a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc

General

Target

a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
Size

158KB
MD5

8afe467d78986b5cb20f5f693507740f
SHA1

b813a37247cb93eb974dc6dd10d52cce4b58c125
SHA256

a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc
SHA512

5116c93869118b4e47dc0602c1ca2c2044fa2bf58295ab08b8bfb93f91e8c39c2333e33452f5edf530f52228e72aebb46f12fd53fcebddb1162999b59db9b00a
SSDEEP

3072:YBAp5XhKpN4eOyVTGfhEClj8jTk+0hMKBz6jcaJY79:PbXE9OiTGfhEClq9FKx4e

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
File opened for modification	C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
File opened for modification	C:\Program Files (x86)\Hn\Ip\poajfmas.dd	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
File opened for modification	C:\Program Files (x86)\Hn\Ip\indurk.akk	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
File opened for modification	C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
File opened for modification	C:\Program Files (x86)\Hn\Ip\Uninstall.exe	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
File created	C:\Program Files (x86)\Hn\Ip\Uninstall.ini	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 904	108	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe	27
PID 108 wrote to memory of 904	108	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe	27
PID 108 wrote to memory of 904	108	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe	27
PID 108 wrote to memory of 904	108	a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe	27
PID 904 wrote to memory of 1376	904	cmd.exe	29
PID 904 wrote to memory of 1376	904	cmd.exe	29
PID 904 wrote to memory of 1376	904	cmd.exe	29
PID 904 wrote to memory of 1376	904	cmd.exe	29
PID 904 wrote to memory of 1724	904	cmd.exe	30
PID 904 wrote to memory of 1724	904	cmd.exe	30
PID 904 wrote to memory of 1724	904	cmd.exe	30
PID 904 wrote to memory of 1724	904	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe
"C:\Users\Admin\AppData\Local\Temp\a5c7cfae4cc5108f266ce13cdc360f493e955c39fd79bf8f6f72e211e82071dc.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat" "
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs"
    3⤵
    - Drops file in Drivers directory
    PID:1376
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs"
    3⤵
    PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Hn\Ip\indurk.akk

Filesize
52B

MD5
099b0158d8e627ce3b4ab59c7c56e22f

SHA1
b81927497c763ab8265e13a81de2a735a6375c33

SHA256
61bded2ff63645df32dc288b50a6495a47fcf37b3ee58b2dcfdcd084d3dddd4b

SHA512
cba452535a644dcb760abb38962e23cc4f703dac0071d85f22c04cd0a0dce0ccb3d80b19bd49265b0c8720a448b11a72c6bef8d6b1e630db466763fc4dd14426

Download Submit
C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs

Filesize
1KB

MD5
050703f7f5214ca4207664eeb02d6692

SHA1
69374791ba095a32e39734ea73c8202f0f3d4cc8

SHA256
4a04b96e9c68300a57f592078eeb839b89d278a15eff78f899256bcc9458f07a

SHA512
16b575af69a6078742ca15e20fe61178ec0867625e09c7ea0a47a7745ceef7fba6d70d6db1ba70903b7d00476bfc678c103de2a471a06453316643e8dc3a5359

Download Submit
C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat

Filesize
1KB

MD5
aa210171ea5d2a48bdbd9cc2cb2bb43f

SHA1
2fa7bfe96e7c375628d9804d1a28350d7151e8f6

SHA256
878e1eee33c26e3ccbd2c548dcce5efc3a0f3ba0ea5c5c3f61c370a9dfcc9fbc

SHA512
9c6b66e8bb310a7f9eeeb04cd30a2537bf491d3f7b230872ed4c5ddd61509fc1ca6016eec6999158e56133b1d39cf436d0745da46d47b2ba63609941dea87159

Download Submit
C:\Program Files (x86)\Hn\Ip\poajfmas.dd

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs

Filesize
153B

MD5
0464ad808ff10ea4271afdc6015562aa

SHA1
7ca29b4492f34e75c56c25a94ced45eb7f7298f3

SHA256
b3e6ce10cc4bb3704146acf66eebf6a0c7bea270962b294bdd86702229aba80f

SHA512
1487d44f6c5da4619a6f4769e46d7425249e05082e68efd7873bf8f0235963f9971f0cf08a20846d33b8c13b44412981b32b2119da1c392ea3f270360e509386

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6f1e4232423d43147d99a9d7f8c58075

SHA1
34c992241ce9b5535c107501ff124144885512ff

SHA256
1fcb304ced74de9b4ebfeabc553d992c1e5ca484c7611910dfcaf878adedb41d

SHA512
be18a097ea262865ea4aadefc22ff6790ce81066296aae5249e30e0f797da04a7285ddfa8c86ab4267d1fc6499a4b5ae35bdcc7f73034ba67fae03d46b93ba97

Download Submit
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing