cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff

General

Target

cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
Size

158KB
MD5

06a5e62b81d7329ca998195bf3cd1011
SHA1

d07cca01a8577523a6ac70f6ec9bb51c5916ac5b
SHA256

cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff
SHA512

d017df0875cc9d0ef8fd72bd9fb351cbf4188860a0b3d9e478d8841244446a9be41400f217e51d97c6861730ca596b9d82c5dead1cd97180fc659877e3c55a21
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6jmo4MVVMKR:PbXE9OiTGfhEClq9FKxOmoBR

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Sl\Zp\gde_manya_zdut.vbs	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\gde_mne_radi.vbs	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\vitalik.kil	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\adsense.ko	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\eche_razok_s_nim_vstretilsuai.bat	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
File opened for modification	C:\Program Files (x86)\Sl\Zp\Uninstall.exe	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
File created	C:\Program Files (x86)\Sl\Zp\Uninstall.ini	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1148	1724	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe	27
PID 1724 wrote to memory of 1148	1724	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe	27
PID 1724 wrote to memory of 1148	1724	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe	27
PID 1724 wrote to memory of 1148	1724	cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe	27
PID 1148 wrote to memory of 756	1148	cmd.exe	29
PID 1148 wrote to memory of 756	1148	cmd.exe	29
PID 1148 wrote to memory of 756	1148	cmd.exe	29
PID 1148 wrote to memory of 756	1148	cmd.exe	29
PID 1148 wrote to memory of 1736	1148	cmd.exe	30
PID 1148 wrote to memory of 1736	1148	cmd.exe	30
PID 1148 wrote to memory of 1736	1148	cmd.exe	30
PID 1148 wrote to memory of 1736	1148	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe
"C:\Users\Admin\AppData\Local\Temp\cf23d10128a5080e52b625c5d8eeea71fb4bd63fa63df98dbd079fd21074f0ff.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Sl\Zp\eche_razok_s_nim_vstretilsuai.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Sl\Zp\gde_manya_zdut.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Sl\Zp\gde_mne_radi.vbs"
    3⤵
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sl\Zp\adsense.ko

Filesize
61B

MD5
51e6044f7892fbead3ad3249134919ae

SHA1
c16c77c4e5e159ffbec437b07ed7474eb12325eb

SHA256
a04d4a380a486aba2837ac064dca5afd3d69fe0fb012db3aa07b5dade75ab5f2

SHA512
41c803126be84b858d6c1bdb2eea7f50945ca2e776e0f7173aa9a47c60f17795302472f0399234e19adee22982633112f9d039e8a4412c173b445c3b1874530d

Download Submit
C:\Program Files (x86)\Sl\Zp\eche_razok_s_nim_vstretilsuai.bat

Filesize
1KB

MD5
a48a3ef43edfce669ae758e8f107f961

SHA1
725ad7c7fedd55390c4bdb8d46120bae6da076d3

SHA256
4e0ea52c44014ff461a13e9457f6b19b2f026da093365d116fc60269b4a2d297

SHA512
82f7c814ce94dd80abe396f4af59075174e662903694adf775d93e0b9560824735cc44390d5fd9684ae7510acbcb7cdd29faefc82f37ae51bd8348ad0164fcea

Download Submit
C:\Program Files (x86)\Sl\Zp\gde_manya_zdut.vbs

Filesize
1KB

MD5
39c01e6a1fe46873b0bb6d1a41f7c0cd

SHA1
a3105828bae72e31f6a7a820f1896923aa12dfc6

SHA256
03b85af1fe93837f58a648dd82f1fd753823f5791c2f5bb72f3e56b8fcb7e9cb

SHA512
f68131b5fba880368a18e15fb35a73911908effe0c8e7e3dc7d4f782b3d5e3ced6bf8e71a899b49845f19b331b2a6d09f51d47362a74398a0a483f23da71aae3

Download Submit
C:\Program Files (x86)\Sl\Zp\gde_mne_radi.vbs

Filesize
172B

MD5
855512154c70b0de65115eb911dde5bc

SHA1
c7db6f4279e87df7146af26f4d0cec6ef78f1730

SHA256
c367fa8af5f94f7f1b7f78d237f17a135baaf5f31c2b26f2a128e1aee6c7c4c9

SHA512
5c5c4eabcf06d8fed48bb625ca9eac0389b6aa9c4c114759237209ecaea11ed872555fef496f638b231cfcf354bc4c377ab77a69167b52cdbabd12bd07491fc8

Download Submit
C:\Program Files (x86)\Sl\Zp\vitalik.kil

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
ebdac2027c08d0716f13ac5f9fe8bbc7

SHA1
93d9cfbf3870f052b4e4fa1be26f74d3de4189c3

SHA256
a5e6ac9432fcb11c8646f316a955c31e812a2f54f765643a8200e72a4d6be74d

SHA512
31fa38cbed7a9f5c00a821388364345cd78b6b872b8e44703879a43814d5b5a3ccb6cc8c1b364ebfecdf3e895e3f9a0c6b0f6259f69ba801f7fb46bf622916a2

Download Submit
memory/756-60-0x0000000000000000-mapping.dmp

Download
memory/1148-55-0x0000000000000000-mapping.dmp

Download
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing