Downloads.rar

General

Target: ForceOp 2.8.7 - By RaiSence.exe
Filesize: 139MB
Completed: 19-11-2020 10:40
Score: 10/10
Malware Config
Signatures 10

Discovery
Persistence
  • Suspicious use of NtCreateProcessExOtherParentProcess
    WerFault.exe

    Reported IOCs

    description           | pid  | process      | target process
    PID 3636 created 1888 | 3636 | WerFault.exe | wscript.exe
  • Executes dropped EXE
    wincommon.exe, wscript.exe

    Reported IOCs

    pid  | process
    3772 | wincommon.exe
    1888 | wscript.exe
  • Drops file in Program Files directory
    wincommon.exe

    Reported IOCs

    description  | ioc                                                                                                   | process
    File created | C:\Program Files\Microsoft Office 15\ClientX64\f4d236fdec2fd03914189c3b26e5cb0dfea9d761               | wincommon.exe
    File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe                                     | wincommon.exe
    File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a       | wincommon.exe
    File created | C:\Program Files\Microsoft Office 15\ClientX64\svchost.exe                                             | wincommon.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe

    Reported IOCs

    pid  | pid_target | process      | target process
    3636 | 1888       | WerFault.exe | wscript.exe
  • Creates scheduled task(s)
    schtasks.exe (6 instances)

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid  | process
    2084 | schtasks.exe
    1508 | schtasks.exe
    3612 | schtasks.exe
    2136 | schtasks.exe
    1136 | schtasks.exe
    3648 | schtasks.exe
  • Modifies registry class
    ForceOp 2.8.7 - By RaiSence.exe

    Reported IOCs

    description | ioc                                                                                        | process
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings         | ForceOp 2.8.7 - By RaiSence.exe
  • Suspicious behavior: EnumeratesProcesses
    wincommon.exe, wscript.exe, WerFault.exe

    Reported IOCs

    pid  | process
    3772 | wincommon.exe
    1888 | wscript.exe
    3636 | WerFault.exe (reported 14 times)
  • Suspicious use of AdjustPrivilegeToken
    wincommon.exe, wscript.exe, WerFault.exe

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 3772 | wincommon.exe
    Token: SeDebugPrivilege | 1888 | wscript.exe
    Token: SeDebugPrivilege | 3636 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    ForceOp 2.8.7 - By RaiSence.exe, WScript.exe, cmd.exe, wincommon.exe

    Reported IOCs

    description                        | pid  | process                         | target process | events
    PID 3276 wrote to memory of 2540   | 3276 | ForceOp 2.8.7 - By RaiSence.exe | WScript.exe    | 3
    PID 3276 wrote to memory of 3412   | 3276 | ForceOp 2.8.7 - By RaiSence.exe | WScript.exe    | 3
    PID 2540 wrote to memory of 1148   | 2540 | WScript.exe                     | cmd.exe        | 3
    PID 1148 wrote to memory of 3772   | 1148 | cmd.exe                         | wincommon.exe  | 2
    PID 3772 wrote to memory of 3612   | 3772 | wincommon.exe                   | schtasks.exe   | 2
    PID 3772 wrote to memory of 2136   | 3772 | wincommon.exe                   | schtasks.exe   | 2
    PID 3772 wrote to memory of 1136   | 3772 | wincommon.exe                   | schtasks.exe   | 2
    PID 3772 wrote to memory of 3648   | 3772 | wincommon.exe                   | schtasks.exe   | 2
    PID 3772 wrote to memory of 2084   | 3772 | wincommon.exe                   | schtasks.exe   | 2
    PID 3772 wrote to memory of 1508   | 3772 | wincommon.exe                   | schtasks.exe   | 2
    PID 3772 wrote to memory of 1888   | 3772 | wincommon.exe                   | wscript.exe    | 2
Processes 13
  • C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe
    "C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe"
      Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat" "
        Suspicious use of WriteProcessMemory
        PID:1148
        • C:\intofont\wincommon.exe
          "C:\intofont\wincommon.exe"
          Executes dropped EXE
          Drops file in Program Files directory
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:3772
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\odt\svchost.exe'" /rl HIGHEST /f
            Creates scheduled task(s)
            PID:3612
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
            Creates scheduled task(s)
            PID:2136
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\intofont\svchost.exe'" /rl HIGHEST /f
            Creates scheduled task(s)
            PID:1136
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\svchost.exe'" /rl HIGHEST /f
            Creates scheduled task(s)
            PID:3648
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
            Creates scheduled task(s)
            PID:2084
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "wscript" /sc ONLOGON /tr "'C:\PerfLogs\wscript.exe'" /rl HIGHEST /f
            Creates scheduled task(s)
            PID:1508
          • C:\PerfLogs\wscript.exe
            "C:\PerfLogs\wscript.exe"
            Executes dropped EXE
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:1888
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 1888 -s 1796
              Suspicious use of NtCreateProcessExOtherParentProcess
              Program crash
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              PID:3636
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\intofont\msg.vbs"
      PID:3412
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
                      Downloads
                      • C:\PerfLogs\wscript.exe
                      • C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe
                      • C:\intofont\MOS
                      • C:\intofont\msg.vbs
                      • C:\intofont\wincommon.exe
                      • C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat