Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 31-08-2021 07:46
Static task: static1
Behavioral task: behavioral1
- Sample: Payment.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Payment.js
- Resource: win10v20210408
General
- Target: Payment.js
- Size: 199KB
- MD5: fc81b118b986d065514814c62ce2959c
- SHA1: a8c1ed074cc533c5aa6b71a3a527ffbc0493e225
- SHA256: 8b89ccf2aeee269572578f39cbe44d8b9eb1e90d6625be8bb005cc5296abc629
- SHA512: 5bf826d4cfbdd6613e4955d4eee3ef0851ad48f0ab3c8eada4c4d57b0b815af8e854d08a95eaf196316fd91f8c84aa2ec7ed5cfef8913757c19ea077e3c4a6e7
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes:
  flow  pid   process
  9     3968  WScript.exe
  18    3968  WScript.exe
  20    3968  WScript.exe
  21    3968  WScript.exe
  22    3968  WScript.exe
  23    3968  WScript.exe
  24    3968  WScript.exe
  25    3968  WScript.exe
  26    3968  WScript.exe
  27    3968  WScript.exe
  28    3968  WScript.exe
  29    3968  WScript.exe
  30    3968  WScript.exe
  31    3968  WScript.exe
  32    3968  WScript.exe
  33    3968  WScript.exe
  34    3968  WScript.exe
  35    3968  WScript.exe
- Drops startup file (2 IoCs)
  Processes:
  description                   ioc                                                                                         process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js  WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description      ioc                                                                                                                                                               process
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                        WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\QUKoVKgJQp.js\""  WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3008  3716        WerFault.exe  javaw.exe
- Modifies registry class (1 IoC)
  Processes:
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  wscript.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
  pid   process
  3008  WerFault.exe  (15 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3008  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  pid  process      target pid  target process
  912  wscript.exe  3968        WScript.exe
  912  wscript.exe  3968        WScript.exe
  912  wscript.exe  3716        javaw.exe
  912  wscript.exe  3716        javaw.exe
Processes
- C:\Windows\system32\wscript.exe (PID 912)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Payment.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 3968)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 3716)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lijhizicm.txt"
    - C:\Windows\system32\WerFault.exe (PID 3008, crash handler for PID 3716)
      Command line: C:\Windows\system32\WerFault.exe -u -p 3716 -s 352
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
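The chain the report shows is: wscript.exe (PID 912) runs Payment.js, which writes QUKoVKgJQp.js (a different file from the sample, judging by the hashes in the Downloads section) to the Roaming profile and the Startup folder, registers it under a Run value, and launches javaw.exe -jar on lijhizicm.txt, i.e. a JAR carrying a .txt extension; the second-stage script host then makes repeated network connections, and javaw.exe crashes under WerFault.exe. The following Python is an added example, not part of the sandbox report or its tooling: it encodes those four behaviours as detection rules and runs them over Sysmon-style event dicts that are constructed here to mirror the report (the PIDs and paths are taken from the report; the event layout, the rule names, and the destination address 198.51.100.10 are assumptions of the example). Two benign control events are included to show the rules do not fire on an ordinary .jar launch or an .exe Run value.

```python
import re

# Script hosts and script extensions treated as suspicious persistence payloads
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
JAVA_IMAGES = {"javaw.exe", "java.exe"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
JAR_ARG_RE = re.compile(r'-jar\s+("[^"]+"|\S+)', re.I)


def image_name(path):
    """Lower-cased file name of a Windows path: C:\\...\\WScript.exe -> wscript.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unquote(arg):
    return arg.strip().strip('"')


def detect(event):
    """Return the names of the (hypothetical) rules that fire on one event dict."""
    hits = []
    kind = event["type"]
    image = image_name(event.get("image", ""))

    if kind == "process_create":
        parent = image_name(event.get("parent_image", ""))
        if parent in SCRIPT_HOSTS and image in JAVA_IMAGES:
            hits.append("script_host_spawns_java")
        m = JAR_ARG_RE.search(event.get("cmdline", ""))
        # javaw.exe -jar on a file whose extension is not .jar (lijhizicm.txt in the report)
        if image in JAVA_IMAGES and m and not unquote(m.group(1)).lower().endswith(".jar"):
            hits.append("jar_with_disguised_extension")

    elif kind == "file_create":
        target = event.get("target", "")
        if image in SCRIPT_HOSTS and STARTUP_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
            hits.append("startup_folder_script_drop")

    elif kind == "registry_set":
        # The Run value in the report is the quoted path of a .js file
        value = unquote(event.get("value", ""))
        if RUN_KEY_RE.search(event.get("key", "")) and value.lower().endswith(SCRIPT_EXTS):
            hits.append("run_key_script_persistence")

    elif kind == "network_connect":
        if image in SCRIPT_HOSTS:
            hits.append("script_host_network_connection")

    return hits


def run_detections(events):
    """Map each rule name to the sorted list of PIDs that triggered it."""
    alerts = {}
    for ev in events:
        for rule in detect(ev):
            alerts.setdefault(rule, set()).add(ev["pid"])
    return {rule: sorted(pids) for rule, pids in alerts.items()}


# Constructed events modelled on the report above; not real sandbox telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3968, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js"'},
    {"type": "process_create", "pid": 3716, "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lijhizicm.txt"'},
    {"type": "file_create", "pid": 3968, "image": r"C:\Windows\System32\WScript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKoVKgJQp.js"},
    {"type": "registry_set", "pid": 3968, "image": r"C:\Windows\System32\WScript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "value": r'"C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js"'},
    # Destination is a placeholder documentation address, not one from the report
    {"type": "network_connect", "pid": 3968, "image": r"C:\Windows\System32\WScript.exe", "dst": "198.51.100.10:443"},
    # Benign controls: a normal .jar started from Explorer, and a Run value pointing at an .exe
    {"type": "process_create", "pid": 4100, "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Tools\app.jar"'},
    {"type": "registry_set", "pid": 4200, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Users\Admin\AppData\Local\Updater\Updater.exe"'},
]

if __name__ == "__main__":
    for rule, pids in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: pids {pids}")
```

The extension check on the -jar argument is the most portable signal here: java will happily run a JAR regardless of its file name, so a .txt (or .png, .dat) passed to -jar from a script host is a strong indicator on its own, while the Startup-folder and Run-key rules catch the persistence even when the second stage changes.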
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\QUKoVKgJQp.js
  MD5: 20db8f29d1db93e67b8b2ad6196d9e37
  SHA1: ce499527cae2ea611057d5dc952132b0d948eba4
  SHA256: 349e780cca53f741459e1da002e177b536bf4eb7c69f5d3efaa6c4287bcfa985
  SHA512: 71950c00ace082834e8b13ccc869a5d13c1ee0fe83e170ea3714b0a4279bad2d560f2dd6c2f200bddd4a00b241ff6553db9f6c8156cda7b60f0c08629512bfd3
- C:\Users\Admin\AppData\Roaming\lijhizicm.txt
  MD5: 7873269dd388d4ff3dbe9f020e121e89
  SHA1: d50b0740bab0ebc4cf6b3cc4c586632f6dc9e13e
  SHA256: bc12cbf509a1f5bff1dea9896aae44b9bc119115bf38349f6caabbbf99e0e919
  SHA512: 36fdd31209b3448dc32100f733c048b063521bade50a5dd8a3945b7acc5b504115036a6c37bf37ac99b31cf4f94a63b7040224bcf5d8b0c3d2bc93e4bb0fc818
- memory/3716-116-0x0000000000000000-mapping.dmp
- memory/3968-114-0x0000000000000000-mapping.dmp