Analysis
- max time kernel: 148s
- max time network: 159s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-08-2021 13:24
Static task: static1
Behavioral task: behavioral1
  Sample: b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb.js
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb.js
  Resource: win10v20210408
General
- Target: b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb.js
- Size: 67KB
- MD5: 7e58440b8eb773b24aace538de1c5437
- SHA1: b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb
- SHA256: 21e0026aeb23c03125337151d862a29372ac17af5663fca1f5ff7beeacf82fc1
- SHA512: a3d50e13255253989be68a25304ad51098fdbbe8873269d6fd148cc7ef641639bea881cfb57837182ee0c5036340cdd572706d0ac5552c6be8404404f79db298
Malware Config
Signatures
- Blocklisted process makes network request (23 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  9     4064  wscript.exe
  10    804   wscript.exe
  18    4064  wscript.exe
  19    4064  wscript.exe
  20    4064  wscript.exe
  21    804   wscript.exe
  22    4064  wscript.exe
  23    4064  wscript.exe
  24    4064  wscript.exe
  25    804   wscript.exe
  26    4064  wscript.exe
  27    4064  wscript.exe
  28    4064  wscript.exe
  29    804   wscript.exe
  30    4064  wscript.exe
  31    4064  wscript.exe
  32    4064  wscript.exe
  33    804   wscript.exe
  34    4064  wscript.exe
  35    4064  wscript.exe
  36    4064  wscript.exe
  37    804   wscript.exe
  38    4064  wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description                   ioc                                                                                                              process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb.js  wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVRpsUBiCR.js                                wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVRpsUBiCR.js                                wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run                                   wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "\"C:\\Users\\Admin\\AppData\\Roaming\\rVRpsUBiCR.js\""  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                       pid  process      target process
  PID 804 wrote to memory of 4064   804  wscript.exe  wscript.exe
  PID 804 wrote to memory of 4064   804  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb.js
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js
  MD5: ed533885cb7d43829db0e85dbaabec22
  SHA1: c19225ec3612ce86d4f5b8046ae65b3332d40776
  SHA256: 6641f0211253402fa4b39005e29c7e0b688d3722d05746040f6c35b4c14182eb
  SHA512: b6420e3c79ebb31b687f1b3f89ee4a67ea45bc08628aa91cf9ad63cd6c488f198ef6f981ad784cfa6ce3534d937a4a957e02e00d2b09c99301cfba1e90d1996b
- memory/4064-114-0x0000000000000000-mapping.dmp