Analysis
- Max time kernel: 150s
- Max time network: 159s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 24-08-2021 15:16

Static task: static1

Behavioral task: behavioral1
- Sample: Payment proof.js
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: Payment proof.js
- Resource: win10v20210410
General
- Target: Payment proof.js
- Size: 201KB
- MD5: 7371063acbfacc81ffdeaeea7e75eb99
- SHA1: 28ee63662467f1ab7c682eec227b66db7ccadeca
- SHA256: 6915f06eb48cc9d71dbc136313c6a935b36844641f9b2ae1e85e08ccc74d8e73
- SHA512: 8b3bebb2cd6f97a49f98e3072393ea6ad2f46e0f4ba4a25b1293c10b1fe75e192800d6b47c60b03680934517e35d2dc6c4786f0122785675e1cc2e247fa292dd
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: WScript.exe
  flow | pid | process
  12, 17, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35 | 2608 | WScript.exe

- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNIsXqzyQf.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNIsXqzyQf.js | WScript.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\PNIsXqzyQf.js\"" | WScript.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  196 | 2684 | WerFault.exe | javaw.exe

- Modifies registry class (1 IoC)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | wscript.exe

- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: WerFault.exe
  pid | process
  196 | WerFault.exe (15 occurrences)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 196 | WerFault.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 4072 wrote to memory of 2608 | 4072 | wscript.exe | WScript.exe
  PID 4072 wrote to memory of 2608 | 4072 | wscript.exe | WScript.exe
  PID 4072 wrote to memory of 2684 | 4072 | wscript.exe | javaw.exe
  PID 4072 wrote to memory of 2684 | 4072 | wscript.exe | javaw.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment proof.js"
  PID: 4072
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PNIsXqzyQf.js"
    PID: 2608
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\otzpdutd.txt"
    PID: 2684
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2684 -s 352
      PID: 196
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\PNIsXqzyQf.js
  MD5: 93451bfa41b44af1f45d80b9feb2a73d
  SHA1: ea15542e8ebf859d751de6af1af3966d73a16f1a
  SHA256: 9ee8fb95e2771cf84659aa10cfa773a90ba5d58b577f489ec808d6fce7fbd6cb
  SHA512: 145be16dfce485c7c32077689c581e06f8bc1af9bc0f1e2fb8e02ddd7eafc11f5fa8a7a263e09bde4ee89d68bee4486cc8ccd939a15113b467ccadc42e4a1cbd
- C:\Users\Admin\AppData\Roaming\otzpdutd.txt
  MD5: 06f61cd3d0cdf9257fcdac6483d4c1ba
  SHA1: f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
  SHA256: 424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
  SHA512: 9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657
- memory/2608-114-0x0000000000000000-mapping.dmp
- memory/2684-115-0x0000000000000000-mapping.dmp