fbabc4e5a6470606fc64c39c182b5a7a71f8fa96f50c67725d52abf184f75fd4

General

Target

Диверсанти file‮‮rar.scr
Size

2.0MB
MD5

bcdab4ae622811f699765bfb9cb909d2
SHA1

04bc53294ed74b6630c20c02afbc97f2772e2e31
SHA256

6149680c8541980d46c17681e37e4751e2baca1d13ee648b8188dfb24bf56f7c
SHA512

16c4c6b8cd6b8bca380c743d614f54adf803ac2302c677347b9a984d7d5e9024deed11ebc6464414bcb09ae0d8ebcdea2991415fd42a61fe95f6f46dacee6fc7
SSDEEP

49152:UbA30conkEwqU7XgaN2b2so1KkZzNNaixhpN:UbVRtYX1QCsYaix7N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2676	dhdhk0k34.com
2796	Skype.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2796	Skype.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	Skype.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2512	1952	Диверсанти file‮‮rar.scr	28
PID 1952 wrote to memory of 2512	1952	Диверсанти file‮‮rar.scr	28
PID 1952 wrote to memory of 2512	1952	Диверсанти file‮‮rar.scr	28
PID 1952 wrote to memory of 2512	1952	Диверсанти file‮‮rar.scr	28
PID 2512 wrote to memory of 2676	2512	wscript.exe	29
PID 2512 wrote to memory of 2676	2512	wscript.exe	29
PID 2512 wrote to memory of 2676	2512	wscript.exe	29
PID 2512 wrote to memory of 2676	2512	wscript.exe	29
PID 2232 wrote to memory of 2796	2232	taskeng.exe	31
PID 2232 wrote to memory of 2796	2232	taskeng.exe	31
PID 2232 wrote to memory of 2796	2232	taskeng.exe	31
PID 2232 wrote to memory of 2796	2232	taskeng.exe	31
PID 2796 wrote to memory of 1052	2796	Skype.exe	32
PID 2796 wrote to memory of 1052	2796	Skype.exe	32
PID 2796 wrote to memory of 1052	2796	Skype.exe	32
PID 2796 wrote to memory of 1052	2796	Skype.exe	32
PID 2796 wrote to memory of 1052	2796	Skype.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Диверсанти file‮‮rar.scr
"C:\Users\Admin\AppData\Local\Temp\Диверсанти file‮‮rar.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" //B //E:vbs "Thumbs.db"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Public\dhdhk0k34.com
    "C:\Users\Public\dhdhk0k34.com"
    3⤵
    - Executes dropped EXE
    PID:2676

C:\Windows\system32\taskeng.exe
taskeng.exe {EE2B83DA-3697-42F1-A062-793C50FE1C09} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Public\Skype.exe
  C:\Users\Public\Skype.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thumbs.db

Filesize
2.0MB

MD5
b5525108912ee8d5f1519f1b552723e8

SHA1
426d8a2289a234de5f647950a745fe228ca6d495

SHA256
d324d7f30984931176ff878a81c7c1f4f979ad3d759c7f33427bba10d9deb1f6

SHA512
06c359599a502e9d1c40edc1be4354a7ca1d06d8651b238d814161a8374d4371cd9b1ed9f3732862bc2b0e6c69c92d2bca564dcae514be3873773e50c3b904e9

Download Submit
C:\Users\Public\Skype.exe

Filesize
328KB

MD5
18e73cc3d5eda742530ba3fef59e3943

SHA1
5ac79ec558347889d54d69e8e24e011683a58520

SHA256
37e644deee0add76bac9c5121355a03a459b1a97917383765bf3df94e9af7e29

SHA512
239172efe4bd81be87fa4fda5462cd40dd03c1b8bb659f46efb11e7502343af450de8b58883eae6feb175db19be1ed2d52a83f0e46b8bea9ccbd5db502fd4675

Download Submit
\Users\Public\dhdhk0k34.com

Filesize
394KB

MD5
3303286735a07ae5d14db9c12843d44e

SHA1
18a590741330ec1968b229a1acdba2f08151909c

SHA256
f98e1e61c84a5ed098e7481ab339e2881195f4d1b101c92b81113eb7ff56e63d

SHA512
c12f0d6fd37d5add73d37a0575c3e0e6f47d536e440c82d3a4e1b994cb4b56e6e10aaa96f17b267625a6cef9af37baa5bbb112ce72c4b425d5c5b42cfda18032

Download Submit
memory/1052-54-0x00000000000D0000-0x000000000011B000-memory.dmp

Filesize
300KB

Download
memory/1052-56-0x00000000000D0000-0x000000000011B000-memory.dmp

Filesize
300KB

Download
memory/2676-37-0x0000000001260000-0x00000000012C8000-memory.dmp

Filesize
416KB

Download
memory/2676-38-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-39-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2676-40-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2676-44-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-47-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-50-0x0000000000E60000-0x0000000000EA0000-memory.dmp

Filesize
256KB

Download
memory/2796-51-0x00000000779F0000-0x0000000077AC6000-memory.dmp

Filesize
856KB

Download
memory/2796-52-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-53-0x0000000000E60000-0x0000000000EA0000-memory.dmp

Filesize
256KB

Download
memory/2796-49-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/2796-55-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-48-0x0000000001270000-0x00000000012C8000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing