c9718b8354f67e040917ac8519dc2f286d53889e6ed7f513cc71e468a3bb3492

General

Target

267.exe
Size

146KB
MD5

068400d929db33e9991f4188f74a3c96
SHA1

d57c6efe65e8d1d60e98acbd5536daa065037011
SHA256

9ffe6cb3a60d37f590e4448c9fdfda66ccf4aa045b727c262d33866fea6ba802
SHA512

6cacd0096a6ccb5486f44b4c1889613a8f0db0075db45ae34577f5dc95c0184f60f3cc992219675faecce47980bf154388eb2403b792db21f26a0c190ce4ada8
SSDEEP

3072:ABAp5XhKpN4eOyVTGfhEClj8jTk+0htpcZVrJ6:3bXE9OiTGfhEClq9GOHrJ6

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

4 3028 WScript.exe

flow	pid	process
4	3028	WScript.exe

Drops file in Drivers directory 3 IoCs

Processes:

WScript.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

267.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	267.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

Processes:

267.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Compa1\New11\kolupasi.vbs	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\zubizaba.vbs	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\silk.note	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\skak.riot	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\Uninstall.exe	267.exe
File created	C:\Program Files (x86)\Compa1\New11\Uninstall.ini	267.exe
File opened for modification	C:\Program Files (x86)\Compa1\New11\ch092z.bat	267.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

267.execmd.exeWScript.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

267.execmd.exe

description	pid	process	target process
PID 3948 wrote to memory of 2220	3948	267.exe	cmd.exe
PID 3948 wrote to memory of 2220	3948	267.exe	cmd.exe
PID 3948 wrote to memory of 2220	3948	267.exe	cmd.exe
PID 2220 wrote to memory of 5056	2220	cmd.exe	WScript.exe
PID 2220 wrote to memory of 5056	2220	cmd.exe	WScript.exe
PID 2220 wrote to memory of 5056	2220	cmd.exe	WScript.exe
PID 2220 wrote to memory of 3028	2220	cmd.exe	WScript.exe
PID 2220 wrote to memory of 3028	2220	cmd.exe	WScript.exe
PID 2220 wrote to memory of 3028	2220	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\267.exe
"C:\Users\Admin\AppData\Local\Temp\267.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Compa1\New11\ch092z.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compa1\New11\kolupasi.vbs"
    3⤵
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    PID:5056
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compa1\New11\zubizaba.vbs"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Compa1\New11\ch092z.bat

Filesize
1KB

MD5
68dc908dea12ecfbe385dea564e1e050

SHA1
e22a35a206d117d5719329614cd493385d2ff004

SHA256
ca52d263102ff07f9c9f50b514f740f130c87b01c0e8e7dfee99af9bc4142ccd

SHA512
8eb8acab68e024d76a9ec95fa426c96d4b6d659fa47711c4a94f926558499fcd763dce2234b5db44e9d08d0028f13889633c232d54721ba6dae88ecbdd12c70a

Download Submit
C:\Program Files (x86)\Compa1\New11\kolupasi.vbs

Filesize
899B

MD5
427b84c71e9634149a2931de84de0a03

SHA1
cfec7ba4fe09ba83fecfd53d6e1483f1e1e401a2

SHA256
31497aae4731f1f4004f4061940b1e9048423c2a3b7eb149477e53e92c426d36

SHA512
77302000c24addb4ce46a5dd1c54a53eddf62fa8a5ae36bb0fe001b79f3805834b33966fa23e8165ab324435bac1f34bf7f2499e1b85b3ac0a6b151ff29caaff

Download Submit
C:\Program Files (x86)\Compa1\New11\silk.note

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Compa1\New11\skak.riot

Filesize
49B

MD5
b1f7a6ca78673cc6706fc35136284444

SHA1
e0fd1dc7a7744ac1507f1b96ea16d5a86f4d3db4

SHA256
82e77432178658af118b16aa1a04494c138ac86ed407a8d345fcd384e5153119

SHA512
179961c39493ca850bd92f802b58c1ef7e1c51d3464f012e88ca0bcef086173897a8d0da08c550af0688f2d75e4d78f6eb9213c4ed5e45dcb564693f46007a92

Download Submit
C:\Program Files (x86)\Compa1\New11\zubizaba.vbs

Filesize
309B

MD5
ef97c4736187d9e01fb74f18fdcadea9

SHA1
b1cfa056264bece992c4854713bbfa9a2bfe0476

SHA256
db3c11025b3b5d10b047b4ab169a7cddd194e2b983b6ee4d3d7c064e88d830f1

SHA512
96e4231706f98854869853c7f81bf23cf8ba6396fb2f49242f1b4f660b1d97b6e44e3adf185d44e8d6168bc4ad635dc948412da70425039de405824060d05d72

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
370e694a32dad2c086ac79287bef4803

SHA1
8d6d22f19606b51bbde2c70be99f0fe8ab8dfbdd

SHA256
78f59b69d31ce97663bf1f3dec96fe57463595d9dc960422b18df31dcfc7d20e

SHA512
89af119a2decdd92ba8765f7ebc79303acc86d0d8dac1de4d50c7dc7420248751f9bcc907e08a5ba5f5af73ec99057add9480d2479a1305ca67af46604dfc383

Download Submit
memory/3948-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads