94cb27f6953c60e8b57e2eae16ebb6a71e7cc837eae4c2a06e724a0be6fcb865

General

Target

9cc94cedd85793b3be9cb808dfd7e326ba1386b0bae08fee1519c1df8ea40d26.js
Size

4KB
MD5

6ec662cb2923bc72fbbfbce78331109a
SHA1

fe3d25c1d4164161c4075122b6f99de415da6430
SHA256

9cc94cedd85793b3be9cb808dfd7e326ba1386b0bae08fee1519c1df8ea40d26
SHA512

4e6476aa0442d2533a4a44d3c0bbabc106d72e5266a4e5f5d8bbe4cf36e71506e5474e84017c8d862041927b99c2af14090fc975ec8502cfecd6844f0a441241
SSDEEP

96:l8rOmAMUpSH9hDks9gUQSOv0oKzPqHz8qZ/2EsL/eekJyK:2r8MUwHHDPgUJOJzRt4LGzJyK

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1920	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	fmsign.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2268	1920	wscript.exe	28
PID 1920 wrote to memory of 2268	1920	wscript.exe	28
PID 1920 wrote to memory of 2268	1920	wscript.exe	28
PID 1920 wrote to memory of 2268	1920	wscript.exe	28
PID 1920 wrote to memory of 2268	1920	wscript.exe	28
PID 1920 wrote to memory of 2268	1920	wscript.exe	28
PID 1920 wrote to memory of 2268	1920	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9cc94cedd85793b3be9cb808dfd7e326ba1386b0bae08fee1519c1df8ea40d26.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\Temp\fmsign.exe
  "C:\Windows\Temp\fmsign.exe"
  2⤵
  - Executes dropped EXE
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
bf6f221b0588d21e73f2095cc4eedaf2

SHA1
171694b0fe53de3d2a799cb8822560b58309f20c

SHA256
397584eda8f01bf29d148fcc38c1481e81c44a9e6fa45c95c041a7662c037157

SHA512
4300762b097e4487d9a3f6fa0edd082e7397989302b3b226e9b8a166695b2269b9fe6514693f944e84ab0dc2fe735827ce1e3bf97529b9e734a239baaec5d939

Download Submit
C:\Windows\Temp\fmsign.exe

Filesize
1.1MB

MD5
bf6f221b0588d21e73f2095cc4eedaf2

SHA1
171694b0fe53de3d2a799cb8822560b58309f20c

SHA256
397584eda8f01bf29d148fcc38c1481e81c44a9e6fa45c95c041a7662c037157

SHA512
4300762b097e4487d9a3f6fa0edd082e7397989302b3b226e9b8a166695b2269b9fe6514693f944e84ab0dc2fe735827ce1e3bf97529b9e734a239baaec5d939

Download Submit
memory/1920-2-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-12-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-14-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-10-0x0000000004B10000-0x0000000004B90000-memory.dmp

Filesize
512KB

Download
memory/2268-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing