a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513

General

Target

a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe
Size

762KB
MD5

5248363663a3870aaf804f823a8c16ba
SHA1

addd9ab47d25f829bbc461d841d63a377fbf0589
SHA256

a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513
SHA512

c1a0aa2e693605be8dc4c6961a2a03c5cb46d54545f4c2ed9b81720a6f2b6cc3b66a54ededa4a9800f673d01a853c8fa7b34de6618e49dbc7c365e825b293aeb
SSDEEP

12288:8AHiKgH2vkEg4qQ49lzWK134AR0WuYGM7wxa9f:8ACK3JAWK13nuW1Au

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	684	wscript.exe
6	684	wscript.exe
8	684	wscript.exe
10	684	wscript.exe
12	684	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1612	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1692	DllHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1612	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	28
PID 944 wrote to memory of 1612	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	28
PID 944 wrote to memory of 1612	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	28
PID 944 wrote to memory of 1612	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	28
PID 944 wrote to memory of 268	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	30
PID 944 wrote to memory of 268	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	30
PID 944 wrote to memory of 268	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	30
PID 944 wrote to memory of 268	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	30
PID 944 wrote to memory of 1848	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	33
PID 944 wrote to memory of 1848	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	33
PID 944 wrote to memory of 1848	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	33
PID 944 wrote to memory of 1848	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	33
PID 944 wrote to memory of 1720	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	35
PID 944 wrote to memory of 1720	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	35
PID 944 wrote to memory of 1720	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	35
PID 944 wrote to memory of 1720	944	a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe	35
PID 1720 wrote to memory of 684	1720	cmd.exe	37
PID 1720 wrote to memory of 684	1720	cmd.exe	37
PID 1720 wrote to memory of 684	1720	cmd.exe	37
PID 1720 wrote to memory of 684	1720	cmd.exe	37
PID 684 wrote to memory of 1628	684	wscript.exe	40
PID 684 wrote to memory of 1628	684	wscript.exe	40
PID 684 wrote to memory of 1628	684	wscript.exe	40
PID 684 wrote to memory of 1628	684	wscript.exe	40

C:\Users\Admin\AppData\Local\Temp\a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe
"C:\Users\Admin\AppData\Local\Temp\a94580c60e3a7fefc2531251d3920959baf0f837974a5b1839811cfe0e100513.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\r1EB20u.jpg" "C:\Users\Admin\AppData\Roaming\r1EB20u.jpg"
  2⤵
  PID:268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\rtv.bin" del /f /q "C:\Users\Admin\AppData\Roaming\ws.js"&exit
  2⤵
  PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\ws.js" start wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\ws.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\ws.js"
    3⤵
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\sysfile.cmd" "
      4⤵
      PID:1628

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\r1EB20u.jpg

Filesize
124KB

MD5
5acc8fc1a2e6dc797704068df189bab9

SHA1
93fdfb1c32572c8c94bc04e1472d191e8fd75745

SHA256
fd9eec3e6400318f912defe578e2e84567b187bb30417671fa8e4ec21c0f7548

SHA512
c6b07779abc66d0f73dfc75b304a76f3825767fc77495c1b6436fed499566c612c5c569917ac9e8f3831059673902c2a57b1c18f392735c44e87340fd06d8e4e

Download Submit
C:\Users\Admin\AppData\Roaming\sysfile.cmd

Filesize
125KB

MD5
f681b2729b4c1acbba3b82f682032a14

SHA1
b7eddf2138f313c38e259eda22f990b42b8949ec

SHA256
d38980772bcb6aa20188f99738c9da5d80e3aefea243e4c1a32838c869aa5215

SHA512
7ce3cd2009eb442fa74759988213aeb85a814519574c5a91b8cc6b29f366025db5a5b480d69a7d8b7305052661ef6266c19f54368ce5cbb65073f3f08b775378

Download Submit
C:\Users\Admin\AppData\Roaming\ws.js

Filesize
952B

MD5
76ba79e64fb59a3f529491b4d87a1e3b

SHA1
ac1423a8c95f0081e230c19cdc17b6bc7b9b21f9

SHA256
6576f649253d6b85d33bea91fa2b72f8a603567ab393ea09d9d877619b83459f

SHA512
68b75d5ebe265f215680506f8142810a377ca8d5dae583d18bf2b5af94f8800729830ac82d3f52907925b9a58db4dbb606888d2072bcf6ca319dc83dd385e1ca

Download Submit
memory/944-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing