a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5

General

Target

a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5.js
Size

15KB
MD5

d6f08791f0df06ddfe6e846d536a887f
SHA1

cde039518a07cb2ea65c4f2e984d19702cf84555
SHA256

a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5
SHA512

66820099e493ebf7974d38cb7d78b1018cf7706ee12c278c1b86bec8bf6321b937cbfc91f35a5a82c5fb85564ce018e74ba00de4f6bb6eb9b2da71e0e0ecfc57
SSDEEP

384:XM49Wq5HlWaDIFieYws+9VgPxo+Kd9Mvv2iN05N5fXmfAvT3Q9FwhagFx2Vv6dUZ:XD9WsH0a8Finws+9VgPxo+Kd9MvvjN0u

Score

10^/10

defense_evasion execution persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note

ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.44780 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.44780 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.44780 BTC to this Bitcoin address: 1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN 4. Open one of the following links in your browser to download decryptor: http://xn--80adi0bdhdbmg.xn--p1ai/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://jpnovo.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://lacampagnetropicana.com/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://cestasgabrasil.com.br/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN http://radostdetym.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).

Wallets

1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

URLs

http://xn--80adi0bdhdbmg.xn--p1ai/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://jpnovo.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://lacampagnetropicana.com/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://cestasgabrasil.com.br/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

http://radostdetym.ru/counter/?a=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

wscript.exe

flow pid process

18 1088 wscript.exe
25 1088 wscript.exe
26 1088 wscript.exe
28 1088 wscript.exe
29 1088 wscript.exe
30 1088 wscript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation wscript.exe

flow	pid	process
18	1088	wscript.exe
25	1088	wscript.exe
26	1088	wscript.exe
28	1088	wscript.exe
29	1088	wscript.exe
30	1088	wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Crypted = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt"	reg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a.txt\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.crypted\ = "Crypted"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crypted\shell	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

3448 notepad.exe

pid	process
3448	notepad.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

wscript.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 1592	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1592	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 3280	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 3280	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 3468	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 3468	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1400	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1400	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 2972	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 2972	1088	wscript.exe	cmd.exe
PID 1592 wrote to memory of 1832	1592	cmd.exe	reg.exe
PID 1592 wrote to memory of 1832	1592	cmd.exe	reg.exe
PID 1088 wrote to memory of 1020	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1020	1088	wscript.exe	cmd.exe
PID 3280 wrote to memory of 3660	3280	cmd.exe	reg.exe
PID 3280 wrote to memory of 3660	3280	cmd.exe	reg.exe
PID 3468 wrote to memory of 700	3468	cmd.exe	reg.exe
PID 3468 wrote to memory of 700	3468	cmd.exe	reg.exe
PID 1088 wrote to memory of 3540	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 3540	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1804	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1804	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1480	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 1480	1088	wscript.exe	cmd.exe
PID 3540 wrote to memory of 3448	3540	cmd.exe	notepad.exe
PID 3540 wrote to memory of 3448	3540	cmd.exe	notepad.exe
PID 1088 wrote to memory of 2332	1088	wscript.exe	cmd.exe
PID 1088 wrote to memory of 2332	1088	wscript.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a2686bc365897b29d0246666c89d2e9cc6002d8a604631c21cd8ffbc160d71e5.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\a.txt"
    3⤵
    - Adds Run key to start application
    PID:1832
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"
    3⤵
    - Modifies registry class
    PID:3660
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\Admin\AppData\Local\Temp\a.txt\""
    3⤵
    - Modifies registry class
    PID:700
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\AppData\Roaming\Desktop\DECRYPT.txt"
  2⤵
  PID:1400
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\a.txt" "C:\Users\Admin\Desktop\DECRYPT.txt"
  2⤵
  PID:2972
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\a.exe "C:\Users\Admin\AppData\Local\Temp\a.php"
  2⤵
  PID:1020
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\notepad.exe
    notepad.exe "C:\Users\Admin\AppData\Local\Temp\a.txt"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3448
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.php"
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  PID:1480
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\Admin\AppData\Local\Temp\php4ts.dll"
  2⤵
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.php

Filesize
35KB

MD5
bc3ae13abec7937f50b3f3eea1e2fa04

SHA1
f271d2ce7b997473bc2b00d624282d44a3bdbc13

SHA256
d5a436a5ab186a66e4b4b28482a54eb9dd8d32e62f9ce7450e3fa52520ca8282

SHA512
0d23651c455ec581bd42667fd360f98467732ac41d5c623c1357bdaf2d1f856e7100605388f188f4851c3acfbad65abefd0144655d2606f117cb76b3ebb53544

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.txt

Filesize
1KB

MD5
8aad373d6f4e7a096f53032a69d7f401

SHA1
42e62dc1cb4dda1d618f2c7384fdc8946b62a135

SHA256
f14cabebe355a7121ac295299d1b4e79183ac2370aa6a983e1cd65016607c94f

SHA512
79989ad8d1a9eca59bbd2b79bab753a6fa6173acca92f100ec491fd9372d94b28f9d789fc116968923203782a22be081ef87d1f5639b5828dc1d4b31b5bcaa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.exe

Filesize
3KB

MD5
cc666088a917dd7f5da8b6689069aec0

SHA1
f688de634ccd20939a522391abb5049483e726bd

SHA256
332d102987273318f13e7fc89a043613c6dd5dd7eb7d21033a2ab73dd438a405

SHA512
77a15aebeb10d355e3723fdebd2ea59a09a60d54f09ab9a6f06c52dbfa3bea0965ff49b7a1c2e6f4ff94f3fe903e6301188de2f80801a8a978c8c09b3356c8dc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads