1872a080e41bf4ed1f00782501b583d130740cd97329cd554765f4513a7c31d2

General

Target

?????????? ? ?????? ????? ???????? ?????-?????????.jse
Size

5KB
MD5

d330aad3bfd86656f6f3c9271ebefe27
SHA1

442892ac4dc64348d009b8f7d1f8cb2d3522340b
SHA256

1b89fbda3bb65e0f5c2f9aa178082d418393087f37f0a1cd3f68645eec4a834f
SHA512

c869200fe3fcadeda670f78ab5ed327e7672d4b22b9ecdf6089c8aea9493b3f20e474f22a53a586cccdcc51cfe187dce08f38222bc6dc7621696175119bcdf9d

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1056	WScript.exe
6	1056	WScript.exe

Deletes itself 1 IoCs

pid	Process
1056	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\tmp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\tmp_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\tmp_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\.tmp\ = "tmp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\tmp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\tmp_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\.tmp	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\tmp_auto_file\shell\Read	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1384	AcroRd32.exe
1384	AcroRd32.exe
1384	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1876	1056	WScript.exe	29
PID 1056 wrote to memory of 1876	1056	WScript.exe	29
PID 1056 wrote to memory of 1876	1056	WScript.exe	29
PID 1876 wrote to memory of 1772	1876	cmd.exe	31
PID 1876 wrote to memory of 1772	1876	cmd.exe	31
PID 1876 wrote to memory of 1772	1876	cmd.exe	31
PID 1772 wrote to memory of 1384	1772	rundll32.exe	32
PID 1772 wrote to memory of 1384	1772	rundll32.exe	32
PID 1772 wrote to memory of 1384	1772	rundll32.exe	32
PID 1772 wrote to memory of 1384	1772	rundll32.exe	32

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\__________ _ ______ _____ ________ _____-_________.jse"
1⤵
- Blocklisted process makes network request
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\radC8069.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\radC8069.tmp
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\radC8069.tmp"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\radC8069.tmp

Filesize
21KB

MD5
d3293ef33084014272f8242c7bd2405a

SHA1
b44dcfe43658f4491b3e039782f719190ba55b08

SHA256
fa0e3988be923fa2acf1f9456e3ba3b9bdeca33a3f4365cc6b206280967e7a1d

SHA512
67ff6a8fc8c8d0e267e862c083d01e98719501a860cb50d2b961296caaa957737f46c4361953e67dcb0b60fb3aa60e33f8613e76e748e60318e5b176373d18c3

Download Submit
memory/1384-89-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1876-55-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing