27a9e51066039125da5ec58a97e5d79eb9322701db816bc33410d5cf36446a73

General

Target

26bc956e39cb8676067ba6b42949ad46.exe
Size

180KB
MD5

26bc956e39cb8676067ba6b42949ad46
SHA1

750f03419f638806a095aa5c0a2c043fa14d5083
SHA256

27a9e51066039125da5ec58a97e5d79eb9322701db816bc33410d5cf36446a73
SHA512

e7e77c99d035e098cb8b2952a69bc40b3ccf4cc85f1240aec9b34a13ba75a70d4c0496055b45926255376ed1f1e40dd6da1a8c904db7345b9714fc28940251c3
SSDEEP

3072:CBAp5XhKpN4eOyVTGfhEClj8jTk+0h4tzQn7:RbXE9OiTGfhEClq919Q7

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	4076	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	26bc956e39cb8676067ba6b42949ad46.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat	26bc956e39cb8676067ba6b42949ad46.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs	26bc956e39cb8676067ba6b42949ad46.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs	26bc956e39cb8676067ba6b42949ad46.exe
File opened for modification	C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\she.he	26bc956e39cb8676067ba6b42949ad46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	26bc956e39cb8676067ba6b42949ad46.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 4888	1636	26bc956e39cb8676067ba6b42949ad46.exe	56
PID 1636 wrote to memory of 4888	1636	26bc956e39cb8676067ba6b42949ad46.exe	56
PID 1636 wrote to memory of 4888	1636	26bc956e39cb8676067ba6b42949ad46.exe	56
PID 1636 wrote to memory of 4076	1636	26bc956e39cb8676067ba6b42949ad46.exe	53
PID 1636 wrote to memory of 4076	1636	26bc956e39cb8676067ba6b42949ad46.exe	53
PID 1636 wrote to memory of 4076	1636	26bc956e39cb8676067ba6b42949ad46.exe	53
PID 1636 wrote to memory of 1276	1636	26bc956e39cb8676067ba6b42949ad46.exe	54
PID 1636 wrote to memory of 1276	1636	26bc956e39cb8676067ba6b42949ad46.exe	54
PID 1636 wrote to memory of 1276	1636	26bc956e39cb8676067ba6b42949ad46.exe	54

C:\Users\Admin\AppData\Local\Temp\26bc956e39cb8676067ba6b42949ad46.exe
"C:\Users\Admin\AppData\Local\Temp\26bc956e39cb8676067ba6b42949ad46.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\The first evidence\Guatemala is a magical\08a4415e9d594ff960030b921d42b91e.bat

Filesize
2KB

MD5
7953eb5761e5f03dd4689d59dea86e91

SHA1
90364693df9b0f3ca71e18685c4287d653d4eb24

SHA256
1f6c829df7891859a7f6ccf4f1e8b97aa9ad704888adf85181a22aabcc83e830

SHA512
5d19b40e9e3960721a9c1fe9d4c0d065b52d1016b81e19503eae4d62b89c87fd56cb5d34badfe8b41e6388666f7f2a69a62bf29ad77ad434bb8cfacf35cdf77a

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\63c4da4fde984fa5c719cdcf2147ab7f.vbs

Filesize
454B

MD5
b39ceb9ce3b2753dd4023ef2cf6f488e

SHA1
bebabd1454913885029a2e57edb6d3a1c8873387

SHA256
04bb5e68fd4d85ea4e0559033e507ece59aa5786927dbad62c1f20fb7ba8928a

SHA512
37ead6f8effadacd5f421e2e36c6f0b78341ddc37f02743b8648de4d59a4c304eafdb8e18816024ef6f9cac5311d92ed8c8bf984351d075689d28808074cdf3f

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\87dba6b5e5e739d7a8506bbceb19e4be.vbs

Filesize
516B

MD5
5799a3cdd814d5fd64c2012a1a6441e8

SHA1
a8098bdf657f146156a3ebebacaabf06e1685a85

SHA256
e23768e2dfcc10fa05d33809e1717d2d9c1f685584f29a8e5da4a5df4c80edf0

SHA512
557f0d3b1ed338c74dc5d79740368f1cb353763c7eaec14741557f39446799a6390b57de83e0ee02757316411f0267e105163a62b4e1d7531ae9d4cd8d796d24

Download Submit
C:\Program Files (x86)\The first evidence\Guatemala is a magical\ee\she.he

Filesize
102B

MD5
edc3562dbbc6cc8d7f19ebb3ab9314d5

SHA1
b7c5b76161bd34c89fef25e15fc6b56649607ed8

SHA256
5a0e42b959d43df1151a71d3825973fbf1f4a10fd76d31c1188f206e0f0e01d7

SHA512
a8e03b0bdc4cfe8232f2e2961be1cab2b989bba96be0a94167f632be64a6cb12ae110c2ff4b2b9b1375a5f0ea4236e2c54fea9e3d628c55aca2b40c60367aca5

Download Submit
memory/1636-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing