f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57

General

Target

f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
Size

158KB
MD5

51e43e48dcb2fd793e5d78de0dc96f19
SHA1

f3f8efc48628a059fd7d2a3d063983d790705013
SHA256

f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57
SHA512

e3c65821013bec7737d4a6d96e39034e8057a57a250bb74ccd22f267302a71c737a947ab9becb6db4bf9158135208be848e8c706ff1c9ddc6a319f4d89a380ae
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6uMN4hRI9wZVOC:PbXE9OiTGfhEClq9FKxPryyB

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Ik\Ed\Uninstall.ini	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\yanhuidirect.tt	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\kushaikakashil.oo	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
File opened for modification	C:\Program Files (x86)\Ik\Ed\Uninstall.exe	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1076	1960	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe	28
PID 1960 wrote to memory of 1076	1960	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe	28
PID 1960 wrote to memory of 1076	1960	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe	28
PID 1960 wrote to memory of 1076	1960	f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe	28
PID 1076 wrote to memory of 1804	1076	cmd.exe	30
PID 1076 wrote to memory of 1804	1076	cmd.exe	30
PID 1076 wrote to memory of 1804	1076	cmd.exe	30
PID 1076 wrote to memory of 1804	1076	cmd.exe	30
PID 1076 wrote to memory of 1988	1076	cmd.exe	31
PID 1076 wrote to memory of 1988	1076	cmd.exe	31
PID 1076 wrote to memory of 1988	1076	cmd.exe	31
PID 1076 wrote to memory of 1988	1076	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe
"C:\Users\Admin\AppData\Local\Temp\f81716c59947b0fa283a7ce9613f15b090e2d87e3fcfc25443d758f8bcf84f57.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1804
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs"
    3⤵
    PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ik\Ed\dvadsatsdelokvmesuats.vbs

Filesize
228B

MD5
b99237809014a06f99eabc55d2f5a364

SHA1
1b810e31da125fdd1663795c34e6a7011ea8e6dc

SHA256
ecbffb9d445e74a2d4d1085dded375264727a10e0860988e6136a8e22540fc69

SHA512
627ced7f0a3e021ce5c7e3c3da589889643c9507bd54e55c5ed02b02e12e0967380737efb95209f742cc91ed0bfa76c0406756206901c0acb0a8b17882c38933

Download Submit
C:\Program Files (x86)\Ik\Ed\kakchastoetoproishoditvmesyatssuchkanahddddd.bat

Filesize
2KB

MD5
713648a9fea60e8f16e05017a60c0d78

SHA1
7251903592a551256ffcd6c622ab155f94087f43

SHA256
ec32361cd45f9b611c10724b2d1600c13d2c76f4c56901aa47e7323fe3baf1ad

SHA512
af9df0aaa22a3a8bd353133a2218ffd469dcc2a570ec2846de39c92384fe7f5afea7df8147a734624e22b361db54d6db2552337ea22b598d782bbe0640acdac6

Download Submit
C:\Program Files (x86)\Ik\Ed\roznichnieibolshiesdelki.vbs

Filesize
153B

MD5
88006170f635e5aa130a41520eeb0978

SHA1
a5b576d4a407769dd1b50eff76fe7a6f1937ec22

SHA256
51cc7c49ab0085a5b1f33b04d489845561dab8c6cf7c6f87e000edf2aee05c57

SHA512
c0120849c2d31c52ed490eb5f43000a85d089dc4343e12b8d45f4b38ee4a5cefe76344665ead038479adcc475c951df8c12ced8a2930ebf579f96787ea9114ef

Download Submit
C:\Program Files (x86)\Ik\Ed\yanhuidirect.tt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
25d003bfee5ab825611b187c29fab298

SHA1
5790e27656ec129e9f16ce9dd22eeab03d9a407d

SHA256
54cfd761d1ebb73908d8bd1ec02c6a77db16adf0566d5a28244518b7bd920d90

SHA512
5d784865904e7998ecb94bfe89f02fba50e6edff0f78691c7e030d0ca39802f75fbcfca3a0c07ec967c5883d85f32f4560109b1e3a69fa6aa816dc609de156a7

Download Submit
memory/1960-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing