Analysis
- max time kernel: 128s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-01-2021 15:51

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 000117061.doc.js
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 000117061.doc.js
  Resource: win10v20201028
General
- Target: 000117061.doc.js
- Size: 38KB
- MD5: 0cc28681f876b7308ab01ac899a15254
- SHA1: 08d864dff97c0a2e632101c5a92b9659c31d882d
- SHA256: 58d3c192d644d498253d871ad5bd6022cc2a99ebdec7609ef991e04a0705ee6e
- SHA512: 5403902f2ca280b3201229b785dc9b3eff5b2a48b119ecc3f54c1c561ddde20a7902b052f5cecd187a6388ecb0998112fe7f690d97d7c96d2dd15e8b33325caf
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\a.txt
- 1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT
- http://futengcapital.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT
- http://clermontcentralchurch.org/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT
- http://bellefremee.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT
- http://sandrahalbe.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT
- http://glamcook.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes: wscript.exe
  flow | pid  | process
  6    | 4768 | wscript.exe
  10   | 4768 | wscript.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description     | ioc | process
  Key created     | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt" | reg.exe

- Modifies registry class (7 IoCs)
  Processes: reg.exe, reg.exe
  description     | ioc | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\"" | reg.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted" | reg.exe

- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: notepad.exe
  pid  | process
  4484 | notepad.exe

- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: wscript.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  description                       | pid  | process     | target process
  PID 4768 wrote to memory of 4164  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 4164  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 3096  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 3096  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 3300  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 3300  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 648   | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 648   | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 428   | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 428   | 4768 | wscript.exe | cmd.exe
  PID 4164 wrote to memory of 612   | 4164 | cmd.exe     | reg.exe
  PID 4164 wrote to memory of 612   | 4164 | cmd.exe     | reg.exe
  PID 4768 wrote to memory of 1180  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 1180  | 4768 | wscript.exe | cmd.exe
  PID 3300 wrote to memory of 1584  | 3300 | cmd.exe     | reg.exe
  PID 3300 wrote to memory of 1584  | 3300 | cmd.exe     | reg.exe
  PID 3096 wrote to memory of 1768  | 3096 | cmd.exe     | reg.exe
  PID 3096 wrote to memory of 1768  | 3096 | cmd.exe     | reg.exe
  PID 4768 wrote to memory of 4076  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 4076  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 4424  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 4424  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 3312  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 3312  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 1536  | 4768 | wscript.exe | cmd.exe
  PID 4768 wrote to memory of 1536  | 4768 | wscript.exe | cmd.exe
  PID 4076 wrote to memory of 4484  | 4076 | cmd.exe     | notepad.exe
  PID 4076 wrote to memory of 4484  | 4076 | cmd.exe     | notepad.exe
Processes (indentation shows parent/child nesting)

C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\000117061.doc.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe
          command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
          - Adds Run key to start application

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe
          command line: REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
          - Modifies registry class

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe
          command line: REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
          - Modifies registry class

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\a.exe "C:\Users\Admin\AppData\Local\Temp\a.php"

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\notepad.exe
          command line: notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
          - Opens file in notepad (likely ransom note)

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.php"

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.exe"

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\php4ts.dll"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\a.exe
  MD5: 3022cd6998edac270e2c0266f7453683
  SHA1: 90073b07ded7a4795dfb9df99439f87e980ce094
  SHA256: 0659d5bd673b9d26956634761ed872622b3085c9d97f095923b30fbba4c50e25
  SHA512: ebc6265ab8361f3308535180a3087fa60a9793986fcdcd06884c97906fb4fbae4949cef88902ff5d16236438a88df1aaf7f1ed26501f81d1ad369a47a128448e

- C:\Users\Admin\AppData\Local\Temp\a.php
  MD5: 56e7893f05df9fdb5aced563356c1240
  SHA1: f75fe6cedac7c20a7058221dc5b06ef001159820
  SHA256: 71d65216a79b94d92f55aa6903abdee4860d23959c518b8f8b7d2cde53e62a77
  SHA512: 4b6c654d92582d5be84aedaa6810b86e7015ff3d3bccc9243a030f26625c4ceccd77ef7d78c9f8a7dbd84faf3fedf1b409b3bcbad3fc5875b70316fc6d548cd4

- C:\Users\Admin\AppData\Local\Temp\a.txt
  MD5: affab943a13e418ded4237070b4631e8
  SHA1: 6fc1d0e58fdfc3cba438f05b5036ade8d02fa857
  SHA256: 72eba23c3c30e1fb60fba0219d1e9312b95fec3b9cc440300e72dd6bfc90e5b2
  SHA512: 2e2ea36ef3d1ddb8812a6c76b7680df8a1039c4ea894a677c4d81cd892c1ebc0bf4a6a4398fa4d850ed912a55ad1fe7235a4c7342dc24038397fcee465d805bf

- C:\Users\Admin\AppData\Local\Temp\php4ts.dll
  MD5: 3022cd6998edac270e2c0266f7453683
  SHA1: 90073b07ded7a4795dfb9df99439f87e980ce094
  SHA256: 0659d5bd673b9d26956634761ed872622b3085c9d97f095923b30fbba4c50e25
  SHA512: ebc6265ab8361f3308535180a3087fa60a9793986fcdcd06884c97906fb4fbae4949cef88902ff5d16236438a88df1aaf7f1ed26501f81d1ad369a47a128448e
Memory dumps
- memory/428-6-0x0000000000000000-mapping.dmp
- memory/612-7-0x0000000000000000-mapping.dmp
- memory/648-5-0x0000000000000000-mapping.dmp
- memory/1180-8-0x0000000000000000-mapping.dmp
- memory/1536-16-0x0000000000000000-mapping.dmp
- memory/1584-9-0x0000000000000000-mapping.dmp
- memory/1768-11-0x0000000000000000-mapping.dmp
- memory/3096-3-0x0000000000000000-mapping.dmp
- memory/3300-4-0x0000000000000000-mapping.dmp
- memory/3312-15-0x0000000000000000-mapping.dmp
- memory/4076-13-0x0000000000000000-mapping.dmp
- memory/4164-2-0x0000000000000000-mapping.dmp
- memory/4424-14-0x0000000000000000-mapping.dmp
- memory/4484-17-0x0000000000000000-mapping.dmp