Analysis

- max time kernel: 149s
- max time network: 183s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-08-2021 17:49
Static task: static1

Behavioral task: behavioral1
- Sample: _[output].js
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: _[output].js
- Resource: win10v20210410

The signatures, process tree and dropped files below come from the windows7_x64 run (behavioral1, resource win7v20210408); results of the win10v20210410 run are not on this page.
General

- Target: _[output].js
- Size: 201KB
- MD5: 235c68f406aa41b7e1a87e35d83add4c
- SHA1: dadb5bd81a34b437863e3d744ea0a06c48533b39
- SHA256: 9285fa6ba7f6cb35a4371d51a11f7c5c7aa582cb1deec294aff20ec5060b0a2d
- SHA512: 158661fdbd3c48fb3f3dba455833553e0c3c1c64d4007262515a689f755f5b752b34f7ead147834852445f60328e3d66b0ea44bfa79372f1667ea14297fa7d1a
Malware Config
Signatures

Blocklisted process makes network request (16 IoCs)
Processes: WScript.exe (PID 1900) made 16 network requests, flows 7, 8, 9, 11, 12, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25 and 27.
Note that PID 1900 is the WScript.exe instance running the dropped script ruYArSxXtj.js, not the instance running the submitted sample; the page does not list destinations for these flows.
Drops startup file (2 IoCs)
Process: WScript.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: WScript.exe
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ruYArSxXtj.js\""
The key lives under the user hive of SID ...-1000 (the Admin account), i.e. HKCU\...\Run for that user, so this persistence needs no elevation. Together with the Startup-folder copy above, the same script is registered twice; the value data is the quoted path "C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js".
Enumerates physical storage devices (1 TTPs)
Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
This signature is a heuristic: drive enumeration is common to many loaders and RATs, and nothing else in this trace (no mass file writes or renames) supports a ransomware reading, so treat it as weak evidence on its own.
Program crash (1 IoCs)
Process: WerFault.exe (PID 1908), target: javaw.exe (PID 1708)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: WerFault.exe (PID 1908), four occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Process: WerFault.exe (PID 1908)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Process: WerFault.exe (PID 1908), Token: SeDebugPrivilege

The four signatures above all come from WerFault.exe, the Windows error-reporting handler that was launched because javaw.exe (PID 1708) crashed; enumerating processes and enabling SeDebugPrivilege are what it does to read the crashing process's memory, not attacker actions. The practical consequence of the crash is that the Java stage terminated in this run, so its runtime behaviour (and any network activity of its own) is not captured in this report.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe, javaw.exe
- PID 1976 (wscript.exe) wrote to memory of PID 1900 (WScript.exe), three times
- PID 1976 (wscript.exe) wrote to memory of PID 1708 (javaw.exe), three times
- PID 1708 (javaw.exe) wrote to memory of PID 1908 (WerFault.exe), three times
Every write goes from a parent to its own newly created child and mirrors the parent/child edges of the process tree below; there is no write into an unrelated process, so this is process creation, not injection.
Processes

C:\Windows\system32\wscript.exe (PID 1976)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\_[output].js
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 1900)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Program Files\Java\jre7\bin\javaw.exe (PID 1708)
    command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rwzzluutmx.txt"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe (PID 1908)
      command line: C:\Windows\system32\WerFault.exe -u -p 1708 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the submitted script, run from the user's Temp folder, writes two files into %AppData%\Roaming and launches both. ruYArSxXtj.js is the persistence stage (Startup folder plus Run key, and the process that talks to the network); rwzzluutmx.txt is handed to javaw.exe with -jar, which loads any ZIP archive carrying a manifest regardless of its file extension, so the .txt name only hides the JAR from casual inspection. The Java stage crashed on this Windows 7 / JRE 7 image, so the tree ends in WerFault.exe rather than in whatever the JAR would have done.
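As an added example, not part of the sandbox report: detection logic that turns the tree and signature tables above into rules. The EVENTS records are constructed to mirror the report's process, file and registry entries (the PIDs, image paths, command lines, Startup path and Run value name are taken from the page); the record layout, field names and rule names are assumptions made for this example, not the sandbox's export format. The rules go slightly beyond this one sample in that they cover cscript.exe and java.exe as well as the hosts seen here.

```python
"""Detection rules for a script-host dropper chain with a disguised JAR stage.

EVENTS is constructed to mirror the sandbox tables above; the record layout is
an assumption for this example, not the sandbox's own export format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "1976", "ppid": "-", "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\_[output].js"},
    {"type": "process", "pid": "1900", "ppid": "1976", "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js"'},
    {"type": "process", "pid": "1708", "ppid": "1976", "image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rwzzluutmx.txt"'},
    {"type": "process", "pid": "1908", "ppid": "1708", "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 1708 -s 140"},
    {"type": "file", "pid": "1900", "op": "create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js"},
    {"type": "registry", "pid": "1900", "op": "set",
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SEJOKAOI5S", "data": r'"C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)  # quoted or bare path
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, pid) findings in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Tuple[str, str]] = []
    for e in events:
        if e["type"] == "process":
            image = basename(e["image"])
            parent = procs.get(e["ppid"])
            parent_image = basename(parent["image"]) if parent else ""
            # Rule 1: a script host re-launching a script host on a script under %AppData%.
            if parent_image in SCRIPT_HOSTS and image in SCRIPT_HOSTS \
                    and SCRIPT_EXT.search(e["cmdline"]) and APPDATA.search(e["cmdline"]):
                findings.append(("script_host_chain_from_appdata", e["pid"]))
            # Rule 2: a script host launching the Java runtime.
            if parent_image in SCRIPT_HOSTS and image in JAVA_LAUNCHERS:
                findings.append(("script_host_spawns_java", e["pid"]))
            # Rule 3: java -jar on a file whose extension is not .jar (java ignores the extension).
            if image in JAVA_LAUNCHERS:
                m = JAR_ARG.search(e["cmdline"])
                if m:
                    jar_path = m.group(1) or m.group(2)
                    if not jar_path.lower().endswith(".jar"):
                        findings.append(("jar_extension_mismatch", e["pid"]))
        elif e["type"] == "file" and e["op"] == "create":
            # Rule 4: a script file written to the per-user Startup folder.
            if STARTUP_DIR in e["path"].lower() and SCRIPT_EXT.search(e["path"]):
                findings.append(("startup_folder_script", e["pid"]))
        elif e["type"] == "registry" and e["op"] == "set":
            # Rule 5: a Run value whose data points at a script under %AppData%.
            if e["key"].lower().endswith("\\currentversion\\run") \
                    and SCRIPT_EXT.search(e["data"]) and APPDATA.search(e["data"]):
                findings.append(("run_key_script_in_appdata", e["pid"]))
    return findings


def persistence_by_pid(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group persistence rules per PID; two mechanisms from one process is high confidence."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for rule, pid in findings:
        if rule in ("startup_folder_script", "run_key_script_in_appdata"):
            grouped[pid].append(rule)
    return dict(grouped)


if __name__ == "__main__":
    hits = detect(EVENTS)
    for rule, pid in hits:
        print(f"{rule:32s} pid={pid}")
    print("persistence per pid:", persistence_by_pid(hits))
```

Rules 1, 2 and 3 fire on the process edges alone, so they work on telemetry that has parent/child and command-line fields (Sysmon event 1, EDR process events); rules 4 and 5 need file-create and registry-set events. The correlation in persistence_by_pid is what separates this sample from a single noisy hit: one process registering the same script both in the Startup folder and under Run.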
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js
- MD5: ca4e11b0bbf70a587e0d653bfceded8c
- SHA1: c70eeac3273988740e937e21e11948b003295582
- SHA256: d0a3dc9322f9f6f9028f437d45757560de849fd0a0a6dcf8c92beed012b61e0d
- SHA512: 291bbeb73d3ecacfe5c50aa9fd59f0542eea4950a82d0def79318017d5a0c9bcd3792a49c17309414c7678235ffeae284f29643e2be4b4a368592c0f5f64bdf0

C:\Users\Admin\AppData\Roaming\rwzzluutmx.txt
- MD5: ae4f924072e8dd90687607e7becdde2e
- SHA1: 225d2c7cf6506bf59d865fe3dba1b6c1736d492b
- SHA256: 915de15ccb287c58270e6bc23523b0cde9ce077dbc0fef517faca1a1a0313286
- SHA512: 14da1de2af981af4390e3bb95e29f968f0ef67af011202ce9f598e9f553f822e37013301c965f871ad2660cc451fb7c1ad619bf9533405e7424ad88f199803f0

The dropped ruYArSxXtj.js hashes differently from the submitted sample (MD5 235c68f406aa41b7e1a87e35d83add4c), so the persistence stage is a distinct script rather than a copy of the original; pivot on the hashes of both dropped files separately.
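Added triage helper, not from the report: the contents of rwzzluutmx.txt are not on this page, so the block builds a stand-in archive in memory (with hypothetical class and entry names) and shows the check a practitioner would run on the real dropped file: ZIP magic, presence of a JAR manifest, the Main-Class entry point, and the extension mismatch that the javaw.exe -jar launch above implies.

```python
"""Identify a file launched via `javaw.exe -jar` under a non-.jar name.

The sample archive is constructed in memory for this example; it is not the
dropped rwzzluutmx.txt from the report, whose bytes are not on the page.
"""
import hashlib
import io
import zipfile
from typing import Any, Dict

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a non-empty ZIP/JAR
MANIFEST = "META-INF/MANIFEST.MF"


def build_sample_jar() -> bytes:
    """Constructed stand-in JAR; 'loader.Start' and the entry names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nMain-Class: loader.Start\r\n\r\n")
        zf.writestr("loader/Start.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic + padding
        zf.writestr("payload/stage2.bin", b"\x00" * 64)
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of a JAR manifest; continuation lines start with a space."""
    attrs: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            break                     # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]   # 72-byte line wrapping in manifests
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_blob(data: bytes, claimed_name: str) -> Dict[str, Any]:
    """Classify a dropped blob regardless of the extension the dropper gave it."""
    result: Dict[str, Any] = {
        "name": claimed_name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_zip": data.startswith(ZIP_MAGIC),
        "is_jar": False,
        "main_class": None,
        "entries": [],
        "extension_mismatch": False,
    }
    if not result["is_zip"]:
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["entries"] = zf.namelist()          # listing only; nothing is extracted to disk
        if MANIFEST in result["entries"]:
            attrs = parse_manifest(zf.read(MANIFEST).decode("utf-8", "replace"))
            result["is_jar"] = True
            result["main_class"] = attrs.get("Main-Class")
    result["extension_mismatch"] = bool(result["is_jar"] and not claimed_name.lower().endswith(".jar"))
    return result


if __name__ == "__main__":
    report = triage_blob(build_sample_jar(), "rwzzluutmx.txt")
    for key, value in report.items():
        print(f"{key:19s} {value}")
```

On a real dropped file, read the bytes from the sandbox download and pass the name the dropper used; a true JAR will report is_jar and a Main-Class, which is the class to open first in a decompiler. The manifest is read straight from the archive without extracting anything, so the check is safe to run on untrusted input.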
Memory dumps
- memory/1708-63-0x0000000000000000-mapping.dmp
- memory/1900-61-0x0000000000000000-mapping.dmp
- memory/1908-66-0x0000000000000000-mapping.dmp
- memory/1908-68-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize: 4KB)
- memory/1976-60-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp (Filesize: 8KB)