Analysis
- max time kernel: 156s
- max time network: 197s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 30-08-2021 18:15
Static task: static1
Behavioral task: behavioral1
- Sample: Payment.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Payment.js
- Resource: win10v20210408
General
- Target: Payment.js
- Size: 199KB
- MD5: fc81b118b986d065514814c62ce2959c
- SHA1: a8c1ed074cc533c5aa6b71a3a527ffbc0493e225
- SHA256: 8b89ccf2aeee269572578f39cbe44d8b9eb1e90d6625be8bb005cc5296abc629
- SHA512: 5bf826d4cfbdd6613e4955d4eee3ef0851ad48f0ab3c8eada4c4d57b0b815af8e854d08a95eaf196316fd91f8c84aa2ec7ed5cfef8913757c19ea077e3c4a6e7
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes: WScript.exe
  flow  pid  process
  7     612  WScript.exe
  8     612  WScript.exe
  9     612  WScript.exe
  11    612  WScript.exe
  12    612  WScript.exe
  13    612  WScript.exe
  15    612  WScript.exe
  16    612  WScript.exe
  17    612  WScript.exe
  19    612  WScript.exe
  20    612  WScript.exe
  21    612  WScript.exe
  23    612  WScript.exe
  24    612  WScript.exe
  25    612  WScript.exe
  27    612  WScript.exe
  28    612  WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description                   ioc                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js  WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description      ioc                                                                                                                                                                             process
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                     WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\QUKoVKgJQp.js\""  WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  1828  556         WerFault.exe  javaw.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
  pid   process
  1828  WerFault.exe
  1828  WerFault.exe
  1828  WerFault.exe
  1828  WerFault.exe
  1828  WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: WerFault.exe
  pid   process
  1828  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WerFault.exe
  description              pid   process
  Token: SeDebugPrivilege  1828  WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: wscript.exe, javaw.exe
  description                       pid   process      target process
  PID 1936 wrote to memory of 612   1936  wscript.exe  WScript.exe
  PID 1936 wrote to memory of 612   1936  wscript.exe  WScript.exe
  PID 1936 wrote to memory of 612   1936  wscript.exe  WScript.exe
  PID 1936 wrote to memory of 556   1936  wscript.exe  javaw.exe
  PID 1936 wrote to memory of 556   1936  wscript.exe  javaw.exe
  PID 1936 wrote to memory of 556   1936  wscript.exe  javaw.exe
  PID 556 wrote to memory of 1828   556   javaw.exe    WerFault.exe
  PID 556 wrote to memory of 1828   556   javaw.exe    WerFault.exe
  PID 556 wrote to memory of 1828   556   javaw.exe    WerFault.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\clsywgmz.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 556 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js
  MD5: 20db8f29d1db93e67b8b2ad6196d9e37
  SHA1: ce499527cae2ea611057d5dc952132b0d948eba4
  SHA256: 349e780cca53f741459e1da002e177b536bf4eb7c69f5d3efaa6c4287bcfa985
  SHA512: 71950c00ace082834e8b13ccc869a5d13c1ee0fe83e170ea3714b0a4279bad2d560f2dd6c2f200bddd4a00b241ff6553db9f6c8156cda7b60f0c08629512bfd3
- C:\Users\Admin\AppData\Roaming\clsywgmz.txt
  MD5: 7873269dd388d4ff3dbe9f020e121e89
  SHA1: d50b0740bab0ebc4cf6b3cc4c586632f6dc9e13e
  SHA256: bc12cbf509a1f5bff1dea9896aae44b9bc119115bf38349f6caabbbf99e0e919
  SHA512: 36fdd31209b3448dc32100f733c048b063521bade50a5dd8a3945b7acc5b504115036a6c37bf37ac99b31cf4f94a63b7040224bcf5d8b0c3d2bc93e4bb0fc818
- memory/556-63-0x0000000000000000-mapping.dmp
- memory/612-61-0x0000000000000000-mapping.dmp
- memory/1828-66-0x0000000000000000-mapping.dmp
- memory/1828-68-0x00000000029F0000-0x00000000029F1000-memory.dmp
  Filesize: 4KB
- memory/1936-60-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp
  Filesize: 8KB