b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af

General

Target

b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
Size

158KB
MD5

28a0f3c93250760b2d7a528b565f7046
SHA1

1932b183168996a5a8171381838659cb6f9bcc14
SHA256

b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af
SHA512

5182e92d35aba1362c62e0c35cf957f3f4132cbfcbf989199ad9af7c0213102da99f74275d0b2a13a5b4795b6ead682b111fa267702a3cfb28ba03783e84bf8e
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz69kxRVO9BtEacpKIx:PbXE9OiTGfhEClq9FKxci+90av6

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ik\Ed\Uninstall.exe	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
File created	C:\Program Files (x86)\Ik\Ed\Uninstall.ini	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\yanhuidirect.tt	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\kushaikakashil.oo	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4984	2484	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe	83
PID 2484 wrote to memory of 4984	2484	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe	83
PID 2484 wrote to memory of 4984	2484	b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe	83
PID 4984 wrote to memory of 4228	4984	cmd.exe	85
PID 4984 wrote to memory of 4228	4984	cmd.exe	85
PID 4984 wrote to memory of 4228	4984	cmd.exe	85
PID 4984 wrote to memory of 3784	4984	cmd.exe	86
PID 4984 wrote to memory of 3784	4984	cmd.exe	86
PID 4984 wrote to memory of 3784	4984	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe
"C:\Users\Admin\AppData\Local\Temp\b2861f0005e9010404e63e84e47d799ba856bd09d5bc928a81d41b09c22556af.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:4228
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs"
    3⤵
    PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs

Filesize
202B

MD5
ca6d4cd36912f11d00e364653abc2c14

SHA1
0991a59f2779f8d14a13c344819236d3bb52c9a2

SHA256
d0294671b730a04645d00daa3f0ff93005f468d1c7ceea7d873d584c1ec22c4a

SHA512
504bdae2ecaba221c5e713940f2cb7eb388481f3401b87b03a67138c8be29f13b45f6573de330b4f9ff4843e15712cc422b9ed7bffe7cfd2dadae9e5f2f7f662

Download Submit
C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat

Filesize
2KB

MD5
c29fc56fad17c851f1fa4355caf0c200

SHA1
448decbf17069adcc0879779b4598a14e89a26d0

SHA256
ca7d88d977a986ace01796ee7f4729d6caa3d5e07ca2bf09a394dd0fde501017

SHA512
8fbfdfa14f8a06138cf40840f757958c8ae033807b8d0df918a4dda9b219ec589706128b06865990dcfb1b9b4f5def3dc2c2e2ab6823e0eaab1c55b902a49e43

Download Submit
C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs

Filesize
148B

MD5
54e62238df297a77206bdd10abe3f698

SHA1
70102a423df790382f21ffacc1c5b0f22c4ed6f0

SHA256
3b8ded816037ee1126a85f1eb3097063c2dd2428fcd922f57570216d8fac09ae

SHA512
053b62e77ee802346220f7ff2ee894a1a599c6b08e043a5a0f8e9b0a3ebec5e995b032552c49d4df8c690f2ebd1eaa2364a0b1538cf56cd09395e997c16d71aa

Download Submit
C:\Program Files (x86)\Ik\Ed\yanhuidirect.tt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7725c9ab4613f6a85b35211859bd5656

SHA1
b428e0254ec57788d5b3b865e1d168dc215b984a

SHA256
5e7eb8d64bca794660d7bd16a8c7650ec14deb6fda57324cf2bc92b82127ac75

SHA512
2050e8ae83e563a6ff2f41da57f23b23c2c7469fa74833222e7b9dbfd4f4c93d37d6bca85bac09f2f67f8bf44c1eed6c88c0f3f5faa20e6214ef2dcf84daf89c

Download Submit
memory/3784-141-0x0000000000000000-mapping.dmp

Download
memory/4228-139-0x0000000000000000-mapping.dmp

Download
memory/4984-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing