Analysis
- max time kernel: 158s
- max time network: 198s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 30-08-2021 16:45
- Static task: static1
- Behavioral task: behavioral1 (sample: PROOF OF PAYMENT1.js, resource: win7v20210408)
- Behavioral task: behavioral2 (sample: PROOF OF PAYMENT1.js, resource: win10v20210408)

General
- Target: PROOF OF PAYMENT1.js
- Size: 207KB
- MD5: 019ba024bf588f00e256748d936eb626
- SHA1: dcf86be244ff99ab838d7f9dc8012533ca16142f
- SHA256: 68378f29c28f5c114262352e6f090391f3ca783181750b9f59911dcdb8f4c976
- SHA512: 43faf55150630cb87ea01d2595ca792a20fb7ece259296cb1829b243f22e784645a484ee5789650f8933fba05dafebe299d9441144f785f1bfe34f2e0af13e3a
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes: WScript.exe
  Flows 7, 8, 9, 11, 12, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25, 27 and 28, all from pid 512 WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSaGqYEkCZ.js (WScript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSaGqYEkCZ.js (WScript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\CSaGqYEkCZ.js\"" (WScript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  - pid 1828 WerFault.exe, target pid 1488 javaw.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
  - pid 1828 WerFault.exe (5 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: WerFault.exe
  - pid 1828 WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
  - Token: SeDebugPrivilege, pid 1828 WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: wscript.exe, javaw.exe
  - PID 1916 wscript.exe wrote to memory of 512 WScript.exe (3 times)
  - PID 1916 wscript.exe wrote to memory of 1488 javaw.exe (3 times)
  - PID 1488 javaw.exe wrote to memory of 1828 WerFault.exe (3 times)
Processes
- C:\Windows\system32\wscript.exe (PID 1916)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT1.js"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 512)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CSaGqYEkCZ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe (PID 1488)
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\owmhrgjo.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 1828)
      C:\Windows\system32\WerFault.exe -u -p 1488 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
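The Signatures and Processes sections above describe three behaviours worth turning into detection logic: a script host writing a Run value that points at a script under the user's profile, the same host dropping a script into the Startup folder, and wscript.exe launching javaw.exe with -jar on a file whose extension is not .jar. The following is example code added to this page, not part of the sandbox output. The event records are hand-built from the report's own tables, and the flat event schema (event, pid, ppid, image, cmdline, key, value, path) is an assumed simplification rather than any real sensor format.

```python
"""Detection rules for the persistence and loader behaviours in this report,
run over event records constructed from the report's tables. Added example,
not sandbox output; the event schema below is an assumption."""
import re
from typing import Dict, List

# Constructed from the report: the process tree (with PIDs taken from the
# WriteProcessMemory table), the Run-key write and the Startup-folder drop.
EVENTS: List[Dict[str, str]] = [
    {"event": "process", "pid": "1916", "ppid": "0",
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT1.js"'},
    {"event": "process", "pid": "512", "ppid": "1916",
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CSaGqYEkCZ.js"'},
    {"event": "process", "pid": "1488", "ppid": "1916",
     "image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\owmhrgjo.txt"'},
    {"event": "process", "pid": "1828", "ppid": "1488",
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 1488 -s 140"},
    {"event": "registry_set", "pid": "512", "image": r"C:\Windows\System32\WScript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "value": r'"C:\Users\Admin\AppData\Roaming\CSaGqYEkCZ.js"'},
    {"event": "file_create", "pid": "512", "image": r"C:\Windows\System32\WScript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSaGqYEkCZ.js"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    return {e["pid"]: e for e in events if e["event"] == "process"}


def ancestry(events: List[Dict[str, str]], pid: str) -> List[str]:
    """Image basenames from the root of the tree down to pid (cycle-safe)."""
    table = process_table(events)
    chain: List[str] = []
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(basename(table[pid]["image"]))
        pid = table[pid].get("ppid", "")
    return list(reversed(chain))


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the three rules; each hit names the rule, the acting pid and the artefact."""
    table = process_table(events)
    hits: List[Dict[str, str]] = []
    for e in events:
        if e["event"] == "registry_set":
            # Autorun value that points at a script in a user-writable directory.
            if RUN_KEY.search(e["key"]) and SCRIPT_EXT.search(e["value"]) and USER_WRITABLE.search(e["value"]):
                hits.append({"rule": "run_key_points_to_script_in_user_dir", "pid": e["pid"], "detail": e["value"]})
        elif e["event"] == "file_create":
            # Script written straight into the per-user Startup folder.
            if STARTUP_DIR.search(e["path"]) and SCRIPT_EXT.search(e["path"]):
                hits.append({"rule": "startup_folder_script_drop", "pid": e["pid"], "detail": e["path"]})
        elif e["event"] == "process":
            # Script host starts Java with -jar on something not named *.jar.
            parent = table.get(e.get("ppid", ""))
            if parent and basename(parent["image"]) in SCRIPT_HOSTS and basename(e["image"]) in JAVA_LAUNCHERS:
                m = JAR_ARG.search(e["cmdline"])
                if m:
                    jar_path = m.group(1) or m.group(2)
                    if not jar_path.lower().endswith(".jar"):
                        hits.append({"rule": "script_host_launches_java_with_masked_jar", "pid": e["pid"], "detail": jar_path})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["rule"], hit["pid"], " -> ".join(ancestry(EVENTS, hit["pid"])), hit["detail"])
```

The parent check matters: WerFault.exe (PID 1828) is launched by javaw.exe, not by a script host, so the crash handler produces no hit even though it sits in the same tree. The extension check is a heuristic; the page does not show the contents of owmhrgjo.txt, only that javaw.exe was told to treat it as a JAR.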
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\CSaGqYEkCZ.js
  MD5: e7a8ca9c9fccca22054654ab0ecbba32
  SHA1: ebcffc54aaafb74d1f881ee535dad9e14e3944fa
  SHA256: a09ea45e53024c5f72ea6485eeadd9e80b38d9cbd8e1e82cee88e6291ea25031
  SHA512: 7bd25e67af83810bbe001f146a8b5e39ba792db36a2ac0b0dd7c62f87a6da1257d652e9ec932b89067cea5c98dcd21900f0be820baffc454f0d011ac21c776c5
- C:\Users\Admin\AppData\Roaming\owmhrgjo.txt
  MD5: 23c93de4b1f7d9fdb680da960a8858a9
  SHA1: 029a3c28cae69273dd2e70481f990808f3f414ce
  SHA256: 4d6186fdf512e6f098a30bea6fa0810167e023d9c840209fc36593f9fa4470cc
  SHA512: 9653abcb715745a7b837e6b436b4f57ea0205a31d82f2e8badc95907714180735f839db46a4249e3fb3a606b104c27f17bac0b8d7a954cba52636a453946dac6
- memory/512-61-0x0000000000000000-mapping.dmp
- memory/1488-63-0x0000000000000000-mapping.dmp
- memory/1828-66-0x0000000000000000-mapping.dmp
- memory/1828-68-0x00000000022B0000-0x00000000022B1000-memory.dmp (Filesize: 4KB)
- memory/1916-60-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp (Filesize: 8KB)
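The second dropped file, owmhrgjo.txt, is passed to javaw.exe with -jar, so despite its extension it has to be a ZIP container for Java to load it. The check below, added here as an example and not part of the sandbox output, confirms that by content rather than by name: it sniffs the ZIP magic, lists the entries and pulls Main-Class out of the manifest. The report does not include the file itself, so a minimal JAR is constructed in memory to stand in for it; its manifest and class bytes are placeholders, not the sample's real contents.

```python
"""Content-based check for a JAR hiding behind a non-.jar extension.
Added example; the stand-in archive built here is constructed, not the
real owmhrgjo.txt from the report."""
import hashlib
import io
import zipfile
from typing import Any, Dict

# A ZIP starts with a local file header; an empty archive starts with its EOCD record.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")


def build_stub_jar() -> bytes:
    """Constructed stand-in for a dropped JAR: manifest plus one placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: stub.Main\r\n\r\n")
        z.writestr("stub/Main.class", b"\xca\xfe\xba\xbe")  # class-file magic only, placeholder
    return buf.getvalue()


def inspect_jar_candidate(name: str, data: bytes) -> Dict[str, Any]:
    """Report whether `data` is a ZIP/JAR and whether that disagrees with its extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result: Dict[str, Any] = {
        "name": name,
        "extension": ext,
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_zip": data[:4] in ZIP_MAGICS,
        "entries": [],
        "main_class": None,
        "extension_mismatch": False,
    }
    if not result["is_zip"]:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            result["entries"] = z.namelist()
            if "META-INF/MANIFEST.MF" in result["entries"]:
                manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("main-class:"):
                        result["main_class"] = line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        # Magic matched but the archive is truncated or corrupt; still flag it.
        result["entries"] = []
    result["extension_mismatch"] = ext != "jar"
    return result


if __name__ == "__main__":
    report = inspect_jar_candidate("owmhrgjo.txt", build_stub_jar())
    print(report["name"], "zip:", report["is_zip"], "mismatch:", report["extension_mismatch"],
          "main:", report["main_class"], "entries:", report["entries"])
```

Run the same function over the real dropped file when you have it; the hashes in the Downloads list above are what you would compare the sha256 field against.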