f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa

General

Target

f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe
Size

227KB
MD5

e2335a973c55b516a4c75a4c69b417c2
SHA1

30ff1132c6f53c999db664f3b0c60d7828ace515
SHA256

f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa
SHA512

1f1e271ba8d7a9edff494a1b64f2a7f99c39ccab94552680308f6acc862c19a0a492f0f88954ff9d8c04dfe759c62ad151454e48b46ad25a0e998f4b3397b7de
SSDEEP

6144:H9o7tHiKg02IwLgnIgRdS6+0KJksoddmwEVTy:dAHiKgHcdg0KJkuzy

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exe

flow pid process

4 1536 wscript.exe
6 1536 wscript.exe
8 1536 wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
4	1536	wscript.exe
6	1536	wscript.exe
8	1536	wscript.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1708 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2044 DllHost.exe

pid	process
1708	PING.EXE

pid	process
2044	DllHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.execmd.exewscript.exe

description	pid	process	target process
PID 1012 wrote to memory of 1708	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	PING.EXE
PID 1012 wrote to memory of 1708	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	PING.EXE
PID 1012 wrote to memory of 1708	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	PING.EXE
PID 1012 wrote to memory of 1708	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	PING.EXE
PID 1012 wrote to memory of 668	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 1012 wrote to memory of 668	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 1012 wrote to memory of 668	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 1012 wrote to memory of 668	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 1012 wrote to memory of 576	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 1012 wrote to memory of 576	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 1012 wrote to memory of 576	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 1012 wrote to memory of 576	1012	f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe	cmd.exe
PID 576 wrote to memory of 1536	576	cmd.exe	wscript.exe
PID 576 wrote to memory of 1536	576	cmd.exe	wscript.exe
PID 576 wrote to memory of 1536	576	cmd.exe	wscript.exe
PID 576 wrote to memory of 1536	576	cmd.exe	wscript.exe
PID 1536 wrote to memory of 1068	1536	wscript.exe	cmd.exe
PID 1536 wrote to memory of 1068	1536	wscript.exe	cmd.exe
PID 1536 wrote to memory of 1068	1536	wscript.exe	cmd.exe
PID 1536 wrote to memory of 1068	1536	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe
"C:\Users\Admin\AppData\Local\Temp\f62aeeb494c19159f77d6b86734d9c7f08e707eb2370a4a7fdeefe97d6f7dbaa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" 127.0.0.1 -n 1
2⤵
- Runs ping.exe
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.bin" del /f /q "C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.js"&exit
2⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.js" start wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.js"
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\wscript.exe
wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.js"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.cmd" "
4⤵
PID:1068

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.cmd

Filesize
125KB

MD5
444b3e0250fdc892e6a745b115f79ae9

SHA1
85e1502bfdbbf4ee292ae8a9df56a74c0aac4a8f

SHA256
d035dd31971a16a0ec8dc6c8c6baf00bd4346e843d697ae3aed32b81dd72e672

SHA512
3915640831d2e0d3fd9ed1d641f906c4f71a46f77f55a434add29bf5fbaa7a8f8c8837b7638377ccec58479d7b86d1e8af36ef156415a10d25308eee5d73bbb6

Download Submit
C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.jpg

Filesize
68KB

MD5
fb5e07870199d63c34448b68a84912ee

SHA1
b6e46748c5c5a5d902e20f6e2d45064d3ca4050e

SHA256
03d233031c6d3f6293d82c14e81334935c43a8651d619de4dcdca9dd20e86ffa

SHA512
4c6b8be2710fffff3c3a58bc8d3f803e11308a68e4513f8ffe625d7436d242c6c71203c5b2b6b0b738754bdadbb2e97d6933fb7a10a5dc366ababe8e03250c65

Download Submit
C:\Users\Admin\AppData\Roaming\1881795ffa4793d2fd6056125afe580c.js

Filesize
862B

MD5
ab0c4dcd9c94f9b965beaf99615ef383

SHA1
3dbf92b522955119ef5ac02de626d0f3d70aa717

SHA256
1c3a7fa85db82b3ec4ea0625c3bda096ce6dd4f0d32cceca99ea3959280ca1a8

SHA512
262e3b836b51403755d9cd6500328dccb2b7bf61542c9d8c8f988907bc5c9fdda5060ff7e17e5d488240015ec4ac35f4fc01aa524f5af7180b52eef3be63c230

Download Submit
memory/576-58-0x0000000000000000-mapping.dmp

Download
memory/668-57-0x0000000000000000-mapping.dmp

Download
memory/1012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1068-63-0x0000000000000000-mapping.dmp

Download
memory/1536-59-0x0000000000000000-mapping.dmp

Download
memory/1708-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing