41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe

General

Target

41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
Size

159KB
MD5

0b705a73136691aad6cd617e903a7564
SHA1

8edfdd14a678444ba45c540c301afd2e89667fea
SHA256

41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe
SHA512

8fb8f8c6890192d6e2fb646891c2adfe7a9bee7b50340304a66b1f94691119d9b1b83129115227e905daffbc9c3c333dc8188dcd30bbbfcc0ce9aa7a0a46c73e
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz66UaMSgn:PbXE9OiTGfhEClq9FKxdtgn

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Lshizm\She\posdfapahfoshflf.aad	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
File opened for modification	C:\Program Files (x86)\Lshizm\She\pochemupechaltoskaebashitoptom.bat	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
File opened for modification	C:\Program Files (x86)\Lshizm\She\Uninstall.exe	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
File created	C:\Program Files (x86)\Lshizm\She\Uninstall.ini	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
File opened for modification	C:\Program Files (x86)\Lshizm\She\tun_tun_tun_pa.vbs	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
File opened for modification	C:\Program Files (x86)\Lshizm\She\fillenillanddraketonight.vbs	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
File opened for modification	C:\Program Files (x86)\Lshizm\She\instrumentalnay.ay	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4144	4644	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe	87
PID 4644 wrote to memory of 4144	4644	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe	87
PID 4644 wrote to memory of 4144	4644	41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe	87
PID 4144 wrote to memory of 1340	4144	cmd.exe	90
PID 4144 wrote to memory of 1340	4144	cmd.exe	90
PID 4144 wrote to memory of 1340	4144	cmd.exe	90
PID 4144 wrote to memory of 4688	4144	cmd.exe	91
PID 4144 wrote to memory of 4688	4144	cmd.exe	91
PID 4144 wrote to memory of 4688	4144	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe
"C:\Users\Admin\AppData\Local\Temp\41a12fa17e8827a67f894471aa614e555fb4cd84b1609500f36cb0d807daeffe.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Lshizm\She\pochemupechaltoskaebashitoptom.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Lshizm\She\tun_tun_tun_pa.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1340
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Lshizm\She\fillenillanddraketonight.vbs"
    3⤵
    PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lshizm\She\fillenillanddraketonight.vbs

Filesize
162B

MD5
5a20d53eb0ca74820177d024c3a9d95c

SHA1
2405b1fd13a38b5a1b6e8c726aa48b664ac1ff4b

SHA256
0a2b38f5339c7c6020242360ad37dbc8e82662c13bc13dbb84e92d89a1576a28

SHA512
7eea0c490920cb868794b9ad73d5a710bd090960fad861028482a7b42a7a0627fe9ae77b62df9e240b01f17ea1467f2455fd63ee90b9e234f86d85bf267233a6

Download Submit
C:\Program Files (x86)\Lshizm\She\instrumentalnay.ay

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Lshizm\She\pochemupechaltoskaebashitoptom.bat

Filesize
2KB

MD5
04329c7756d098709cb6d33587aa0fc1

SHA1
b6d557c13de5bed5b3bf3edf8e2873292bfba961

SHA256
9e8b2a8d394d7ca85529a485659c461e46644f2befcfd25b3f3ff8af1ba4d1c2

SHA512
d6ca62f5ed3e9de3a97f1ff079ebd47d0054200ce00ded9fb0ac6abb9267a848f2b9c161be9a0ddbd3de6282c82a9c40c657b2b660173ed92f48a9b444f498a8

Download Submit
C:\Program Files (x86)\Lshizm\She\posdfapahfoshflf.aad

Filesize
40B

MD5
fe323aa9eeebbc35121095994dc3dfff

SHA1
965ce94d6bcbdf73aff427af07eeb91af6058e88

SHA256
55fc486a31158fb17cfe8112cd3d7df0be52d8b60e31f373e2040fa6e3a90608

SHA512
016a3348d23caa588f7e1ed325220085888ccb07ffe134d4d6dd25b538f15e9c337baffd4833e2fdb36ffeed3771b1faa851105e1ee5936104982b4e0e10cd95

Download Submit
C:\Program Files (x86)\Lshizm\She\tun_tun_tun_pa.vbs

Filesize
986B

MD5
c696d3d90a82108b50e05952968813b2

SHA1
06de9dbafb880347542a061598aa40024b3e52ae

SHA256
87d7ee5eba5d3001583ff51d67fca01d87578ec231c82ee9e9793d453e602f32

SHA512
f6ce4d3e1dde7bb56fb018852ce5aab720da18829174689a1267b7b5bb9b30bf211ac7d37c6acb77314048bc77ecb437a07798d9fe97764b2a7350efcdd61571

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
4b37dba4a22a6568e31950687eb8900c

SHA1
ac2da111f01769994943f4c15decddddd54142a3

SHA256
50991300e18eaf015c847a69b2d6adfe0a62832b311abb5f9efcdc1fba0d7cfb

SHA512
4735217e5b4bcc2a0405f95b8b0c48bddda37f5fbf15c3becf0c105900d06a00c425dbe874a8d74fb5daab441d68e6c68d9d2de616dcdae39709c36b53ad4271

Download Submit

Analysis

Sharing