58d3c192d644d498253d871ad5bd6022cc2a99ebdec7609ef991e04a0705ee6e

General

Target

000117061.doc.js
Size

38KB
MD5

0cc28681f876b7308ab01ac899a15254
SHA1

08d864dff97c0a2e632101c5a92b9659c31d882d
SHA256

58d3c192d644d498253d871ad5bd6022cc2a99ebdec7609ef991e04a0705ee6e
SHA512

5403902f2ca280b3201229b785dc9b3eff5b2a48b119ecc3f54c1c561ddde20a7902b052f5cecd187a6388ecb0998112fe7f690d97d7c96d2dd15e8b33325caf

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note

ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.62766 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.62766 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.62766 BTC to this Bitcoin address: 1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT 4. Open one of the following links in your browser to download decryptor: http://futengcapital.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT http://clermontcentralchurch.org/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT http://bellefremee.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT http://sandrahalbe.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT http://glamcook.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).

Wallets

1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT

URLs

http://futengcapital.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT

http://clermontcentralchurch.org/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT

http://bellefremee.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT

http://sandrahalbe.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT

http://glamcook.com/counter/?a=1HGjCFUm6kt4sdipE7nanTAXaBxuZGe7bT

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

6 4768 wscript.exe
10 4768 wscript.exe

flow	pid	process
6	4768	wscript.exe
10	4768	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt"	reg.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted"	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4484 notepad.exe

pid	process
4484	notepad.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

wscript.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 4164	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 4164	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 3096	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 3096	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 3300	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 3300	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 648	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 648	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 428	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 428	4768	wscript.exe	cmd.exe
PID 4164 wrote to memory of 612	4164	cmd.exe	reg.exe
PID 4164 wrote to memory of 612	4164	cmd.exe	reg.exe
PID 4768 wrote to memory of 1180	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 1180	4768	wscript.exe	cmd.exe
PID 3300 wrote to memory of 1584	3300	cmd.exe	reg.exe
PID 3300 wrote to memory of 1584	3300	cmd.exe	reg.exe
PID 3096 wrote to memory of 1768	3096	cmd.exe	reg.exe
PID 3096 wrote to memory of 1768	3096	cmd.exe	reg.exe
PID 4768 wrote to memory of 4076	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 4076	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 4424	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 4424	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 3312	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 3312	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 1536	4768	wscript.exe	cmd.exe
PID 4768 wrote to memory of 1536	4768	wscript.exe	cmd.exe
PID 4076 wrote to memory of 4484	4076	cmd.exe	notepad.exe
PID 4076 wrote to memory of 4484	4076	cmd.exe	notepad.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\000117061.doc.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
3⤵
- Adds Run key to start application
PID:612

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
2⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\system32\reg.exe
REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
3⤵
- Modifies registry class
PID:1768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
2⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\system32\reg.exe
REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
3⤵
- Modifies registry class
PID:1584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
2⤵
PID:648

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
2⤵
PID:428

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\a.exe "C:\Users\Admin\AppData\Local\Temp\a.php"
2⤵
PID:1180

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\system32\notepad.exe
notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
3⤵
- Opens file in notepad (likely ransom note)
PID:4484

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.php"
2⤵
PID:4424

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.exe"
2⤵
PID:3312

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\php4ts.dll"
2⤵
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe
MD5
3022cd6998edac270e2c0266f7453683

SHA1
90073b07ded7a4795dfb9df99439f87e980ce094

SHA256
0659d5bd673b9d26956634761ed872622b3085c9d97f095923b30fbba4c50e25

SHA512
ebc6265ab8361f3308535180a3087fa60a9793986fcdcd06884c97906fb4fbae4949cef88902ff5d16236438a88df1aaf7f1ed26501f81d1ad369a47a128448e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.php
MD5
56e7893f05df9fdb5aced563356c1240

SHA1
f75fe6cedac7c20a7058221dc5b06ef001159820

SHA256
71d65216a79b94d92f55aa6903abdee4860d23959c518b8f8b7d2cde53e62a77

SHA512
4b6c654d92582d5be84aedaa6810b86e7015ff3d3bccc9243a030f26625c4ceccd77ef7d78c9f8a7dbd84faf3fedf1b409b3bcbad3fc5875b70316fc6d548cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.txt
MD5
affab943a13e418ded4237070b4631e8

SHA1
6fc1d0e58fdfc3cba438f05b5036ade8d02fa857

SHA256
72eba23c3c30e1fb60fba0219d1e9312b95fec3b9cc440300e72dd6bfc90e5b2

SHA512
2e2ea36ef3d1ddb8812a6c76b7680df8a1039c4ea894a677c4d81cd892c1ebc0bf4a6a4398fa4d850ed912a55ad1fe7235a4c7342dc24038397fcee465d805bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\php4ts.dll
MD5
3022cd6998edac270e2c0266f7453683

SHA1
90073b07ded7a4795dfb9df99439f87e980ce094

SHA256
0659d5bd673b9d26956634761ed872622b3085c9d97f095923b30fbba4c50e25

SHA512
ebc6265ab8361f3308535180a3087fa60a9793986fcdcd06884c97906fb4fbae4949cef88902ff5d16236438a88df1aaf7f1ed26501f81d1ad369a47a128448e

Download Submit
memory/428-6-0x0000000000000000-mapping.dmp

Download
memory/612-7-0x0000000000000000-mapping.dmp

Download
memory/648-5-0x0000000000000000-mapping.dmp

Download
memory/1180-8-0x0000000000000000-mapping.dmp

Download
memory/1536-16-0x0000000000000000-mapping.dmp

Download
memory/1584-9-0x0000000000000000-mapping.dmp

Download
memory/1768-11-0x0000000000000000-mapping.dmp

Download
memory/3096-3-0x0000000000000000-mapping.dmp

Download
memory/3300-4-0x0000000000000000-mapping.dmp

Download
memory/3312-15-0x0000000000000000-mapping.dmp

Download
memory/4076-13-0x0000000000000000-mapping.dmp

Download
memory/4164-2-0x0000000000000000-mapping.dmp

Download
memory/4424-14-0x0000000000000000-mapping.dmp

Download
memory/4484-17-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads