d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9

General

Target

d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
Size

158KB
MD5

576d04b86b9e7f543ae2174be143801b
SHA1

e1b564adeee2e58e532fe9b75a4e642fd17fa139
SHA256

d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9
SHA512

1d95ad6191eb81a851d39d4c8db98e2b5b138e1494f52ad38692f5689f6fdab855243ab04f0f839ecac86320512c4f38c97f3f74d3dcab94c4cc681115397786
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz65ahaMy:PbXE9OiTGfhEClq9FKxvhaMy

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\iR\Aas\sdfsdfsdfsdfsdfsdfsdfsdfollandsikoolsiskitezetelkisuters.bat	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
File opened for modification	C:\Program Files (x86)\iR\Aas\Uninstall.exe	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
File created	C:\Program Files (x86)\iR\Aas\Uninstall.ini	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
File opened for modification	C:\Program Files (x86)\iR\Aas\goodofofofofosdsfdfsfd.vbs	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
File opened for modification	C:\Program Files (x86)\iR\Aas\prisosalsanize.vbs	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
File opened for modification	C:\Program Files (x86)\iR\Aas\kudaihpovesti.kar	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
File opened for modification	C:\Program Files (x86)\iR\Aas\polnistri.oka	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1488	1204	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe	27
PID 1204 wrote to memory of 1488	1204	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe	27
PID 1204 wrote to memory of 1488	1204	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe	27
PID 1204 wrote to memory of 1488	1204	d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe	27
PID 1488 wrote to memory of 1964	1488	cmd.exe	29
PID 1488 wrote to memory of 1964	1488	cmd.exe	29
PID 1488 wrote to memory of 1964	1488	cmd.exe	29
PID 1488 wrote to memory of 1964	1488	cmd.exe	29
PID 1488 wrote to memory of 676	1488	cmd.exe	30
PID 1488 wrote to memory of 676	1488	cmd.exe	30
PID 1488 wrote to memory of 676	1488	cmd.exe	30
PID 1488 wrote to memory of 676	1488	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe
"C:\Users\Admin\AppData\Local\Temp\d0f288eebf37c2657113d395cf319a72f3c61345df5f48d3e85c065c1e7914d9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\iR\Aas\sdfsdfsdfsdfsdfsdfsdfsdfollandsikoolsiskitezetelkisuters.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\iR\Aas\goodofofofofosdsfdfsfd.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\iR\Aas\prisosalsanize.vbs"
    3⤵
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\iR\Aas\goodofofofofosdsfdfsfd.vbs

Filesize
229B

MD5
a742b9dc10d7d57fe263b46799521018

SHA1
c584510e054c9c4b5cd15b2a898973b9ba74d499

SHA256
46f76cbedcc6ffc635ce17e14acc007c341fada992f261ea10d9b95d040a7f20

SHA512
e4349dae7d9529854585490389c36e117c9eabfd1c8023f033ae0b8eeea5c5b7becaab2d7e1a48ef04d99fb9d125c3311dfd089b03a2e0cd34a78adb50fd2f9e

Download Submit
C:\Program Files (x86)\iR\Aas\kudaihpovesti.kar

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\iR\Aas\prisosalsanize.vbs

Filesize
174B

MD5
b8222b0c2ba6e7c668fb4a82ea22f77e

SHA1
cd64ea637693c9ab4ea848802f2463d378d331b5

SHA256
966fecc0fa03f874e3406131c7f13f8e4a69b491f8c069f109eb0b0716e8319a

SHA512
de7fa4f985c089c039b9b4e974b03ae04cdd3fbc1fb0ae047e3986853f42932d01e723b8c1daccc99319779fccc3e532860eb502ae377d2ba474d45a69736993

Download Submit
C:\Program Files (x86)\iR\Aas\sdfsdfsdfsdfsdfsdfsdfsdfollandsikoolsiskitezetelkisuters.bat

Filesize
2KB

MD5
74c4aeb6e3df2a1c03e5ffe660ddc883

SHA1
81260cfb87e133b06eb3968ac06f13ba81c414d7

SHA256
4bcf36bc3f70db06838bc460b682f83d8b8228cfa3388dbefa412bf5f137d78c

SHA512
21a4fbcd8e31a09666266e0f14e0756587e9b997e3aabf11af9466675f7e3a25b030989fbb9a1dd58903b7676b87de38de308ae850c18a75b21f3a982b4d4655

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
2295a19ddc9c09ead5ec9ba22897c8a5

SHA1
12b9fb35e0f1e16d245918b2ec7a86b84d7c1b20

SHA256
0f01b56eb30999f1b1a6b345c4a6d78ec4b8607307b24d014c5b1e01f6aef0d6

SHA512
4c8352df97da89ce04e92bb4963065f782d28b020d3f86af692beb8184d73026e957dd85a99aa6d4b0a048922bd3829546dae3cee2fc59ae97ae99f7449fee52

Download Submit
memory/1204-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing