Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-08-2021 15:42
Static task: static1
Behavioral task: behavioral1 (Sample: Payment proof.js, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: Payment proof.js, Resource: win10v20210408)
General
- Target: Payment proof.js
- Size: 201KB
- MD5: 279ba39874bda6eba21ce2ec81361659
- SHA1: 4d44cefbfce10930858e8a0f9ee8510e27152dcf
- SHA256: 2e60c3ba7e545ebb75f91c51b085be7b61d34374f178f9bca45e96624727dc9b
- SHA512: aba2055963cab29261df5d14386235ea53535ccc6b58485d8a9758fb171deb84f7034deb38c8f209d80a15584bc2cf252edf62b956e70a09614abf00d536aa42
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Process: WScript.exe (PID 1528), the instance running the dropped RQJrwUperv.js
  Network flows: 9, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
  WScript.exe is the Windows Script Host. Seventeen outbound connections from a script host running a file that was just written to %APPDATA% is the behaviour to pivot on in proxy and DNS logs; this signature records only the flow IDs, not the destinations.
- Drops startup file (2 IoCs)
  Process: WScript.exe (PID 1528)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQJrwUperv.js
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQJrwUperv.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: WScript.exe (PID 1528)
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\RQJrwUperv.js"
  The value data is the quoted path (the report renders it with JSON-style escaping). Together with the Startup-folder copy above, the dropped script has two independent per-user persistence points, HKCU Run and the Startup folder, so cleanup has to remove both plus the file in AppData\Roaming itself.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  No process or IoC is attributed to this signature in the report, so read the ransomware wording as the sandbox's generic heuristic for drive enumeration, not as an observed encryption attempt.
- Program crash (1 IoC)
  Process: WerFault.exe (PID 2708), target: javaw.exe (PID 1652)
  The Java stage crashed in this run, so whatever btybhtvvhn.txt does once loaded by javaw.exe was not observed here.
- Modifies registry class (1 IoC)
  Process: wscript.exe (PID 580)
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Process: WerFault.exe (PID 2708), 14 process-enumeration calls
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: WerFault.exe (PID 2708), Token: SeDebugPrivilege
  Both signatures are raised by the Windows Error Reporting handler that collected the javaw.exe crash (see Program crash): WerFault enumerates processes and enables SeDebugPrivilege to open and dump the faulting process. They are side effects of the crash, not attacker activity.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: wscript.exe (PID 580)
  PID 580 wrote to memory of PID 1528 (WScript.exe), twice
  PID 580 wrote to memory of PID 1652 (javaw.exe), twice
  Both targets are children that PID 580 had just created; a parent writing into a new child at launch is produced by process creation itself, so on its own this is not evidence of code injection.
Processes
- [1] C:\Windows\system32\wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment proof.js" (PID 580)
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RQJrwUperv.js" (PID 1528)
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - [2] "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\btybhtvvhn.txt" (PID 1652)
    - [3] C:\Windows\system32\WerFault.exe -u -p 1652 -s 352 (PID 2708)
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Chain summary: the submitted Payment proof.js (PID 580) launches two files that appear under C:\Users\Admin\AppData\Roaming. RQJrwUperv.js is a second script that persists itself through the Startup folder and an HKCU Run value and then makes the 17 network requests. btybhtvvhn.txt is handed to javaw.exe -jar, so despite the .txt extension it is executed as a Java archive (javaw reads the file's ZIP structure, not its name); that process then crashes. Hashes for both dropped files are in the Downloads section.
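The process tree and the persistence signatures above map onto three detectable patterns: a script host spawned by a script host on a file in a user-writable directory, javaw.exe -jar on a file that is not named .jar, and a Run value or Startup-folder entry that launches a script. The following is an added example of those rules written against Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue). It is not the sandbox's own detection logic; the events are constructed from the PIDs, paths and registry key in this report (the parent of PID 580 is assumed to be explorer.exe, which the report does not show), and two benign control events are added to show the rules staying quiet.

```python
# Added example: Sysmon-style detection rules for the behaviour chain in this
# report, run over constructed events. Not the sandbox's own logic or output.
import re
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ext(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def argv(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def user_writable(path: str) -> bool:
    """Locations a standard user can write to; autoruns rarely belong there."""
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p


def check_process(ev: dict) -> list[str]:
    """EventID 1 rules: script-host chaining and javaw -jar on a non-.jar file."""
    hits = []
    image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    args = argv(ev["CommandLine"])[1:]
    if image in SCRIPT_HOSTS:
        scripts = [a for a in args if ext(a) in SCRIPT_EXTS]
        if parent in SCRIPT_HOSTS and scripts:
            hits.append("script_host_chain")            # wscript.exe -> WScript.exe RQJrwUperv.js
        if any(user_writable(a) for a in scripts):
            hits.append("script_from_user_writable_path")
    if image in JAVA_LAUNCHERS and "-jar" in args:
        i = args.index("-jar")
        jar = args[i + 1] if i + 1 < len(args) else ""
        if jar and ext(jar) != ".jar":
            hits.append("jar_with_disguised_extension")  # javaw -jar btybhtvvhn.txt
        if jar and user_writable(jar):
            hits.append("jar_from_user_writable_path")
    return hits


def check_file_create(ev: dict) -> list[str]:
    """EventID 11 rule: a script written into a Startup folder."""
    path = ev["TargetFilename"]
    return ["startup_folder_script"] if STARTUP_DIR in path.lower() and ext(path) in SCRIPT_EXTS else []


def check_registry_set(ev: dict) -> list[str]:
    """EventID 13 rule: a Run/RunOnce value whose command is a script or a script host."""
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return []
    cmd = argv(ev["Details"])
    if cmd and (ext(cmd[0]) in SCRIPT_EXTS or basename(cmd[0]) in SCRIPT_HOSTS):
        return ["run_key_launches_script"]
    return []


RULES = {1: check_process, 11: check_file_create, 13: check_registry_set}


def analyze(events: Iterable[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, subject) for every rule that fires on any event."""
    findings = []
    for ev in events:
        check = RULES.get(ev["EventID"])
        if check is None:
            continue
        subject = ev.get("Image") or ev.get("TargetFilename") or ev.get("TargetObject")
        for rule in check(ev):
            findings.append((ev["ProcessId"], rule, subject))
    return findings


# Constructed events reproducing the report's process tree, Startup drop and Run
# value, plus two benign controls. The ParentImage of PID 580 is assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 580, "Image": r"C:\Windows\system32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment proof.js"'},
    {"EventID": 1, "ProcessId": 1528, "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RQJrwUperv.js"'},
    {"EventID": 1, "ProcessId": 1652, "Image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\btybhtvvhn.txt"'},
    {"EventID": 11, "ProcessId": 1528,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQJrwUperv.js"},
    {"EventID": 13, "ProcessId": 1528,
     "TargetObject": r"HKU\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "Details": r'"C:\Users\Admin\AppData\Roaming\RQJrwUperv.js"'},
    # benign controls (constructed): a real .jar from Program Files, a Run value pointing at an .exe
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\Tool\tool.jar"'},
    {"EventID": 13, "ProcessId": 4200,
     "TargetObject": r"HKU\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for pid, rule, subject in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<32} {subject}")
```

The script_from_user_writable_path rule also fires on the first stage (a script run from Temp is what a double-clicked attachment looks like) and will be noisy in environments with legitimate login scripts under AppData; the other four rules are specific enough to alert on directly. The javaw check keys on the -jar argument's extension because a JAR is a ZIP and the launcher never looks at the name, which is exactly what lets btybhtvvhn.txt run.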
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\RQJrwUperv.js
  MD5: 8809b0d0197b3cd57b6708280097e505
  SHA1: 9ce907eb77d894c721bac3b95ec10198b673cf90
  SHA256: 08a35def10fe25f0e7ba5ab9f9225617752d008b77c3c8038e7f4e6e22efca97
  SHA512: 0619a90ee431c855718ef66166886c166ee2d3461514220e46fb8cfdfc78bdade23fc6823860dedf6f1a8d65dae9e8e0c94343fe250d469ba63ecd6ef3cfe1a1
- C:\Users\Admin\AppData\Roaming\btybhtvvhn.txt
  MD5: 06f61cd3d0cdf9257fcdac6483d4c1ba
  SHA1: f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
  SHA256: 424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
  SHA512: 9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657
- memory/1528-114-0x0000000000000000-mapping.dmp
- memory/1652-116-0x0000000000000000-mapping.dmp