36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753

General

Target

36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
Size

239KB
MD5

fb27882953902d93630cbda71ec5278e
SHA1

dea98808211c6fd017b1273695eeb3bfd47121b7
SHA256

36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753
SHA512

3d49de4a9e025b55cd74769ebcd3707000cb13aa54ae57191b603771e159750439571d1bfcb772dae9cb95cf85b1e273bde438971af5791ccb58b2bade8d3008
SSDEEP

3072:MBAp5XhKpN4eOyVTGfhEClj8jTk+0hbe+s461efwvsOq7Mirevf0o3+2GFZB4QyH:7bXE9OiTGfhEClq9u2JJUy

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1728	WScript.exe
5	1728	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\nu kak bi vsua hernya.fos	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\Uninstall.exe	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\Uninstall.exe	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\xranilise_vsei_figni_tut.bok	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.cross	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\nu kak bi vsua hernya.fos	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\Uninstall.ini	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.vbs	cmd.exe
File created	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\xranilise_vsei_figni_tut.bok	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
File opened for modification	C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.cross	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 936	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	27
PID 884 wrote to memory of 936	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	27
PID 884 wrote to memory of 936	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	27
PID 884 wrote to memory of 936	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	27
PID 884 wrote to memory of 1728	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	29
PID 884 wrote to memory of 1728	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	29
PID 884 wrote to memory of 1728	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	29
PID 884 wrote to memory of 1728	884	36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe	29

C:\Users\Admin\AppData\Local\Temp\36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe
"C:\Users\Admin\AppData\Local\Temp\36d2f34f83dbc1175246645ce519ca662ca135c3dba888008a914e5a76186753.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.cross

Filesize
1KB

MD5
035cde8a4ac80016bbe9efb1b5d6d1d5

SHA1
1524e26ece3e77ad93656c4465a289a0d94e0e39

SHA256
29376638dd4b2ebf5234f0e4f7b9f80f4db8949acbe3bd40402b4aba7dccd323

SHA512
0cbfdb47cc9292c659fc1b5585d4e03674e97e0bd44e99dfe9ff435483ae8f8d50d1f474dbd80d0b45c286496e16aba3292efc39e06476796890f1a1d12c926b

Download Submit
C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\slooooowthespeedafer.vbs

Filesize
1KB

MD5
035cde8a4ac80016bbe9efb1b5d6d1d5

SHA1
1524e26ece3e77ad93656c4465a289a0d94e0e39

SHA256
29376638dd4b2ebf5234f0e4f7b9f80f4db8949acbe3bd40402b4aba7dccd323

SHA512
0cbfdb47cc9292c659fc1b5585d4e03674e97e0bd44e99dfe9ff435483ae8f8d50d1f474dbd80d0b45c286496e16aba3292efc39e06476796890f1a1d12c926b

Download Submit
C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\svezee_techenie_cheloveko.bat

Filesize
1KB

MD5
7d69c56d73177a09e8434670864ff523

SHA1
47bf55f6d6f6fcc882891cd616ab93947a4ec25e

SHA256
52f04434f1379820ce7dd687e5db5d39ed6f4340ed50c72453fd68df741a9bf0

SHA512
364cd4ae7ad0ea261530a4e34b41d6821440eea2781324f8d832d4559411a174058f0e42454d597a0cb41fa68ab6d7cf961a88289dec33ae9f6338be881f34a2

Download Submit
C:\Program Files (x86)\tokom kak neer delat\ne glad ego kisto4koi\xranilise_vsei_figni_tut.bok

Filesize
99B

MD5
7a13d0dda4820b9427ff6ba226ca625b

SHA1
fc630331447daaf8c83841780e4fc58dc5bb8cf7

SHA256
c7acc4a885cf1df75a1591a395160b267e506e24847704fa57c943eda05da456

SHA512
8950c3dfc77a46bcd022cac116b5b260964f7480cb195d36b1424b3ea7b9bc27df105ddaecc99816c8df786a6832d05b26cc8536cd549ff3e1cf1002b7e706f0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
afa5bc9f93cf57717e039926430a2c87

SHA1
ae8ec8fe21cddf2a7a2c7ad83bc1e32e3c22e3e9

SHA256
77800427c8fff569a7536dbcaceced494e6e2100100234640956fc9738a01b24

SHA512
e5835490560575f141862eb2a9eb8c19479c741552d0b2f21020f84ba9a28ac1721abce9e15a477b35411e773dcef25fbfb27752800fefb08d1694573aaa9728

Download Submit
memory/884-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/936-55-0x0000000000000000-mapping.dmp

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing