Analysis
max time kernel: 300s
max time network: 307s
platform: windows10_x64
resource: win10v20210408
submitted: 30-08-2021 11:06

Static task: static1
Behavioral task: behavioral1
  Sample: Payment.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Payment.js
  Resource: win10v20210408
General
Target: Payment.js
Size: 199KB
MD5: fc81b118b986d065514814c62ce2959c
SHA1: a8c1ed074cc533c5aa6b71a3a527ffbc0493e225
SHA256: 8b89ccf2aeee269572578f39cbe44d8b9eb1e90d6625be8bb005cc5296abc629
SHA512: 5bf826d4cfbdd6613e4955d4eee3ef0851ad48f0ab3c8eada4c4d57b0b815af8e854d08a95eaf196316fd91f8c84aa2ec7ed5cfef8913757c19ea077e3c4a6e7
Malware Config
Signatures
Blocklisted process makes network request (32 IoCs)
Process: WScript.exe (pid 1820)
  Network flows: 9, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 45, 46, 47, 55, 56, 57, 58, 59
Drops startup file (2 IoCs)
Process: WScript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: WScript.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\QUKoVKgJQp.js\""
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Process: WerFault.exe
  pid 3700 WerFault.exe, target pid 3168 javaw.exe
Modifies registry class (1 IoC)
Process: wscript.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Process: WerFault.exe
  pid 3700 WerFault.exe (14 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: WerFault.exe
  Token: SeDebugPrivilege, pid 3700 WerFault.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Process: wscript.exe
  PID 804 (wscript.exe) wrote to memory of 1820 (WScript.exe)
  PID 804 (wscript.exe) wrote to memory of 1820 (WScript.exe)
  PID 804 (wscript.exe) wrote to memory of 3168 (javaw.exe)
  PID 804 (wscript.exe) wrote to memory of 3168 (javaw.exe)
Processes
C:\Windows\system32\wscript.exe (PID 804)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WScript.exe (PID 1820)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 3168)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\uyucmqsjbl.txt"
    C:\Windows\system32\WerFault.exe (PID 3700)
      Command line: C:\Windows\system32\WerFault.exe -u -p 3168 -s 356
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js
  MD5: 20db8f29d1db93e67b8b2ad6196d9e37
  SHA1: ce499527cae2ea611057d5dc952132b0d948eba4
  SHA256: 349e780cca53f741459e1da002e177b536bf4eb7c69f5d3efaa6c4287bcfa985
  SHA512: 71950c00ace082834e8b13ccc869a5d13c1ee0fe83e170ea3714b0a4279bad2d560f2dd6c2f200bddd4a00b241ff6553db9f6c8156cda7b60f0c08629512bfd3
C:\Users\Admin\AppData\Roaming\uyucmqsjbl.txt
  MD5: 7873269dd388d4ff3dbe9f020e121e89
  SHA1: d50b0740bab0ebc4cf6b3cc4c586632f6dc9e13e
  SHA256: bc12cbf509a1f5bff1dea9896aae44b9bc119115bf38349f6caabbbf99e0e919
  SHA512: 36fdd31209b3448dc32100f733c048b063521bade50a5dd8a3945b7acc5b504115036a6c37bf37ac99b31cf4f94a63b7040224bcf5d8b0c3d2bc93e4bb0fc818
memory/1820-114-0x0000000000000000-mapping.dmp
memory/3168-116-0x0000000000000000-mapping.dmp