Analysis
- max time kernel: 149s
- max time network: 197s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 31-08-2021 07:46
Static task: static1
Behavioral task: behavioral1
- Sample: Payment.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Payment.js
- Resource: win10v20210408
General
- Target: Payment.js
- Size: 199KB
- MD5: fc81b118b986d065514814c62ce2959c
- SHA1: a8c1ed074cc533c5aa6b71a3a527ffbc0493e225
- SHA256: 8b89ccf2aeee269572578f39cbe44d8b9eb1e90d6625be8bb005cc5296abc629
- SHA512: 5bf826d4cfbdd6613e4955d4eee3ef0851ad48f0ab3c8eada4c4d57b0b815af8e854d08a95eaf196316fd91f8c84aa2ec7ed5cfef8913757c19ea077e3c4a6e7
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: WScript.exe
  flow | pid | process
  5 | 1596 | WScript.exe
  6 | 1596 | WScript.exe
  7 | 1596 | WScript.exe
  9 | 1596 | WScript.exe
  10 | 1596 | WScript.exe
  11 | 1596 | WScript.exe
  13 | 1596 | WScript.exe
  14 | 1596 | WScript.exe
  15 | 1596 | WScript.exe
  17 | 1596 | WScript.exe
  18 | 1596 | WScript.exe
  19 | 1596 | WScript.exe
  21 | 1596 | WScript.exe
  22 | 1596 | WScript.exe
  23 | 1596 | WScript.exe
  25 | 1596 | WScript.exe
  26 | 1596 | WScript.exe
  27 | 1596 | WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js | WScript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\QUKoVKgJQp.js\"" | WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1152 | 1708 | WerFault.exe | javaw.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
  pid | process
  1152 | WerFault.exe
  1152 | WerFault.exe
  1152 | WerFault.exe
  1152 | WerFault.exe
  1152 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: WerFault.exe
  pid | process
  1152 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 1152 | WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: wscript.exe, javaw.exe
  description | pid | process | target process
  PID 628 wrote to memory of 1596 | 628 | wscript.exe | WScript.exe
  PID 628 wrote to memory of 1596 | 628 | wscript.exe | WScript.exe
  PID 628 wrote to memory of 1596 | 628 | wscript.exe | WScript.exe
  PID 628 wrote to memory of 1708 | 628 | wscript.exe | javaw.exe
  PID 628 wrote to memory of 1708 | 628 | wscript.exe | javaw.exe
  PID 628 wrote to memory of 1708 | 628 | wscript.exe | javaw.exe
  PID 1708 wrote to memory of 1152 | 1708 | javaw.exe | WerFault.exe
  PID 1708 wrote to memory of 1152 | 1708 | javaw.exe | WerFault.exe
  PID 1708 wrote to memory of 1152 | 1708 | javaw.exe | WerFault.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe (depth 2)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\sfnbzlui.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1708 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js
  MD5: 20db8f29d1db93e67b8b2ad6196d9e37
  SHA1: ce499527cae2ea611057d5dc952132b0d948eba4
  SHA256: 349e780cca53f741459e1da002e177b536bf4eb7c69f5d3efaa6c4287bcfa985
  SHA512: 71950c00ace082834e8b13ccc869a5d13c1ee0fe83e170ea3714b0a4279bad2d560f2dd6c2f200bddd4a00b241ff6553db9f6c8156cda7b60f0c08629512bfd3
- C:\Users\Admin\AppData\Roaming\sfnbzlui.txt
  MD5: 7873269dd388d4ff3dbe9f020e121e89
  SHA1: d50b0740bab0ebc4cf6b3cc4c586632f6dc9e13e
  SHA256: bc12cbf509a1f5bff1dea9896aae44b9bc119115bf38349f6caabbbf99e0e919
  SHA512: 36fdd31209b3448dc32100f733c048b063521bade50a5dd8a3945b7acc5b504115036a6c37bf37ac99b31cf4f94a63b7040224bcf5d8b0c3d2bc93e4bb0fc818
- memory/628-59-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp
  Filesize: 8KB
- memory/1152-65-0x0000000000000000-mapping.dmp
- memory/1152-67-0x0000000000350000-0x0000000000351000-memory.dmp
  Filesize: 4KB
- memory/1596-60-0x0000000000000000-mapping.dmp
- memory/1708-62-0x0000000000000000-mapping.dmp