c9718b8354f67e040917ac8519dc2f286d53889e6ed7f513cc71e468a3bb3492

General

Target

267.exe
Size

146KB
MD5

068400d929db33e9991f4188f74a3c96
SHA1

d57c6efe65e8d1d60e98acbd5536daa065037011
SHA256

9ffe6cb3a60d37f590e4448c9fdfda66ccf4aa045b727c262d33866fea6ba802
SHA512

6cacd0096a6ccb5486f44b4c1889613a8f0db0075db45ae34577f5dc95c0184f60f3cc992219675faecce47980bf154388eb2403b792db21f26a0c190ce4ada8
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0htpcZVrJ6:3bXE9OiTGfhEClq9GOHrJ6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

4 2804 WScript.exe
7 2804 WScript.exe

flow	pid	process
4	2804	WScript.exe
7	2804	WScript.exe

Drops file in Drivers directory 3 IoCs

Processes:

cmd.exeWScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

Processes:

267.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Compa1\New11\Uninstall.exe	267.exe
File created	C:\Program Files (x86)\Compa1\New11\Uninstall.ini	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\ch092z.bat	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\kolupasi.vbs	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\zubizaba.vbs	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\silk.note	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\skak.riot	267.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

267.execmd.exeWScript.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

267.execmd.exe

description	pid	process	target process
PID 516 wrote to memory of 2772	516	267.exe	cmd.exe
PID 516 wrote to memory of 2772	516	267.exe	cmd.exe
PID 516 wrote to memory of 2772	516	267.exe	cmd.exe
PID 516 wrote to memory of 2772	516	267.exe	cmd.exe
PID 2772 wrote to memory of 2828	2772	cmd.exe	WScript.exe
PID 2772 wrote to memory of 2828	2772	cmd.exe	WScript.exe
PID 2772 wrote to memory of 2828	2772	cmd.exe	WScript.exe
PID 2772 wrote to memory of 2828	2772	cmd.exe	WScript.exe
PID 2772 wrote to memory of 2804	2772	cmd.exe	WScript.exe
PID 2772 wrote to memory of 2804	2772	cmd.exe	WScript.exe
PID 2772 wrote to memory of 2804	2772	cmd.exe	WScript.exe
PID 2772 wrote to memory of 2804	2772	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\267.exe
"C:\Users\Admin\AppData\Local\Temp\267.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Compa1\New11\ch092z.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compa1\New11\kolupasi.vbs"
    3⤵
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compa1\New11\zubizaba.vbs"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Compa1\New11\ch092z.bat

Filesize
1KB

MD5
68dc908dea12ecfbe385dea564e1e050

SHA1
e22a35a206d117d5719329614cd493385d2ff004

SHA256
ca52d263102ff07f9c9f50b514f740f130c87b01c0e8e7dfee99af9bc4142ccd

SHA512
8eb8acab68e024d76a9ec95fa426c96d4b6d659fa47711c4a94f926558499fcd763dce2234b5db44e9d08d0028f13889633c232d54721ba6dae88ecbdd12c70a

Download Submit
C:\Program Files (x86)\Compa1\New11\kolupasi.vbs

Filesize
899B

MD5
427b84c71e9634149a2931de84de0a03

SHA1
cfec7ba4fe09ba83fecfd53d6e1483f1e1e401a2

SHA256
31497aae4731f1f4004f4061940b1e9048423c2a3b7eb149477e53e92c426d36

SHA512
77302000c24addb4ce46a5dd1c54a53eddf62fa8a5ae36bb0fe001b79f3805834b33966fa23e8165ab324435bac1f34bf7f2499e1b85b3ac0a6b151ff29caaff

Download Submit
C:\Program Files (x86)\Compa1\New11\silk.note

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Compa1\New11\skak.riot

Filesize
49B

MD5
b1f7a6ca78673cc6706fc35136284444

SHA1
e0fd1dc7a7744ac1507f1b96ea16d5a86f4d3db4

SHA256
82e77432178658af118b16aa1a04494c138ac86ed407a8d345fcd384e5153119

SHA512
179961c39493ca850bd92f802b58c1ef7e1c51d3464f012e88ca0bcef086173897a8d0da08c550af0688f2d75e4d78f6eb9213c4ed5e45dcb564693f46007a92

Download Submit
C:\Program Files (x86)\Compa1\New11\zubizaba.vbs

Filesize
309B

MD5
ef97c4736187d9e01fb74f18fdcadea9

SHA1
b1cfa056264bece992c4854713bbfa9a2bfe0476

SHA256
db3c11025b3b5d10b047b4ab169a7cddd194e2b983b6ee4d3d7c064e88d830f1

SHA512
96e4231706f98854869853c7f81bf23cf8ba6396fb2f49242f1b4f660b1d97b6e44e3adf185d44e8d6168bc4ad635dc948412da70425039de405824060d05d72

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6b625709543445d82ebd6613a16b692f

SHA1
4663418f7ac8bf57c0fd711ce958cbd8d41c18a4

SHA256
42b5ea3130726ee55078c1a30f33458920884b43ee3034fa092b6a2188d62303

SHA512
8e1b23bb7b17d84bfb9567323d6a3b8e06f480c9cd9b6148b54b716108284a33edcde44aadcb396835916a8d162b4055d2ea683671f74e98dac36f96855b18c6

Download Submit
memory/516-75-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-73-0x0000000002830000-0x0000000002930000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads