947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2

General

Target

947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe
Size

224KB
MD5

267655ebca4e4261d58556e007ecd5b1
SHA1

05e0d60628978cae7ebf98c45646ff785c1f2dd5
SHA256

947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2
SHA512

ebab316a4353dab3cc5fecabc23b0cacdab562651886aed95e1bb9266c548e63090fd8865643a7462260d74762b3bb16408c95bb3a83c3d0ef5244a868816a52
SSDEEP

6144:g9o7tHiKg02IwLgnIgGdS6N0WL21IDBILxJakz:MAHiKgHPdvfL21KBKJB

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

wscript.exe

flow pid process

5 1240 wscript.exe
7 1240 wscript.exe
9 1240 wscript.exe
11 1240 wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1240	wscript.exe
7	1240	wscript.exe
9	1240	wscript.exe
11	1240	wscript.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

320 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1504 DllHost.exe

pid	process
320	PING.EXE

pid	process
1504	DllHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.execmd.exewscript.exe

description	pid	process	target process
PID 2004 wrote to memory of 320	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	PING.EXE
PID 2004 wrote to memory of 320	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	PING.EXE
PID 2004 wrote to memory of 320	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	PING.EXE
PID 2004 wrote to memory of 320	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	PING.EXE
PID 2004 wrote to memory of 1104	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 2004 wrote to memory of 1104	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 2004 wrote to memory of 1104	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 2004 wrote to memory of 1104	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 2004 wrote to memory of 1492	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 2004 wrote to memory of 1492	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 2004 wrote to memory of 1492	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 2004 wrote to memory of 1492	2004	947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe	cmd.exe
PID 1492 wrote to memory of 1240	1492	cmd.exe	wscript.exe
PID 1492 wrote to memory of 1240	1492	cmd.exe	wscript.exe
PID 1492 wrote to memory of 1240	1492	cmd.exe	wscript.exe
PID 1492 wrote to memory of 1240	1492	cmd.exe	wscript.exe
PID 1240 wrote to memory of 432	1240	wscript.exe	cmd.exe
PID 1240 wrote to memory of 432	1240	wscript.exe	cmd.exe
PID 1240 wrote to memory of 432	1240	wscript.exe	cmd.exe
PID 1240 wrote to memory of 432	1240	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe
"C:\Users\Admin\AppData\Local\Temp\947145a1cbd2e98c1b3467cf550252e0ecc070d73386c4911890ffa4f0d6cbd2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" 127.0.0.1 -n 1
2⤵
- Runs ping.exe
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.bin" del /f /q "C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.js"&exit
2⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.js" start wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.js"
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\wscript.exe
wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.js"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.cmd" "
4⤵
PID:432

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.cmd

Filesize
125KB

MD5
ae9af350a1f3016b3e8ffae3ecdf4589

SHA1
3b08795e39f090f53f028d5059ca3a051bf8779a

SHA256
c5e2f97a126bd57c1f084da8c5a3e8e7eac20c5703903d6fd68ea1167cd5b3d4

SHA512
6c80c799f6a118f2f1206dedcc5b2b3641750d0f733d5d33529658549a3163015d0609eda272ec459e9be061e5ad4c4687cc48639bc445276cc45110478186d7

Download Submit
C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.jpg

Filesize
55KB

MD5
e228c81fadadefc362f3dc5b0c05631b

SHA1
bbf7b25ccf218b24d78f77ba0b92b5faeca1cc59

SHA256
1510dd5f323cc0b8a30d1ef763681e377d5595fbf896d676092ba8968c996f1e

SHA512
3720789899becd55ad41e721759e55cf68ea914931f0260fe30928a391798a1a597956b9169c776aa6c9607c8c7809d0177deb2b14b7c0ef03c3eb1b49554fda

Download Submit
C:\Users\Admin\AppData\Roaming\c8ee489bef12c4b55b777fa7db8380b1.js

Filesize
871B

MD5
567807ae0cfbd08ad5e6d004793b13a0

SHA1
aaa20c335aad55f15ba58cb57cc759af2b66ae4f

SHA256
da4da4c7bafb17df484d93d014c11a02634329a986c7bc7a6179d5ae143aafca

SHA512
22ed17ffd53ef4e1efca7713952aad0b7edc98566341ad15d44de252ea8f6038c3e44e9c85283275997c5a8f9b94c1a4d5e9550377c0d394b4842e71160a17d9

Download Submit
memory/320-55-0x0000000000000000-mapping.dmp

Download
memory/432-63-0x0000000000000000-mapping.dmp

Download
memory/1104-57-0x0000000000000000-mapping.dmp

Download
memory/1240-59-0x0000000000000000-mapping.dmp

Download
memory/1492-58-0x0000000000000000-mapping.dmp

Download
memory/2004-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing