19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b

General

Target

19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe
Size

227KB
MD5

a6bb070d438a766d4966ce5ff0a57e0d
SHA1

38daa2d784f17e3f1046c246bca874698ab65e9c
SHA256

19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b
SHA512

8a9757daad0c9456118f10b19cd5910f0b90391da02271a4cd11b2c159a3d1c16a7d6e2181178284f00358294397b9db4479a016aacc83ddc52606c5a9b163cc
SSDEEP

6144:+9o7tHiKg02IwLgnIgRdS6rxKJksoddmwEVT9:6AHiKgHUd9xKJkuz9

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exe

flow pid process

5 1880 wscript.exe
7 1880 wscript.exe
9 1880 wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1880	wscript.exe
7	1880	wscript.exe
9	1880	wscript.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2032 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

952 DllHost.exe

pid	process
2032	PING.EXE

pid	process
952	DllHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.execmd.exewscript.exe

description	pid	process	target process
PID 868 wrote to memory of 2032	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	PING.EXE
PID 868 wrote to memory of 2032	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	PING.EXE
PID 868 wrote to memory of 2032	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	PING.EXE
PID 868 wrote to memory of 2032	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	PING.EXE
PID 868 wrote to memory of 1752	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 868 wrote to memory of 1752	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 868 wrote to memory of 1752	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 868 wrote to memory of 1752	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 868 wrote to memory of 1776	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 868 wrote to memory of 1776	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 868 wrote to memory of 1776	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 868 wrote to memory of 1776	868	19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe	cmd.exe
PID 1776 wrote to memory of 1880	1776	cmd.exe	wscript.exe
PID 1776 wrote to memory of 1880	1776	cmd.exe	wscript.exe
PID 1776 wrote to memory of 1880	1776	cmd.exe	wscript.exe
PID 1776 wrote to memory of 1880	1776	cmd.exe	wscript.exe
PID 1880 wrote to memory of 1472	1880	wscript.exe	cmd.exe
PID 1880 wrote to memory of 1472	1880	wscript.exe	cmd.exe
PID 1880 wrote to memory of 1472	1880	wscript.exe	cmd.exe
PID 1880 wrote to memory of 1472	1880	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe
"C:\Users\Admin\AppData\Local\Temp\19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" 127.0.0.1 -n 1
2⤵
- Runs ping.exe
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.bin" del /f /q "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js"&exit
2⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js" start wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js"
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\wscript.exe
wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.cmd" "
4⤵
PID:1472

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.cmd
Filesize
125KB

MD5
3c2de6d4c2dfecf633e801fd73fdabc4

SHA1
a0d0b824571d9cc621e01c06319d6e546a6a0e25

SHA256
ccd2e89fe77045544f6da21250535cc61c0e5a4f5702a4b8ba7930549a8fed42

SHA512
18b4b52f02f65bb1a11c01664b76f27dc0a9ab610802ed66fccc36e2f174eaabb6fe746689437191d7c9e7e06eee5103be0eed5bbd4b00ec39b97611d4ad7d49

Download Submit
C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.jpg
Filesize
68KB

MD5
fb5e07870199d63c34448b68a84912ee

SHA1
b6e46748c5c5a5d902e20f6e2d45064d3ca4050e

SHA256
03d233031c6d3f6293d82c14e81334935c43a8651d619de4dcdca9dd20e86ffa

SHA512
4c6b8be2710fffff3c3a58bc8d3f803e11308a68e4513f8ffe625d7436d242c6c71203c5b2b6b0b738754bdadbb2e97d6933fb7a10a5dc366ababe8e03250c65

Download Submit
C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js
Filesize
860B

MD5
12558d0bf7d69db70988530eafffeb53

SHA1
e594eacae5147c953f4b57d3ed3449a7699e3078

SHA256
4f2c8969cd573fc8408df3449c88ae1c7f34afa2a176a8fc1e5a68ed3dcf4fde

SHA512
b88ea05c76beb9ba83640df2991b1990ea396550b71a7bfc10198667f7e537539fc68836be302d276aa1a6d2cb2b34aedc3f01c550cde54ae2857136a63d2f03

Download Submit
memory/868-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1472-63-0x0000000000000000-mapping.dmp

Download
memory/1752-57-0x0000000000000000-mapping.dmp

Download
memory/1776-58-0x0000000000000000-mapping.dmp

Download
memory/1880-59-0x0000000000000000-mapping.dmp

Download
memory/2032-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing