d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b

General

Target

d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
Size

158KB
MD5

2111d2bcb980045c8996849bec03d482
SHA1

390399696cf3edf8ef38b62697a4eea2d7fcb974
SHA256

d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b
SHA512

73f84b31aa80b6c486e8a332df0a8b2b9c22630f71cb8f8c3a8da8746348d61882f147433a764d1715b80b1941db9e9b2671ae51d347d53f8ccaaad203d84a80
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6Q+hGNHNExjjsq:PbXE9OiTGfhEClq9FKxF+EHNkP

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Ls\Ik\Uninstall.ini	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
File opened for modification	C:\Program Files (x86)\Ls\Ik\solnechagnitogorsk.vbs	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
File opened for modification	C:\Program Files (x86)\Ls\Ik\zachet_nezachet_zachet.vbs	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
File opened for modification	C:\Program Files (x86)\Ls\Ik\ziznbogom.vt	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
File opened for modification	C:\Program Files (x86)\Ls\Ik\tanrismika.eb	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
File opened for modification	C:\Program Files (x86)\Ls\Ik\borzayapizdotaizmemomoyaaa.bat	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
File opened for modification	C:\Program Files (x86)\Ls\Ik\Uninstall.exe	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1932	3216	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe	80
PID 3216 wrote to memory of 1932	3216	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe	80
PID 3216 wrote to memory of 1932	3216	d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe	80
PID 1932 wrote to memory of 4748	1932	cmd.exe	82
PID 1932 wrote to memory of 4748	1932	cmd.exe	82
PID 1932 wrote to memory of 4748	1932	cmd.exe	82
PID 1932 wrote to memory of 4896	1932	cmd.exe	83
PID 1932 wrote to memory of 4896	1932	cmd.exe	83
PID 1932 wrote to memory of 4896	1932	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe
"C:\Users\Admin\AppData\Local\Temp\d844192668166a6fdfb3aeb0fe0ad26d12acb799af0113799892693ae6a04a2b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Ls\Ik\borzayapizdotaizmemomoyaaa.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ls\Ik\solnechagnitogorsk.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:4748
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ls\Ik\zachet_nezachet_zachet.vbs"
    3⤵
    PID:4896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ls\Ik\borzayapizdotaizmemomoyaaa.bat

Filesize
2KB

MD5
b6803f1a7ed36f9cbaf042ac321cebdd

SHA1
ab17bf26dec1b4eddf00b923b58b57abe2d12adb

SHA256
8dc8ca059fa97c33f5f993879c5037034c2dd6a26aad1df9eaebeac0165743e3

SHA512
4fd2f5d0c233eca9262881fe42fd2ff50ac2a5d66085efbb1e92f619c7c548987bf9973873ebca97e1fc6a923d55c8ee3367541c08c7e4cdd0f11acdbe6573f5

Download Submit
C:\Program Files (x86)\Ls\Ik\solnechagnitogorsk.vbs

Filesize
990B

MD5
ed241a3ca1852f4dcadd0728185fa727

SHA1
0e59cb304b8bce175fd5bc0d8ab60a5a2a01ee5e

SHA256
aa15cf0188983a7ed6ec2e3097bb847cd1bdfe74a37c9eee6abaf957ab8310d8

SHA512
16146739ea3cf1c9c2785398fb73bbf9e947176e9260bc1e78c96f580bd3f629e1ef5f93c4a0e95a75d268b0906fe6c4a2eafcaaeea55992ff00b7d5bf5c5d9d

Download Submit
C:\Program Files (x86)\Ls\Ik\tanrismika.eb

Filesize
39B

MD5
bd878828448f38ce620f9535dc8aea4b

SHA1
8b4a5a7c795b1404e76e69b51ce85545e5bd8e86

SHA256
c1095efddaa97d50f0fb0beffa3fefa27435cd4444683d25e5398a82601bf285

SHA512
76864327e0cf172869ba3532b51cfb4279eafe78eb5d7cf5a68fea47f395c27156c9add1e29917143b9a37f153b7dd6421edbefb2d7be8a1d21cf3e6ac5651fe

Download Submit
C:\Program Files (x86)\Ls\Ik\zachet_nezachet_zachet.vbs

Filesize
179B

MD5
0604ed22423f5146bcb46c82229a95df

SHA1
e4a0cb9dcd98c9d6f7c87d9c56eb506a7f75bc5f

SHA256
2c62c68be848d62dfe0eceeb9a969b7db05616f9ba0833b45cbf690451df4a4f

SHA512
d73fda22f5af02ebf82517f0e1abca3dd06cc52bda5e51088b649612e903ca90eb1d1313664cbdf55d8d59ee10cd06c4b416c405ef162084b1105386477871cd

Download Submit
C:\Program Files (x86)\Ls\Ik\ziznbogom.vt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
87f793106119d87a3d0fd6b0bacc4374

SHA1
9b72ad9ff4ce8e7084c49d253e222a5a168132d2

SHA256
8087d3b42a5216fa91a1b88f56f9098c8927548294b6d0aea3d69c443b92d721

SHA512
150afe95e5519d2c300b839bc9b352b72f4341146fed1981422c5dd2821633f74d786f9e4dc9b47afd01fd7dbeb474c2c8c15bd318042acd9c80ac674b012fd9

Download Submit

Analysis

Sharing