Analysis
  max time kernel:  145s
  max time network: 148s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        15/12/2021, 07:22

Static task: static1

Behavioral task: behavioral1
  Sample:   Proof of payment.js
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample:   Proof of payment.js
  Resource: win10-en-20211208

General
  Target: Proof of payment.js
  Size:   182KB
  MD5:    5eaa5af5395fa6f3c827fc0e47aa1777
  SHA1:   836112a65cca4e6e37ef7950fc5167417c79845e
  SHA256: c2c538a26d9de315c6c94c98513a02d2c17e5e96666191a208426eb9f0d5f3ca
  SHA512: 9dd863c44b5c83abf231218596983aa475a530ae8d72a923cb47850e7bad8cda7ede079b6c2299064caee8494d59b78d97c17a4197293b061f263c22bed08603
Malware Config
Signatures
Drops startup file (1 IoC)
  description   ioc                                                                                              Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kndkqnchpo.txt       java.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1452  java.exe
  1720  java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kndkqnchpo = "\"C:\\Users\\Admin\\AppData\\Roaming\\kndkqnchpo.txt\""                          java.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\kndkqnchpo = "\"C:\\Users\\Admin\\AppData\\Roaming\\kndkqnchpo.txt\""  java.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  14    ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1880  schtasks.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      1064  WMIC.exe
  Token: SeSecurityPrivilege           1064  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1064  WMIC.exe
  Token: SeLoadDriverPrivilege         1064  WMIC.exe
  Token: SeSystemProfilePrivilege      1064  WMIC.exe
  Token: SeSystemtimePrivilege         1064  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1064  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1064  WMIC.exe
  Token: SeCreatePagefilePrivilege     1064  WMIC.exe
  Token: SeBackupPrivilege             1064  WMIC.exe
  Token: SeRestorePrivilege            1064  WMIC.exe
  Token: SeShutdownPrivilege           1064  WMIC.exe
  Token: SeDebugPrivilege              1064  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1064  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1064  WMIC.exe
  Token: SeUndockPrivilege             1064  WMIC.exe
  Token: SeManageVolumePrivilege       1064  WMIC.exe
  Token: 33                            1064  WMIC.exe
  Token: 34                            1064  WMIC.exe
  Token: 35                            1064  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1064  WMIC.exe
  Token: SeSecurityPrivilege           1064  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1064  WMIC.exe
  Token: SeLoadDriverPrivilege         1064  WMIC.exe
  Token: SeSystemProfilePrivilege      1064  WMIC.exe
  Token: SeSystemtimePrivilege         1064  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1064  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1064  WMIC.exe
  Token: SeCreatePagefilePrivilege     1064  WMIC.exe
  Token: SeBackupPrivilege             1064  WMIC.exe
  Token: SeRestorePrivilege            1064  WMIC.exe
  Token: SeShutdownPrivilege           1064  WMIC.exe
  Token: SeDebugPrivilege              1064  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1064  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1064  WMIC.exe
  Token: SeUndockPrivilege             1064  WMIC.exe
  Token: SeManageVolumePrivilege       1064  WMIC.exe
  Token: 33                            1064  WMIC.exe
  Token: 34                            1064  WMIC.exe
  Token: 35                            1064  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      968   WMIC.exe
  Token: SeSecurityPrivilege           968   WMIC.exe
  Token: SeTakeOwnershipPrivilege      968   WMIC.exe
  Token: SeLoadDriverPrivilege         968   WMIC.exe
  Token: SeSystemProfilePrivilege      968   WMIC.exe
  Token: SeSystemtimePrivilege         968   WMIC.exe
  Token: SeProfSingleProcessPrivilege  968   WMIC.exe
  Token: SeIncBasePriorityPrivilege    968   WMIC.exe
  Token: SeCreatePagefilePrivilege     968   WMIC.exe
  Token: SeBackupPrivilege             968   WMIC.exe
  Token: SeRestorePrivilege            968   WMIC.exe
  Token: SeShutdownPrivilege           968   WMIC.exe
  Token: SeDebugPrivilege              968   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  968   WMIC.exe
  Token: SeRemoteShutdownPrivilege     968   WMIC.exe
  Token: SeUndockPrivilege             968   WMIC.exe
  Token: SeManageVolumePrivilege       968   WMIC.exe
  Token: 33                            968   WMIC.exe
  Token: 34                            968   WMIC.exe
  Token: 35                            968   WMIC.exe
  Token: SeIncreaseQuotaPrivilege      968   WMIC.exe
  Token: SeSecurityPrivilege           968   WMIC.exe
  Token: SeTakeOwnershipPrivilege      968   WMIC.exe
  Token: SeLoadDriverPrivilege         968   WMIC.exe
Suspicious use of WriteProcessMemory (39 IoCs)
  description                        pid   Process      procid_target
  PID 1676 wrote to memory of 1104   1676  wscript.exe  27
  PID 1676 wrote to memory of 1104   1676  wscript.exe  27
  PID 1676 wrote to memory of 1104   1676  wscript.exe  27
  PID 1104 wrote to memory of 1452   1104  javaw.exe    28
  PID 1104 wrote to memory of 1452   1104  javaw.exe    28
  PID 1104 wrote to memory of 1452   1104  javaw.exe    28
  PID 1452 wrote to memory of 1864   1452  java.exe     30
  PID 1452 wrote to memory of 1864   1452  java.exe     30
  PID 1452 wrote to memory of 1864   1452  java.exe     30
  PID 1452 wrote to memory of 1720   1452  java.exe     32
  PID 1452 wrote to memory of 1720   1452  java.exe     32
  PID 1452 wrote to memory of 1720   1452  java.exe     32
  PID 1864 wrote to memory of 1880   1864  cmd.exe      34
  PID 1864 wrote to memory of 1880   1864  cmd.exe      34
  PID 1864 wrote to memory of 1880   1864  cmd.exe      34
  PID 1720 wrote to memory of 1696   1720  java.exe     35
  PID 1720 wrote to memory of 1696   1720  java.exe     35
  PID 1720 wrote to memory of 1696   1720  java.exe     35
  PID 1696 wrote to memory of 1064   1696  cmd.exe      37
  PID 1696 wrote to memory of 1064   1696  cmd.exe      37
  PID 1696 wrote to memory of 1064   1696  cmd.exe      37
  PID 1720 wrote to memory of 612    1720  java.exe     40
  PID 1720 wrote to memory of 612    1720  java.exe     40
  PID 1720 wrote to memory of 612    1720  java.exe     40
  PID 612 wrote to memory of 968     612   cmd.exe      41
  PID 612 wrote to memory of 968     612   cmd.exe      41
  PID 612 wrote to memory of 968     612   cmd.exe      41
  PID 1720 wrote to memory of 856    1720  java.exe     44
  PID 1720 wrote to memory of 856    1720  java.exe     44
  PID 1720 wrote to memory of 856    1720  java.exe     44
  PID 856 wrote to memory of 996     856   cmd.exe      42
  PID 856 wrote to memory of 996     856   cmd.exe      42
  PID 856 wrote to memory of 996     856   cmd.exe      42
  PID 1720 wrote to memory of 1484   1720  java.exe     45
  PID 1720 wrote to memory of 1484   1720  java.exe     45
  PID 1720 wrote to memory of 1484   1720  java.exe     45
  PID 1484 wrote to memory of 620    1484  cmd.exe      46
  PID 1484 wrote to memory of 620    1484  cmd.exe      46
  PID 1484 wrote to memory of 620    1484  cmd.exe      46
Processes
[1] C:\Windows\system32\wscript.exe  (PID 1676)
    cmdline: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof of payment.js"
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Java\jre7\bin\javaw.exe  (PID 1104)
      cmdline: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Java\jre7\bin\java.exe  (PID 1452)
        cmdline: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\kndkqnchpo.txt"
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe  (PID 1864)
          cmdline: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\schtasks.exe  (PID 1880)
            cmdline: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
            - Creates scheduled task(s)

      [4] C:\Program Files\Java\jre7\bin\java.exe  (PID 1720)
          cmdline: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\cmd.exe  (PID 1696)
            cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\Wbem\WMIC.exe  (PID 1064)
              cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
              - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\system32\cmd.exe  (PID 612)
            cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\Wbem\WMIC.exe  (PID 968)
              cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
              - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\system32\cmd.exe  (PID 856)
            cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\cmd.exe  (PID 1484)
            cmdline: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\Wbem\WMIC.exe  (PID 620)
              cmdline: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

[1] C:\Windows\System32\Wbem\WMIC.exe  (PID 996)
    cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list