Analysis

max time kernel: 152s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 13/12/2021, 15:18

Static task: static1
Behavioral task: behavioral1
  Sample: SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js
  Resource: win10-en-20211208
General

Target: SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js
Size: 491KB
MD5: 87abfdba2290a31df0d97e91cc4b1195
SHA1: 04ccec1a839efb216cfab4c6bf35e25b1b320157
SHA256: 556e3aa4f1bdf16c72a2ab22884b935936386f69ca4977a6e815bcc1eb3b9408
SHA512: bcf7c1528ca72669d43d495f5daa21417f757dbd825593cf6589bf9502e3866b7860a807be81a92d9d20dc2dee4ca84bae85dabcddec3a53b83ba336a840aa9c
Malware Config

Signatures

- suricata: ET MALWARE STRRAT CnC Checkin
- Blocklisted process makes network request (15 IoCs)

  All 15 flows originate from the same process:

  pid   Process      flows
  556   WScript.exe  5, 12, 15, 17, 18, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34
- Drops startup file (3 IoCs)

  description                   ioc                                                                                        Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etthhdicsg.txt  java.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiCIKHrGSI.js   WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiCIKHrGSI.js   WScript.exe
- Loads dropped DLL (2 IoCs)

  pid   Process
  1608  java.exe
  1088  java.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)

  description      ioc                                                                                                        Process
  Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run                        WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\oiCIKHrGSI.js"   WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\etthhdicsg = "C:\Users\Admin\AppData\Roaming\etthhdicsg.txt"  java.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etthhdicsg = "C:\Users\Admin\AppData\Roaming\etthhdicsg.txt"                                              java.exe

  The registry data is stored with the surrounding quotes included (the report escapes them as \"...\"). Two layers persist independently: the JScript dropper registers its own copy (oiCIKHrGSI.js) under the user's Run key, and the Java payload registers the JAR it stores with a .txt extension (etthhdicsg.txt) under both the user's and the machine's Run key. Writing the HKLM Run key requires administrative rights, so that entry shows the sandbox session was elevated; on a standard-user host only the HKCU entries would land.
- Looks up external IP address via web service (1 IoCs)

  Uses a legitimate IP lookup service to find the infected system's external IP.

  flow  ioc
  20    ip-api.com
- Enumerates physical storage devices (1 TTPs)

  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but the report attaches no IoC to the signature and the only disk-related activity visible in the trace is the WMIC win32_logicaldisk query for volumeserialnumber (see Processes). Reading a volume serial number is host identification, not file encryption, so this should not be read as ransomware activity for this sample.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)

  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named "Skype", runs every 30 minutes (/sc minute /mo 30) and points at the dropped JAR stored as C:\Users\Admin\AppData\Roaming\etthhdicsg.txt, giving the payload a third persistence path alongside the Run keys and the Startup folder.

  pid   Process
  1956  schtasks.exe
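The three persistence mechanisms above (Run keys, Startup-folder drops and the schtasks command) can be triaged mechanically from a report like this one. The following is an added example, not part of the sandbox report: the records it checks are constructed from the report's IoC tables, and the rules (which directories count as user-writable drop locations, which extensions count as genuinely executable) are the author's assumptions.

```python
"""Triage the persistence artifacts a sandbox report lists: Run-key values,
Startup-folder drops and a schtasks command line.  Added example; the records
below are constructed from the report's IoC tables."""
import ntpath
import re
from typing import Dict, List, Tuple, Union

# Assumptions: what counts as a user-writable drop location and as a genuinely
# executable extension.  Anything else pointed at by an autostart is suspect.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\", "\\users\\public\\")
RUNNABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".msi", ".scr", ".dll"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}

SID = "S-1-5-21-2329389628-4064185017-3901522362-1000"
RUN_KEYS = [  # (hive\key, value name, data exactly as stored, quotes included)
    (f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SEJOKAOI5S",
     '"C:\\Users\\Admin\\AppData\\Roaming\\oiCIKHrGSI.js"'),
    (f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "etthhdicsg",
     '"C:\\Users\\Admin\\AppData\\Roaming\\etthhdicsg.txt"'),
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "etthhdicsg",
     '"C:\\Users\\Admin\\AppData\\Roaming\\etthhdicsg.txt"'),
]
STARTUP_DIR = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
STARTUP_FILES = [  # the report logs the .js twice (created, then opened for modification)
    STARTUP_DIR + "etthhdicsg.txt", STARTUP_DIR + "oiCIKHrGSI.js", STARTUP_DIR + "oiCIKHrGSI.js",
]
SCHTASKS_CMD = 'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\\Users\\Admin\\AppData\\Roaming\\etthhdicsg.txt"'


def unquote(data: str) -> str:
    """Run-key data is stored with literal surrounding quotes; strip one pair."""
    data = data.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1]
    return data


def ext_of(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def judge_target(path: str, check_location: bool = True) -> List[str]:
    """Return the reasons an autostart target is suspicious (empty list = clean)."""
    reasons = []
    ext = ext_of(path)
    if check_location and any(m in path.lower() for m in USER_WRITABLE):
        reasons.append("target lives in a user-writable profile directory")
    if ext in SCRIPT_EXT:
        reasons.append(f"script-host payload ({ext})")
    elif ext not in RUNNABLE_EXT:
        reasons.append(f"non-executable extension {ext or '(none)'}: likely a renamed payload")
    return reasons


def parse_schtasks(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Split a schtasks command line into its switches; valueless switches map to True."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    start = next((i for i, t in enumerate(tokens)
                  if ntpath.basename(t).lower() in ("schtasks", "schtasks.exe")), None)
    opts: Dict[str, Union[str, bool]] = {}
    if start is None:
        return opts
    i = start + 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]   # switch with an argument (/sc minute, /tr <path>)
                i += 1
            else:
                opts[key] = True            # bare switch (/create)
        i += 1
    return opts


def judge_schtasks(cmdline: str) -> Tuple[Dict[str, Union[str, bool]], List[str]]:
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return opts, []
    reasons = judge_target(str(opts.get("tr", "")))
    if str(opts.get("sc", "")).lower() == "minute":
        reasons.append(f"re-runs every {opts.get('mo', '1')} minute(s)")
    return opts, reasons


def triage() -> List[Tuple[str, str, str]]:
    """(artifact type, where, reason) for every suspicious persistence record."""
    findings = []
    for key, name, data in RUN_KEYS:
        for r in judge_target(unquote(data)):
            findings.append(("run_key", f"{key}\\{name}", r))
    for path in sorted(set(STARTUP_FILES)):  # create + modify of one file counts once
        # the Startup folder is always under Roaming, so only judge the file itself
        for r in judge_target(path, check_location=False):
            findings.append(("startup_file", ntpath.basename(path), r))
    opts, reasons = judge_schtasks(SCHTASKS_CMD)
    for r in reasons:
        findings.append(("schtask", str(opts.get("tn", "?")), r))
    return findings


if __name__ == "__main__":
    for kind, where, reason in triage():
        print(f"[{kind}] {where}: {reason}")
```

The schtasks parser deliberately starts after the schtasks token so that a wrapping `cmd /c` does not swallow `schtasks` as the value of `/c`; the same tokenizer handles both the quoted `/tr` path seen here and bare paths.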
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  Every entry is WMIC.exe enabling privileges on its own token: PID 1912 (two full passes of 20 entries) and PID 1092 (one full pass plus the first four entries of a second, 24 entries), which is where the list is truncated at 64. The privilege set is identical in every pass:

  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid: 1912 WMIC.exe (x2), 1092 WMIC.exe (x1 + 4 entries)

  The numeric entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names; in winnt.h these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. This is the blanket set wmic.exe enables on its token whenever it starts, so the signature reflects the sample's use of WMIC rather than a privilege escalation of its own. The two later WMIC processes (PIDs 1724 and 1136) are missing only because of the 64-entry cut-off.
- Suspicious use of WriteProcessMemory (42 IoCs)

  Each parent/child pair is recorded three times (a normal side effect of process creation), so the 42 entries describe 14 distinct process creations:

  parent PID  parent image  child PID  procid_target
  1648        wscript.exe   556        27
  1648        wscript.exe   1420       28
  1420        javaw.exe     1608       34
  1608        java.exe      1724       48
  1608        java.exe      1088       36
  1724        WMIC.exe      1956       39
  1088        java.exe      840        43
  840         cmd.exe       1912       44
  1088        java.exe      528        46
  528         cmd.exe       1092       47
  1088        java.exe      1640       50
  1640        cmd.exe       1724       48
  1088        java.exe      1716       53
  1716        cmd.exe       1136       51

  PID 1724 is reused during the run: it is first the cmd.exe that java.exe 1608 spawns to run schtasks (and which creates schtasks.exe 1956), and later the WMIC.exe that cmd.exe 1640 spawns. The 1724 -> 1956 row is labelled "WMIC.exe" because the sandbox resolved the PID to its later owner; the process list shows the cmd.exe that actually created schtasks. This table is also the only place that gives parents for the two WMIC.exe processes (1724 and 1136) that the process list shows at top level.
Processes

Indentation shows parent/child depth. The two WMIC.exe processes the report lists at top level (PIDs 1724 and 1136) are placed under the cmd.exe parents given for them in the WriteProcessMemory table above.

C:\Windows\system32\wscript.exe  (PID 1648)
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js"
    - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe  (PID 556)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oiCIKHrGSI.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

  C:\Program Files\Java\jre7\bin\javaw.exe  (PID 1420)
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\etthhdicsg.txt"
      - Suspicious use of WriteProcessMemory

    C:\Program Files\Java\jre7\bin\java.exe  (PID 1608)
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\etthhdicsg.txt"
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 1724)
          cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\etthhdicsg.txt"

        C:\Windows\system32\schtasks.exe  (PID 1956)
            schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\etthhdicsg.txt"
            - Creates scheduled task(s)

      C:\Program Files\Java\jre7\bin\java.exe  (PID 1088)
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\etthhdicsg.txt"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe  (PID 840)
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            - Suspicious use of WriteProcessMemory

          C:\Windows\System32\Wbem\WMIC.exe  (PID 1912)
              wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe  (PID 528)
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            - Suspicious use of WriteProcessMemory

          C:\Windows\System32\Wbem\WMIC.exe  (PID 1092)
              wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe  (PID 1640)
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            - Suspicious use of WriteProcessMemory

          C:\Windows\System32\Wbem\WMIC.exe  (PID 1724, listed at top level in the report; PID reused after cmd.exe 1724 exited)
              wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
              - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe  (PID 1716)
            cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            - Suspicious use of WriteProcessMemory

          C:\Windows\System32\Wbem\WMIC.exe  (PID 1136, listed at top level in the report)
              wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

The chain is: the phishing attachment (a .js posing as a PDF) runs under wscript.exe, copies itself to AppData\Roaming and relaunches, then starts javaw.exe on a JAR it stored with a .txt extension. The Java payload spawns a second java.exe, registers the scheduled task, and runs four WMIC queries through cmd.exe to collect the volume serial number, OS caption/architecture/version and the installed antivirus products, which matches the STRRAT check-in the Suricata rule fired on.
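The process chain above is the kind of structure a detection engineer would encode as parent/child rules rather than as hash matches. The following is an added example, not part of the sandbox report: PROCS is constructed from the report's process list (with the two top-level WMIC.exe entries attached to the cmd.exe parents named in the WriteProcessMemory table), the idx/parent_idx fields stand in for a sandbox's unique process identifiers, and the three chain rules are the author's assumptions about what makes this trace STRRAT-like.

```python
"""Rebuild the report's process tree and flag the execution chains that make
it STRRAT-like: a script host launching java -jar on a non-.jar file, Java
driving WMIC reconnaissance through cmd.exe, and a scheduled task created from
inside the Java tree.  Added example; PROCS is constructed from the report."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    idx: int                   # sandbox-unique index; needed because PIDs are reused (1724)
    parent_idx: Optional[int]
    pid: int
    image: str
    cmdline: str


# Command lines as they appear in the report.
WMIC_DISK = r"""wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"""
WMIC_OS = r"""wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"""
WMIC_VER = r"""wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"""
WMIC_AV = r"""wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"""
JAR = r'"C:\Users\Admin\AppData\Roaming\etthhdicsg.txt"'
SCHTASK = "schtasks /create /sc minute /mo 30 /tn Skype /tr " + JAR

PROCS = [  # parents of the two top-level WMIC.exe entries taken from the WriteProcessMemory table
    Proc(1, None, 1648, "wscript.exe", r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js"'),
    Proc(2, 1, 556, "WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oiCIKHrGSI.js"'),
    Proc(3, 1, 1420, "javaw.exe", r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar ' + JAR),
    Proc(4, 3, 1608, "java.exe", r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\etthhdicsg.txt"'),
    Proc(5, 4, 1724, "cmd.exe", "cmd /c " + SCHTASK),
    Proc(6, 5, 1956, "schtasks.exe", SCHTASK),
    Proc(7, 4, 1088, "java.exe", r'"C:\Program Files\Java\jre7\bin\java.exe" -jar ' + JAR),
    Proc(8, 7, 840, "cmd.exe", f'cmd.exe /c "{WMIC_DISK}"'),
    Proc(9, 8, 1912, "WMIC.exe", WMIC_DISK),
    Proc(10, 7, 528, "cmd.exe", f'cmd.exe /c "{WMIC_OS}"'),
    Proc(11, 10, 1092, "WMIC.exe", WMIC_OS),
    Proc(12, 7, 1640, "cmd.exe", f'cmd.exe /c "{WMIC_VER}"'),
    Proc(13, 12, 1724, "WMIC.exe", WMIC_VER),   # PID 1724 reused after cmd.exe (idx 5) exited
    Proc(14, 7, 1716, "cmd.exe", f'cmd.exe /c "{WMIC_AV}"'),
    Proc(15, 14, 1136, "WMIC.exe", WMIC_AV),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA = {"java.exe", "javaw.exe"}
WMI_RECON = {  # WMI class named in the query -> what the operator learns
    "antivirusproduct": "installed security products",
    "win32_operatingsystem": "OS caption/version/architecture",
    "win32_logicaldisk": "volume serial number (host fingerprint)",
}


def lineage(p: Proc, index: Dict[int, Proc]) -> List[str]:
    """Lower-cased image names from the process itself up to the root."""
    chain = []
    cur: Optional[Proc] = p
    while cur is not None:
        chain.append(cur.image.lower())
        cur = index.get(cur.parent_idx) if cur.parent_idx is not None else None
    return chain


def jar_target(cmdline: str) -> Optional[str]:
    """Path handed to java -jar, whether quoted or bare."""
    m = re.search(r'-jar\s+(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def reused_pids(procs: List[Proc]) -> set:
    """PIDs that belong to more than one process in the trace."""
    return {pid for pid, n in Counter(p.pid for p in procs).items() if n > 1}


def detect(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """(pid, rule, detail) for every process whose ancestry matches a rule."""
    index = {p.idx: p for p in procs}
    findings = []
    for p in procs:
        chain = lineage(p, index)            # [self, parent, grandparent, ...]
        me, parent = chain[0], (chain[1] if len(chain) > 1 else "")
        if parent in SCRIPT_HOSTS and me in JAVA:
            target = jar_target(p.cmdline) or ""
            if not target.lower().endswith(".jar"):
                findings.append((p.pid, "script host runs java -jar on a non-.jar file", target))
        if me == "wmic.exe" and chain[1:3] == ["cmd.exe", "java.exe"]:
            low = p.cmdline.lower()
            for wmi_class, what in WMI_RECON.items():
                if wmi_class in low:
                    findings.append((p.pid, "java -> cmd -> wmic reconnaissance", what))
        if me == "schtasks.exe" and "java.exe" in chain[1:]:
            findings.append((p.pid, "scheduled task created from a Java process tree", p.cmdline))
    return findings


if __name__ == "__main__":
    print("reused PIDs:", sorted(reused_pids(PROCS)))
    for pid, rule, detail in detect(PROCS):
        print(f"PID {pid}: {rule} ({detail})")
```

Keying the tree on a sandbox-unique index rather than on the PID matters here: PID 1724 names both the cmd.exe that created schtasks and a later WMIC.exe, and a PID-keyed parent lookup would either lose one of them or attach schtasks.exe to the wrong parent, which is exactly what the report's own WriteProcessMemory table does when it labels the 1724 -> 1956 row "WMIC.exe".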