  PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 264
    3⤵
    - Program crash
    PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2312 -ip 2312
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe

Filesize
28KB

MD5
7406f26c79c8bfb0db71e625d692578b

SHA1
e65d490a1e684d39d7a7ac245f8040d7f8b7e392

SHA256
cae761494db7d9e6588eccd90f648a3491394096c81c42b72808e0fca9486fc6

SHA512
7bf09fa51cd3d242cfac2a4df95878e07cef5143fe955d65545138d15f92ed99414dfc2a300d896e6c9d61f1bbe26824245fe39514a114230775ea7f7bdf6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà WiFi=-.exe

Filesize
28KB

MD5
7406f26c79c8bfb0db71e625d692578b

SHA1
e65d490a1e684d39d7a7ac245f8040d7f8b7e392

SHA256
cae761494db7d9e6588eccd90f648a3491394096c81c42b72808e0fca9486fc6

SHA512
7bf09fa51cd3d242cfac2a4df95878e07cef5143fe955d65545138d15f92ed99414dfc2a300d896e6c9d61f1bbe26824245fe39514a114230775ea7f7bdf6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\-=Ðûáàëêà v.3.7=-.exe

Filesize
1.5MB

MD5
8d377cdbfe9e1ebbf926cd7bb73e0e26

SHA1
4c8cf63aa8c15ce2935599aeb524dfe1dfa1036e

SHA256
d94ff1ba9b7c2a81efe20b4361bff396f8643f34ad79bf9442d101f4dbfd8ca7

SHA512
81c6677d0bfd4b0aec6ac98ce78e68f35d5675cbf10cbe4a646d389adea4708e6879d6df64b2b75d073feb43e0f0a06a85d92f0188f29155bf2c043e05aaa01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gert0.dll

Filesize
88KB

MD5
33976355fddbceb0fbe54887ee4d1596

SHA1
914c49a8a58605186d7dabeb3a67b88578c84c14

SHA256
51baaf313b57462eaa38aaf69aea6e8dbbc20f3714343817266e7f35bc2235fb

SHA512
be34e4042074da841cfbdbe3a379489b7a968f69a2bb372ce5925e0328d259af2fc0d29d02a787b8d4cfe70158bfc018bf7f6da35c26e670aea847efe3cb8389

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.bat

Filesize
365B

MD5
18bfb77affa016adfc9c0eb4c354b869

SHA1
0716942707024085e41bf88ea92c587b45536fe5

SHA256
5fb389fe090b55387651cce98c4c8018334f135b6303b671552c78ef6cffacbc

SHA512
253d4c5cf11e642f8ea71dcde491e954b8b7cc2193a3b1dd18b297a7dc12c705b9af9b2c0e808a1240072d9bafce3489e0eb80b579e07b3b645225cfaa0c19b1

Download Submit

Analysis

Sharing