e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39

General

Target

e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe
Size

639KB
MD5

5185850a2e9b31d47475969f77da64e5
SHA1

936da4181f4d281038b470048063479a459b21fe
SHA256

e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39
SHA512

fe4a3607d64f9d320e1df907280f10eac4da91141d1ab727982d4cab4194b34d2220f63a667b166ae118c0b621b02f47c354f9392ff9ee40a9d991a081bbedbb
SSDEEP

12288:qXbWzxWsXJpE04glCFZs/U+eLhuU9y02ud3Np39jJ5wJE4MsGZ4Q:dXU04Iws/09djJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2804	AUDIODG.EXE
Token: 33	2804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2804	AUDIODG.EXE
Token: 33	1176	WScript.exe
Token: SeIncBasePriorityPrivilege	1176	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2700	1644	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe	29
PID 1644 wrote to memory of 2700	1644	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe	29
PID 1644 wrote to memory of 2700	1644	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe	29
PID 1644 wrote to memory of 2700	1644	e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe	29
PID 2700 wrote to memory of 1176	2700	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe	30
PID 2700 wrote to memory of 1176	2700	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe	30
PID 2700 wrote to memory of 1176	2700	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe	30
PID 2700 wrote to memory of 1176	2700	MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe	30

C:\Users\Admin\AppData\Local\Temp\e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe
"C:\Users\Admin\AppData\Local\Temp\e1f8b00f05923dce7e47d5de0cff7c928e08dead70c11483b66bb623076c6b39.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe
  "C:\Users\Admin\AppData\Local\Temp\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MEGA_UKUPNIK_MINUS_USHI_by_LuckyKazya.exe

Filesize
751KB

MD5
6d2d42f4cf64f23def041b16c4a591d1

SHA1
06c9da003fcce27caf71ea4cd23f3897a4e8c184

SHA256
9abe739d093133b3aaf5512dd0b6799ee2bc4b108466622b982d5233446aee6d

SHA512
926195935e5b001f60dd26c1b4f36c89723a710ee8e4b6bf5a1c9db5918969b1aabbaa7d359a06e6cec84267afd2c1f315a30bfb46d1944b9986dc42dc099bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SSS.mp3

Filesize
646KB

MD5
cfc09a9a46f1910b13200df435483c6f

SHA1
cdd3cb2b197728d7445d478378e6140185cbaefc

SHA256
4168c7692e7c8c02fe9df4752422d217f1a92247fcd90114ac419a58bbdf784f

SHA512
34dc498968ba7bc43cac96d0e6490a2b2d0766c38824982c1dd04ee299baac969635c2fa4c7b962e5aa85786f40641fdec300c488627c898929341c02fc3a919

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
7cbcceb16259fc7371af338c0e44ed3a

SHA1
b260e12cdc0079b4773ed93de0fe961062ee1549

SHA256
52d886707355893ed4879c4865a3b135e1d9c870478bc0be273eb5259f9d9408

SHA512
d528946ba9ebf5943ba83f62c8221f34bb027a2391f3cc65f4dc9473575a08eb3906e57f9c9769c8ee5586e12f9fee2f9eabb4b69db70bb30c7f832407c96aeb

Download Submit
memory/1644-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x0000000000C70000-0x0000000000D16000-memory.dmp

Filesize
664KB

Download
memory/1644-8-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-18-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing