Analysis
- max time kernel: 151s
- max time network: 180s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 29-07-2021 11:01
Static task: static1
Behavioral task: behavioral1
- Sample: COTIZACION July 1079.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: COTIZACION July 1079.js
- Resource: win10v20210410
General
- Target: COTIZACION July 1079.js
- Size: 16KB
- MD5: 8a64707b027a9b569641b6151c54ba24
- SHA1: b34f4dbb2f5b9a34645ea444db51841d9325a8cf
- SHA256: 6e64dbcbe7e1c0e0eb8f4f967b936221c7a6c0185718fe991612e478e22f9cc8
- SHA512: 9cade1e35eca162b7c06529b104db155e7c3a3f62965a88cbc66d709ee17ae7e86f53307b2208829d8c1ed498c96bbc3f73e7935df12b01533b4ef693f900456
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - 8 / 1980 / wscript.exe
  - 9 / 1208 / wscript.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NBQpvDxIha.js / wscript.exe
  - File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NBQpvDxIha.js / wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run / wscript.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\NBQpvDxIha.js\"" / wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 1208 wrote to memory of 1980 / 1208 / wscript.exe / wscript.exe
  - PID 1208 wrote to memory of 1980 / 1208 / wscript.exe / wscript.exe
  - PID 1208 wrote to memory of 1980 / 1208 / wscript.exe / wscript.exe
Processes
- C:\Windows\system32\wscript.exe (process 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\COTIZACION July 1079.js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\wscript.exe (process 2)
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NBQpvDxIha.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\NBQpvDxIha.js
  - MD5: 1807d266a0331297bb3459474f4a78b5
  - SHA1: 724d14ff54fa10acdddb4d158c68782388ca3ae6
  - SHA256: 0167ce0f367ac05128ac702d9f1b8a853a56e5fc0fa113d53a34266b6de3f1ac
  - SHA512: a980c5db1bfe54a7cf5e091ae79a73240c1d17cc6cdd99b154375921030827cc0494bf8a024d0ba9a22aeb14a0960d8c8011b84683142c72ed7030c01327d132
- memory/1208-60-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
  - Filesize: 8KB
- memory/1980-61-0x0000000000000000-mapping.dmp