a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5

General

Target

a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5.js
Size

15KB
MD5

d6f08791f0df06ddfe6e846d536a887f
SHA1

cde039518a07cb2ea65c4f2e984d19702cf84555
SHA256

a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5
SHA512

66820099e493ebf7974d38cb7d78b1018cf7706ee12c278c1b86bec8bf6321b937cbfc91f35a5a82c5fb85564ce018e74ba00de4f6bb6eb9b2da71e0e0ecfc57
SSDEEP

384:XM49Wq5HlWaDIFieYws+9VgPxo+Kd9Mvv2iN05N5fXmfAvT3Q9FwhagFx2Vv6dUZ:XD9WsH0a8Finws+9VgPxo+Kd9MvvjN0u

Score

10^/10

defense_evasion execution persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note

ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.44780 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.44780 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.44780 BTC to this Bitcoin address: 1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN 4. Open one of the following links in your browser to download decryptor: http://xn--80adi0bdhdbmg.xn--p1ai/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://jpnovo.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://lacampagnetropicana.com/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://cestasgabrasil.com.br/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://radostdetym.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).

Wallets

1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

URLs

http://xn--80adi0bdhdbmg.xn--p1ai/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://jpnovo.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://lacampagnetropicana.com/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://cestasgabrasil.com.br/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://radostdetym.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

wscript.exe

flow pid process

13 5044 wscript.exe
25 5044 wscript.exe
26 5044 wscript.exe
27 5044 wscript.exe
29 5044 wscript.exe
30 5044 wscript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation wscript.exe

flow	pid	process
13	5044	wscript.exe
25	5044	wscript.exe
26	5044	wscript.exe
27	5044	wscript.exe
29	5044	wscript.exe
30	5044	wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt"	reg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\""	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2580 notepad.exe

pid	process
2580	notepad.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

wscript.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 4088	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 4088	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 3392	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 3392	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 884	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 884	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 504	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 504	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 228	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 228	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 4428	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 4428	5044	wscript.exe	cmd.exe
PID 4088 wrote to memory of 992	4088	cmd.exe	reg.exe
PID 4088 wrote to memory of 992	4088	cmd.exe	reg.exe
PID 3392 wrote to memory of 1168	3392	cmd.exe	reg.exe
PID 3392 wrote to memory of 1168	3392	cmd.exe	reg.exe
PID 884 wrote to memory of 1540	884	cmd.exe	reg.exe
PID 884 wrote to memory of 1540	884	cmd.exe	reg.exe
PID 5044 wrote to memory of 3152	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 3152	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 2796	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 2796	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 1264	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 1264	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 3676	5044	wscript.exe	cmd.exe
PID 5044 wrote to memory of 3676	5044	wscript.exe	cmd.exe
PID 3152 wrote to memory of 2580	3152	cmd.exe	notepad.exe
PID 3152 wrote to memory of 2580	3152	cmd.exe	notepad.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
    3⤵
    - Adds Run key to start application
    PID:992
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
    3⤵
    - Modifies registry class
    PID:1168
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
    3⤵
    - Modifies registry class
    PID:1540
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
  2⤵
  PID:504
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
  2⤵
  PID:228
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\a.exe "C:\Users\Admin\AppData\Local\Temp\a.php"
  2⤵
  PID:4428
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\system32\notepad.exe
    notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2580
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.php"
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  PID:1264
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\php4ts.dll"
  2⤵
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.php

Filesize
35KB

MD5
bc3ae13abec7937f50b3f3eea1e2fa04

SHA1
f271d2ce7b997473bc2b00d624282d44a3bdbc13

SHA256
d5a436a5ab186a66e4b4b28482a54eb9dd8d32e62f9ce7450e3fa52520ca8282

SHA512
0d23651c455ec581bd42667fd360f98467732ac41d5c623c1357bdaf2d1f856e7100605388f188f4851c3acfbad65abefd0144655d2606f117cb76b3ebb53544

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.txt

Filesize
1KB

MD5
8aad373d6f4e7a096f53032a69d7f401

SHA1
42e62dc1cb4dda1d618f2c7384fdc8946b62a135

SHA256
f14cabebe355a7121ac295299d1b4e79183ac2370aa6a983e1cd65016607c94f

SHA512
79989ad8d1a9eca59bbd2b79bab753a6fa6173acca92f100ec491fd9372d94b28f9d789fc116968923203782a22be081ef87d1f5639b5828dc1d4b31b5bcaa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.exe

Filesize
3KB

MD5
cc666088a917dd7f5da8b6689069aec0

SHA1
f688de634ccd20939a522391abb5049483e726bd

SHA256
332d102987273318f13e7fc89a043613c6dd5dd7eb7d21033a2ab73dd438a405

SHA512
77a15aebeb10d355e3723fdebd2ea59a09a60d54f09ab9a6f06c52dbfa3bea0965ff49b7a1c2e6f4ff94f3fe903e6301188de2f80801a8a978c8c09b3356c8dc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads