Analysis
- max time kernel: 149s
- max time network: 184s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-08-2021 15:42
Static task: static1
Behavioral task: behavioral1
  Sample: Payment proof.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Payment proof.js
  Resource: win10v20210408
General
- Target: Payment proof.js
- Size: 201KB
- MD5: 279ba39874bda6eba21ce2ec81361659
- SHA1: 4d44cefbfce10930858e8a0f9ee8510e27152dcf
- SHA256: 2e60c3ba7e545ebb75f91c51b085be7b61d34374f178f9bca45e96624727dc9b
- SHA512: aba2055963cab29261df5d14386235ea53535ccc6b58485d8a9758fb171deb84f7034deb38c8f209d80a15584bc2cf252edf62b956e70a09614abf00d536aa42
Malware Config
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes: WScript.exe
  flow | pid | process
  7  | 516 | WScript.exe
  8  | 516 | WScript.exe
  9  | 516 | WScript.exe
  11 | 516 | WScript.exe
  12 | 516 | WScript.exe
  13 | 516 | WScript.exe
  15 | 516 | WScript.exe
  16 | 516 | WScript.exe
  17 | 516 | WScript.exe
  19 | 516 | WScript.exe
  20 | 516 | WScript.exe
  21 | 516 | WScript.exe
  23 | 516 | WScript.exe
  24 | 516 | WScript.exe
  25 | 516 | WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQJrwUperv.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQJrwUperv.js | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\RQJrwUperv.js\"" | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1216 | 1872 | WerFault.exe | javaw.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: WerFault.exe
  pid | process
  1216 | WerFault.exe
  1216 | WerFault.exe
  1216 | WerFault.exe
  1216 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: WerFault.exe
  pid | process
  1216 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 1216 | WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: wscript.exe, javaw.exe
  description | pid | process | target process
  PID 2020 wrote to memory of 516 | 2020 | wscript.exe | WScript.exe
  PID 2020 wrote to memory of 516 | 2020 | wscript.exe | WScript.exe
  PID 2020 wrote to memory of 516 | 2020 | wscript.exe | WScript.exe
  PID 2020 wrote to memory of 1872 | 2020 | wscript.exe | javaw.exe
  PID 2020 wrote to memory of 1872 | 2020 | wscript.exe | javaw.exe
  PID 2020 wrote to memory of 1872 | 2020 | wscript.exe | javaw.exe
  PID 1872 wrote to memory of 1216 | 1872 | javaw.exe | WerFault.exe
  PID 1872 wrote to memory of 1216 | 1872 | javaw.exe | WerFault.exe
  PID 1872 wrote to memory of 1216 | 1872 | javaw.exe | WerFault.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment proof.js"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RQJrwUperv.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe (depth 2)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zgyesvnp.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1872 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\RQJrwUperv.js
  MD5: 8809b0d0197b3cd57b6708280097e505
  SHA1: 9ce907eb77d894c721bac3b95ec10198b673cf90
  SHA256: 08a35def10fe25f0e7ba5ab9f9225617752d008b77c3c8038e7f4e6e22efca97
  SHA512: 0619a90ee431c855718ef66166886c166ee2d3461514220e46fb8cfdfc78bdade23fc6823860dedf6f1a8d65dae9e8e0c94343fe250d469ba63ecd6ef3cfe1a1
- C:\Users\Admin\AppData\Roaming\zgyesvnp.txt
  MD5: 06f61cd3d0cdf9257fcdac6483d4c1ba
  SHA1: f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
  SHA256: 424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
  SHA512: 9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657
- memory/516-60-0x0000000000000000-mapping.dmp
- memory/1216-65-0x0000000000000000-mapping.dmp
- memory/1216-67-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/1872-62-0x0000000000000000-mapping.dmp
- memory/2020-59-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp (Filesize: 8KB)