Analysis

  • max time kernel
    121s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 05:00

General

  • Target

    50ba244f113f398afc39ed760e2c3822fdc82147259e9846df5abab89cf8307f.js

  • Size

    52KB

  • MD5

    b9f2fc5e874114e45330cad7b524476c

  • SHA1

    f158badcc637d7d92efb7ef63a6f8783a886ac6b

  • SHA256

    50ba244f113f398afc39ed760e2c3822fdc82147259e9846df5abab89cf8307f

  • SHA512

    dbbd63c7bd8b4a6723fd170e74e4c6532a6a89cca37c4580566585bb645711e7da05bfa37eb5ff7aac1683943b833bc4210a04959789e3e284d5d9dcf6e556a8

  • SSDEEP

    768:EGWR269T41RPhQ3uvuGNhUP9KU2c0WuPIFXRomYO:Jh6d4wcTMgyBomYO

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note
ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.49255 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.49255 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.49255 BTC to this Bitcoin address: 1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG 4. Open one of the following links in your browser to download decryptor: http://ohchinhing.com.sg/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://bloki.internetdsl.pl/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://crobal-water.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://stroydek.ru/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://www.cuihuangge.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).
Wallets

1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

URLs

http://ohchinhing.com.sg/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://bloki.internetdsl.pl/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://crobal-water.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://stroydek.ru/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://www.cuihuangge.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\50ba244f113f398afc39ed760e2c3822fdc82147259e9846df5abab89cf8307f.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\system32\reg.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
        3⤵
        • Adds Run key to start application
        PID:2888
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
        3⤵
        • Modifies registry class
        PID:1188
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\system32\reg.exe
        REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
        3⤵
        • Modifies registry class
        PID:1704
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
      2⤵
      PID:324
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
      2⤵
      PID:1924
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\a.exe "C:\Users\Admin\AppData\Local\Temp\a.php"
      2⤵
      PID:584
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\system32\notepad.exe
        notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2708
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.php"
      2⤵
      PID:1756
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.exe"
      2⤵
      PID:2260
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\php4ts.dll"
      2⤵
      PID:1952

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\BL3600TF.htm

    Filesize

    1KB

    MD5

    6fbd7c29cf69162a0c5213664c2f19c4

    SHA1

    ea8ecaf79bcc408ff176f72e1bded69cda494099

    SHA256

    5bb365f51aa447fc3a3bf92a92c7db8b1d3c655daa138eb466401bfacfa4bf7e

    SHA512

    ee26b9d9265b5cd83598ecc513934397bb10703d224c780a019fa95caeb8835a49a9b7cbc5b26052fda9a181cf734add1643998624dcd566ab8de95a301515ca

  • C:\Users\Admin\AppData\Local\Temp\a.php

    Filesize

    35KB

    MD5

    4a980d966affaa603078f39f4eb8efa7

    SHA1

    40503a88d86e7a5e94f3c9321022bdf9d84c0d99

    SHA256

    7195fc82c2e220dc9939a96e9ae45a5299b784064e20c5296d97793524f503dd

    SHA512

    eafb5aba7c91520f7f22547a7ff105ae7c91de695eeb1d884c5f638206a9a57a113920c5dc66e17f6e56c1358d9b5ad576b5d92b46d442df263daca4fa9a56cc

  • C:\Users\Admin\AppData\Local\Temp\a.txt

    Filesize

    1KB

    MD5

    f1d60b27e3d798e12efa60ec659a15b7

    SHA1

    ff39d09936b77c8af8bef06ea3bf814eb36a8374

    SHA256

    1a56f50c5bafe87b4ea6e3eec49f55984ca67359d4d83a71892e20e729f9ec77

    SHA512

    e65b0f1a330ee467bcbac72b8b81d4992961f0cb6891b20ae40f669eb1e19f83e33be00e96f084ee8e9b9effc5844131c3ed412cf9ea0369508361b061056811