8dc2d31e099d444dad67796bb29b11e758c133b8342d648ed31ed20c48bff673

General

Target

1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe
Size

180KB
MD5

1ebfdfdd77bf4dc347eb5ca1ff4455e5
SHA1

2116a8691d4ac4fc8327a177ce9c71e74cfd8977
SHA256

8dc2d31e099d444dad67796bb29b11e758c133b8342d648ed31ed20c48bff673
SHA512

bc64bc03b7092af105dac27aed8d8d39cd0da45edf340f3ff43442ec5151ae062b92ea17075d960587d662820c397157617eba51e319b979353eb8398f051342
SSDEEP

3072:IBAp5XhKpN4eOyVTGfhEClj8jTk+0hFCvAS7naIbx:/bXE9OiTGfhEClq9a6rx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1932	WScript.exe
5	1932	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\kolu.pa	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe
File opened for modification	C:\Program Files (x86)\Request Sample\Subscribe to SERVO\e0323a9039add2978bf5b49550572c7c.bat	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe
File opened for modification	C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\d68005ccf362b82d084551b6291792a3.vbs	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe
File opened for modification	C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\a964065211872fb76f876c6c3e952ea3.vbs	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2676	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	28
PID 2488 wrote to memory of 2676	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	28
PID 2488 wrote to memory of 2676	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	28
PID 2488 wrote to memory of 2676	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	28
PID 2488 wrote to memory of 1932	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	30
PID 2488 wrote to memory of 1932	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	30
PID 2488 wrote to memory of 1932	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	30
PID 2488 wrote to memory of 1932	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	30
PID 2488 wrote to memory of 2704	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	31
PID 2488 wrote to memory of 2704	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	31
PID 2488 wrote to memory of 2704	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	31
PID 2488 wrote to memory of 2704	2488	1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe	31

C:\Users\Admin\AppData\Local\Temp\1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe
"C:\Users\Admin\AppData\Local\Temp\1ebfdfdd77bf4dc347eb5ca1ff4455e5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Request Sample\Subscribe to SERVO\e0323a9039add2978bf5b49550572c7c.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\d68005ccf362b82d084551b6291792a3.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\a964065211872fb76f876c6c3e952ea3.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Request Sample\Subscribe to SERVO\e0323a9039add2978bf5b49550572c7c.bat

Filesize
2KB

MD5
4636aedf9d24428c027af2ef905f10f6

SHA1
ea0930d2359b1ad674451132b02064c1a92a12d5

SHA256
ff34f6a6a68c39cf99305dbf2d950896cfde90949191849f177ed583eb49eb1c

SHA512
c51eae1d7e7f1ebb20c2c249497061ec06b1ee8d59bcfc8e0de6945b5d7debb6ecacdf9877e4e7d3ec49ad96a771609f4fe8795de79e7974142fcd3cb9b4855f

Download Submit
C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\a964065211872fb76f876c6c3e952ea3.vbs

Filesize
449B

MD5
d05d07253e92908318af7785bca395d2

SHA1
e35cf2ace7473784cb69ac30c9e6d9725ea3ae65

SHA256
487afcf4b8aad2af68d3b9e7b3c5537244feab410db8cd47203539c8aa60c16c

SHA512
3b96f8808fb729779c001895146e91d7c49a1921a06629d14ca3c3200f195df85864afe651678ad7cf8bd3b2139c04cb4aed89e00a5c8369b8fd5bf968e93529

Download Submit
C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\d68005ccf362b82d084551b6291792a3.vbs

Filesize
337B

MD5
a2fb37ac511008cfee1b213d4cff4a9e

SHA1
5a628d71a01b19a89aaf4af86c1f5d3449b927fb

SHA256
5521078cdc928887ebe9aaaf6b1f59c38e2e4baceb32015d994cd01e1ecb2171

SHA512
44056b007a80ac74daec9fbcc22961891fa5a7f46bf3763d1198ba045dfdcac8867f294c90b288b1200b9adee91afb1198d7a47c35d8f9b39f9416d46231ca7a

Download Submit
C:\Program Files (x86)\Request Sample\Subscribe to SERVO\ññ\kolu.pa

Filesize
44B

MD5
139763fcfc7b22fdd8c85f48120fe7be

SHA1
57556b4c007c6b0451396cb4c85708f1bd8b5836

SHA256
735cba7336fcd6572f452c66184dfd0321a5eeed21ed383a51d4961eae4cdfaf

SHA512
c3c98654f9632cd132188325df6ca041704ca6f3cd775151817cf3124828de615049d0473ca521223de73b8b3a4c69a1b1774cabb366e463aeda46f2255bb054

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1919b6eb1deffbc68c794be7eaa7634c

SHA1
ef77bfcfb8da6a2b94263142b7295df483ece122

SHA256
f24060d88530ad06878b03bc400d0000800ef612e1403a51913b8a04d80cd79d

SHA512
ea53cac432765d3b75eb5c2e76e2f7e12c22a6407b3041d005fca75d326c582768ffe3762e368c9e8a89993248dca8cd4bf03babcc4014ce28a935e1914863e5

Download Submit
memory/2488-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing