Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    15/12/2021, 07:22

General

  • Target

    Proof of payment.js

  • Size

    182KB

  • MD5

    5eaa5af5395fa6f3c827fc0e47aa1777

  • SHA1

    836112a65cca4e6e37ef7950fc5167417c79845e

  • SHA256

    c2c538a26d9de315c6c94c98513a02d2c17e5e96666191a208426eb9f0d5f3ca

  • SHA512

    9dd863c44b5c83abf231218596983aa475a530ae8d72a923cb47850e7bad8cda7ede079b6c2299064caee8494d59b78d97c17a4197293b061f263c22bed08603

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof of payment.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\kndkqnchpo.txt"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\system32\cmd.exe
          cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Windows\system32\schtasks.exe
            schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
            5⤵
            • Creates scheduled task(s)
            PID:1880
        • C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\kndkqnchpo.txt"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1696
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1064
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:612
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:968
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:856
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1484
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
              6⤵
                PID:620
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
      1⤵
        PID:996

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1104-74-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-56-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

              Filesize

              8KB

            • memory/1104-58-0x00000000020E0000-0x0000000002350000-memory.dmp

              Filesize

              2.4MB

            • memory/1104-59-0x00000000020E0000-0x0000000002350000-memory.dmp

              Filesize

              2.4MB

            • memory/1104-60-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-61-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-78-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-64-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-68-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-69-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-76-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-75-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1104-71-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

            • memory/1452-87-0x0000000002340000-0x00000000025B0000-memory.dmp

              Filesize

              2.4MB

            • memory/1452-92-0x0000000000120000-0x0000000000121000-memory.dmp

              Filesize

              4KB

            • memory/1452-82-0x0000000000120000-0x0000000000121000-memory.dmp

              Filesize

              4KB

            • memory/1720-98-0x0000000000120000-0x0000000000121000-memory.dmp

              Filesize

              4KB

            • memory/1720-97-0x00000000023F0000-0x0000000002660000-memory.dmp

              Filesize

              2.4MB

            • memory/1720-114-0x0000000000120000-0x0000000000121000-memory.dmp

              Filesize

              4KB