Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
22/09/2022, 11:59

Static task
static1
Behavioral task
behavioral1
Sample
Bill_for_September.js
Resource
win7-20220812-en
General

Target
Bill_for_September.js
Size
117KB
MD5
0d4ce6bd62a6939871782dbf6dc33905
SHA1
c59f4f36d9b46b8e4c131401fa4054f50450e245
SHA256
4fcdcb3039331525724bfeb0cbc97bd0893de48d4aa4ca95e282f0a8f2a1a5ab
SHA512
07b7f3d7cb81a48c90f21bfdf22b0f6cb3941631ab14d05004b813f031d0c5b41538818e4b8c15b83081f48f522adce9b3e01d9f43cf3d202d142f0ea806aff1
SSDEEP
1536:LfgQ2U241TiKP3/qopoIo8kQjZs1BGMLOivlSPPQh7l1GCVbabMOijrkJpQt:BVxiufpoTnBzK7cvhaoNr1t
Malware Config
Extracted
formbook
te2r
Fd9/7zupFcFsmNMDWQ==
7VlRReDWtbu4LUTd5fNe/zPDyw==
jQgurOY8oCSzrjSP+2/F1jU=
xTMzpNwUaiHAy4+Anaz1
RcLapxVS9iOZhw==
lfLSnVItJp+5ImXLvcrLFTUXRmDxTnik
vj9fMOxFLjrOtdhP1GZo0KXIQ388
/91mgBbtxFIxtQk=
4FZ0aRyH/rEdFibAy+VjQyWIUIZaHBQ=
ScHdt3/t4FIxtQk=
/M9svqdL9iOZhw==
iFX1abANxkj893bVWA==
KzjvVANMpiTBmg==
aEKKEue7E9JtmNMDWQ==
+Mdhw6992svnUbzeo5y0zSn+B2co
albc98wrE0xtKjOoOOQ=
DV6CgU6omcjeZ6bJEG/F1jU=
NH981rm1JdyUNRd1
yi0xIqrxV83bmNMDWQ==
v8l52aXp4VIxtQk=
WMLesyFk2GDrymHL6sJhSA==
mwPvLC+p9iOZhw==
sRcXd1s8v+8ZeG/MtdpqB8uqeVfTxWqJgA==
NrXLmPbOmdX7f7oO2+HlKBajNSM=
rA4qraHeGwuv
81Vavo7TvrmUNRd1
6zFRRxZbN3eOC4Hr/tbSAmYB
NZ20hOzkzFIxtQk=
4W5EBEiJ/efwW2CAnaz1
jvkGKZ7zYuVfhLMOmEQgQA==
n40TaKr5UdZhmNMDWQ==
QL3juFq3IR6LgQ==
ovf90FAiAW3yz0Op6sJhSA==
6dF92/I1XmyZCQxr
pqRGRv1Rfm+K3wY=
ziAsyBFi9iOZhw==
j/n54WNFS/ujqXbX6sJhSA==
uBkjoeEzjwWGVsU+u1ku/zPDyw==
Ani5vYjvBambKG6rJLhY/zPDyw==
bewGzHnhwLTDLE+1kLrcJRajNSM=
Z7W1bBp0c6WV8SJFWjIzlT0=
1lZ79TmoGbM5AakYEza8lVG3hCW40A==
69WD6MoYDTxPzSiZELCTchajNSM=
QkTq40YlGuHCQ8H3Tddh/zPDyw==
XjK6Kjgdi4EUFlG6kKTIJRajNSM=
o/0L0WnZUQwEis1i
l51TzuC8OmWF8kZbKF4kQA==
pvUA6lqaFcVbWC2nwdvkciMJ
qPv9bbUJYOMYapyxk6/9
WiWSlWa+q9bHStE9wmAu/zPDyw==
+Op+6vPJLmbVxmPGUQ==
cjzGJW/JPy3ftZT1u9dd/zPDyw==
aseyfK4eDFIxtQk=
8uikGFKVGmLmwx4=
UZ2tszMF83SrDTxrgn2zXw==
LkLuU1I9trBxN5uA+qri
cvkoGOM9Gxivj3rgt+Jy/6KzTYDG1g==
qqdGxb3/ATVGjH28oW/F1jU=
E1lmbvY2kxZDodQ3KkV52EnisfrxTnik
EVpoA7vkSf+jqXbX6sJhSA==
/E5pOdTcxTFIksP9X9xm/zPDyw==
Mf2d+QmwiFgEis1i
A/2zGEmV7Z4/QFdu0W/F1jU=
Kn+6hS0A7PeUNRd1
riskstudio.uk
Signatures
Blocklisted process makes network request (15 IoCs)
flow  pid   Process
4     1252  WScript.exe
9     1252  WScript.exe
10    1252  WScript.exe
12    1252  WScript.exe
14    1252  WScript.exe
15    1252  WScript.exe
17    1252  WScript.exe
18    1252  WScript.exe
19    1252  WScript.exe
21    1252  WScript.exe
22    1252  WScript.exe
23    1252  WScript.exe
25    1252  WScript.exe
26    1252  WScript.exe
27    1252  WScript.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
pid   Process
1196  dl-11941615582555800775452413394.exe
1352  dl-11941615582555800775452413394.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                         Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OKbZTSiYGW.js  WScript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OKbZTSiYGW.js  WScript.exe

Loads dropped DLL (1 IoCs)
pid   Process
1196  dl-11941615582555800775452413394.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                                                                                     Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\""  dl-11941615582555800775452413394.exe

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process                               procid_target
PID 1196 set thread context of 1352  1196  dl-11941615582555800775452413394.exe  38

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
852   powershell.exe
1352  dl-11941615582555800775452413394.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1196  dl-11941615582555800775452413394.exe
Token: SeDebugPrivilege  852   powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1108  javaw.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description                       pid   Process                               procid_target
PID 2020 wrote to memory of 1252  2020  wscript.exe                           28
PID 2020 wrote to memory of 1252  2020  wscript.exe                           28
PID 2020 wrote to memory of 1252  2020  wscript.exe                           28
PID 2020 wrote to memory of 1108  2020  wscript.exe                           29
PID 2020 wrote to memory of 1108  2020  wscript.exe                           29
PID 2020 wrote to memory of 1108  2020  wscript.exe                           29
PID 1108 wrote to memory of 1196  1108  javaw.exe                             33
PID 1108 wrote to memory of 1196  1108  javaw.exe                             33
PID 1108 wrote to memory of 1196  1108  javaw.exe                             33
PID 1108 wrote to memory of 1196  1108  javaw.exe                             33
PID 1196 wrote to memory of 852   1196  dl-11941615582555800775452413394.exe  34
PID 1196 wrote to memory of 852   1196  dl-11941615582555800775452413394.exe  34
PID 1196 wrote to memory of 852   1196  dl-11941615582555800775452413394.exe  34
PID 1196 wrote to memory of 852   1196  dl-11941615582555800775452413394.exe  34
PID 1196 wrote to memory of 1352  1196  dl-11941615582555800775452413394.exe  38
PID 1196 wrote to memory of 1352  1196  dl-11941615582555800775452413394.exe  38
PID 1196 wrote to memory of 1352  1196  dl-11941615582555800775452413394.exe  38
PID 1196 wrote to memory of 1352  1196  dl-11941615582555800775452413394.exe  38
PID 1196 wrote to memory of 1352  1196  dl-11941615582555800775452413394.exe  38
PID 1196 wrote to memory of 1352  1196  dl-11941615582555800775452413394.exe  38
PID 1196 wrote to memory of 1352  1196  dl-11941615582555800775452413394.exe  38
Processes
C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Bill_for_September.js
  - Suspicious use of WriteProcessMemory
  PID: 2020

  C:\Windows\System32\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js"
    - Blocklisted process makes network request
    - Drops startup file
    PID: 1252

  C:\Program Files\Java\jre7\bin\javaw.exe (depth 2)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ykmjni.txt"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1108

    C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1196

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 50)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 852

      C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 1352
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
6KB
MD5
ca997af70e0e7ba134bd85015d945684
SHA1
0d2972cf028063d8086fc6207537d8d1796993b7
SHA256
74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512
836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

Filesize
6KB
MD5
cd1e26090eca7148fb0bf3d0a9070791
SHA1
745715f115adbc17ee4f903908cedbf5f33fe305
SHA256
5ccd5f609f1f1c47e835968018ad8efc7dc25c6ab5c6b8212a279ddd494b7196
SHA512
12b6a39cd7e3495c562e8c5a73aeba37e7055d5c4049a1a976a9945609ae7452d0ceb70e9c95432151104cd39991dadc36978ac87c1b09cb09cb53d17f014bdc

Filesize
51KB
MD5
f3fec1cda20623152eadff01fa271dd9
SHA1
24b5b9e16d17fa7828b0f2edeaa5aab8ac8bacfb
SHA256
eb5605cc851a689a83c9555f48465ea5d13af94ea8db927e6f8ba32640462efc
SHA512
5895e77dedd7756e98f4484b0ea0bdba348211349eb6483ca002d60d293e58f253028a4b07f6deab2d902cbbcc502cf75ac812ec38c30fd05d7e74d1cc5a8a2f