c5dd8d65b08a1d339eb6318b1a08ba91d09931d0afbedc4af93b4e3fabfe4fc1

General

Target

download.exe
Size

203KB
MD5

ddc256f409bf0b8e9647497da0c02077
SHA1

5f17007371a209876bec6e467fbbab7634cb93b6
SHA256

5114a34a00f9cb4273df0778733e2ffb006f74a065ecc0e82311f6ceb8bd2e09
SHA512

d4d10039597dcdde99d8b25e4c5bcaad7514dc54f2296220e7fd108e02030b926943f53d2c622f8212340f48c9568dc000432a8ab83052c64c15c3bcfc4eed12
SSDEEP

3072:rBAp5XhKpN4eOyVTGfhEClj8jTk+0hJ8D4RD0c0rpOdt/46KC5NV/2iBY:WbXE9OiTGfhEClq9YKXcP7/UCpS

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2244	WScript.exe
5	2244	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\a\222\dd11\kokoloda.da	download.exe
File opened for modification	C:\Program Files (x86)\a\222\1a8.bat	download.exe
File opened for modification	C:\Program Files (x86)\a\222\dd11\8546f9rtrty464b17.vbs	download.exe
File opened for modification	C:\Program Files (x86)\a\222\dd11\0a93c4e8557cb61c55ee.vbs	download.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2792	1572	download.exe	28
PID 1572 wrote to memory of 2792	1572	download.exe	28
PID 1572 wrote to memory of 2792	1572	download.exe	28
PID 1572 wrote to memory of 2792	1572	download.exe	28
PID 1572 wrote to memory of 2244	1572	download.exe	30
PID 1572 wrote to memory of 2244	1572	download.exe	30
PID 1572 wrote to memory of 2244	1572	download.exe	30
PID 1572 wrote to memory of 2244	1572	download.exe	30
PID 1572 wrote to memory of 2032	1572	download.exe	31
PID 1572 wrote to memory of 2032	1572	download.exe	31
PID 1572 wrote to memory of 2032	1572	download.exe	31
PID 1572 wrote to memory of 2032	1572	download.exe	31

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\a\222\1a8.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\a\222\dd11\0a93c4e8557cb61c55ee.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\a\222\dd11\8546f9rtrty464b17.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\a\222\1a8.bat

Filesize
5KB

MD5
de147ce6ba1d1943dafb2e5f863516a4

SHA1
a090f0df6ba6874d2d1380efcc2d471854f6d86a

SHA256
df3746b241d470e51ce2d1c1c87ba8f4c1fb7598712c37b7a8bc37dd79e2378d

SHA512
e197eda48fc1e720d4839f13112dec4e8bfc1932b6168e812cca8326cc9dd4b9cd583285da00d3e6bc455d11e33e015a3b134b65389f2e0eb72691315b145bba

Download Submit
C:\Program Files (x86)\a\222\dd11\0a93c4e8557cb61c55ee.vbs

Filesize
512B

MD5
47d274be3586757ba8e79a432db848a3

SHA1
4f53bd2d2308849fe993e3a475a7bccd430d5d81

SHA256
bf04ec8c40ffe1281422fe5944bad405587c6ad1ee4226f85b0915c8b573add1

SHA512
4b90229cd9ac8ee81c9dce0292dc3881d6d7028525e77b412e138a6fc44fa5236518c419865a093440c27dbd00bbbc58326619122138ace6c35f89b123c68175

Download Submit
C:\Program Files (x86)\a\222\dd11\8546f9rtrty464b17.vbs

Filesize
638B

MD5
bb461184f044aca28b37faec5030b29a

SHA1
1f712dd2138a0a1c64f3da2881b22cedffa0c7a3

SHA256
8869ea1e9535b4e846c39458e121b625b08781748fe004a81bd91552ddffacf8

SHA512
329fdc364d6f44e67ecc17f38eafcd8a0a5315bb729d4a067779d35596ba417a3b90cdf8100dc0774ddf3fdef4a91c62ebd8f9c87bf04e55e8fef6f3052aec66

Download Submit
C:\Program Files (x86)\a\222\dd11\kokoloda.da

Filesize
91B

MD5
fdf80ba0d1c8aecbe41796eda51c2ca7

SHA1
f23f744f124d18444586c39f2a4eeaef5ee295a8

SHA256
55e136d79fef1b1e38269f95b57c4fb4637dd4909d3765886672a820afbf5f3b

SHA512
fdfa96e64551f03d79bc62612cdb1b5a3059fc7d9d77d5c5a9141cb3e3910effd98d4e6711b70a0dad8e6785a4fa3bd171f6bbd384d82285406b7e2537c2d784

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
8b4fcc57447eb585a0c58bbf25c95d4a

SHA1
7ed2636f75019d489a0618c2faad9148ab6709d8

SHA256
294873a0ca32766a925daab324720adf10307dff6c0fd7532eacc50563114f39

SHA512
969f8d4e80a54e48c99e563c8fa71ec76f574087d93da36b4a051fb179c7fd9182515228916c9924b35b92fd65d6b5e9dab145de03dca58f7394e6373ae069a8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d3fb08f5c670ac93c13de5621034466f

SHA1
199901a7805f143647461d376216d5610e49dba9

SHA256
18e1aceb1a462039c5e228c0500eeb6508bd1c557c58ff9ada8a4ec20d7e0ecd

SHA512
1b120c0aed4c845b21f7a61ca7dad78a391b58c469086e78fac554a465c4f9e9aab9496afc20d0e18ce5c0aa828858acbb82b9dd1ebd521b1e31498a580ac6c1

Download Submit
memory/1572-37-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing