Analysis
- max time kernel: 152s
- max time network: 183s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-08-2021 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: Remittance-634731.js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: Remittance-634731.js
- Resource: win10v20210408
General
- Target: Remittance-634731.js
- Size: 462KB
- MD5: 526e79a834bb7c263ee552706e8ca417
- SHA1: 088706831253c13f4d77a76c3e9c4e85ac15e104
- SHA256: 421c6e4dc68b3eb178243788435e0346b78fae06ffa5126c7b95bd222da0f9d9
- SHA512: 8bb57999c72b37b2572c166c46026f53c5746992c0a7019f5aa74651e87bef9042254d031412c458a9542e38f61304756787822ffc4ef2ffcf3bd1ae07ccb59f
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: WScript.exe
  flow  pid   process
  7     1800  WScript.exe
  8     1800  WScript.exe
  9     1800  WScript.exe
  11    1800  WScript.exe
  12    1800  WScript.exe
  13    1800  WScript.exe
  15    1800  WScript.exe
  16    1800  WScript.exe
  17    1800  WScript.exe
  19    1800  WScript.exe
  20    1800  WScript.exe
  21    1800  WScript.exe
  23    1800  WScript.exe
  24    1800  WScript.exe
  25    1800  WScript.exe
  27    1800  WScript.exe
  28    1800  WScript.exe
  29    1800  WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description                   ioc                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RypRJcyXfu.js  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RypRJcyXfu.js  WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description      ioc                                                                                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                        WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "\"C:\\Users\\Admin\\AppData\\Roaming\\RypRJcyXfu.js\""  WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  1484  1740        WerFault.exe  javaw.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
  pid   process
  1484  WerFault.exe
  1484  WerFault.exe
  1484  WerFault.exe
  1484  WerFault.exe
  1484  WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: WerFault.exe
  pid   process
  1484  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
  description              pid   process
  Token: SeDebugPrivilege  1484  WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: wscript.exe, javaw.exe
  description                   pid   process      target process
  PID 1664 wrote to memory of 1800  1664  wscript.exe  WScript.exe
  PID 1664 wrote to memory of 1800  1664  wscript.exe  WScript.exe
  PID 1664 wrote to memory of 1800  1664  wscript.exe  WScript.exe
  PID 1664 wrote to memory of 1740  1664  wscript.exe  javaw.exe
  PID 1664 wrote to memory of 1740  1664  wscript.exe  javaw.exe
  PID 1664 wrote to memory of 1740  1664  wscript.exe  javaw.exe
  PID 1740 wrote to memory of 1484  1740  javaw.exe    WerFault.exe
  PID 1740 wrote to memory of 1484  1740  javaw.exe    WerFault.exe
  PID 1740 wrote to memory of 1484  1740  javaw.exe    WerFault.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Remittance-634731.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RypRJcyXfu.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cnlkxen.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1740 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\RypRJcyXfu.js
  MD5: 1ba12eceb96fcc3f701b57a122d2d619
  SHA1: e6760348cbee519d5f6d99f38cce7c4ead6fc9fa
  SHA256: f5582ff25d56281b7a5158ff4105d71f6a1453f1f75e4f26a0d82efd2f61160d
  SHA512: 08a22d4a5642a828ebfdb18c99d20cbaa49ee966cd166f4338a8ddfc17875da3f5bb1feb7ab8a7aab3e2b98adca9d9464b786d7dc8329cad1e52082669b81ed7
- C:\Users\Admin\AppData\Roaming\cnlkxen.txt
  MD5: 4b04a5e29aeac9bc79a101dc514c33a4
  SHA1: 57abb8775a1d7642066df1acfb2568d92735f359
  SHA256: c327f4e0d967b4560a204eaf5af02c7dc6a1d0989b57a8ce72afc640705170b9
  SHA512: b4bf9a4f313b36291673912ae11315cbbf594ee6fe7df62a2e20fb795edb0db0862cdef20e81b391cdead629b11ad24922431766ab00f7810cfb097abae6e442
- memory/1484-65-0x0000000000000000-mapping.dmp
- memory/1484-67-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1740-62-0x0000000000000000-mapping.dmp
- memory/1740-63-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp (Filesize: 8KB)
- memory/1800-60-0x0000000000000000-mapping.dmp