Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-08-2021 17:49
Static task: static1
Behavioral task: behavioral1
  Sample: _[output].js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: _[output].js
  Resource: win10v20210410
General
- Target: _[output].js
- Size: 201KB
- MD5: 235c68f406aa41b7e1a87e35d83add4c
- SHA1: dadb5bd81a34b437863e3d744ea0a06c48533b39
- SHA256: 9285fa6ba7f6cb35a4371d51a11f7c5c7aa582cb1deec294aff20ec5060b0a2d
- SHA512: 158661fdbd3c48fb3f3dba455833553e0c3c1c64d4007262515a689f755f5b752b34f7ead147834852445f60328e3d66b0ea44bfa79372f1667ea14297fa7d1a
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes (flow / pid / process):
    flow 9   pid 2352  WScript.exe
    flow 17  pid 2352  WScript.exe
    flow 20  pid 2352  WScript.exe
    flow 21  pid 2352  WScript.exe
    flow 22  pid 2352  WScript.exe
    flow 23  pid 2352  WScript.exe
    flow 24  pid 2352  WScript.exe
    flow 25  pid 2352  WScript.exe
    flow 26  pid 2352  WScript.exe
    flow 27  pid 2352  WScript.exe
    flow 28  pid 2352  WScript.exe
    flow 29  pid 2352  WScript.exe
    flow 30  pid 2352  WScript.exe
    flow 31  pid 2352  WScript.exe
    flow 32  pid 2352  WScript.exe
    flow 33  pid 2352  WScript.exe
    flow 34  pid 2352  WScript.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js  WScript.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js  WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ruYArSxXtj.js\""  WScript.exe
    Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run  WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
    2904  2636  WerFault.exe  javaw.exe
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  wscript.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
    2904  WerFault.exe  (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2904  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 2752 wrote to memory of 2352  2752  wscript.exe  WScript.exe
    PID 2752 wrote to memory of 2352  2752  wscript.exe  WScript.exe
    PID 2752 wrote to memory of 2636  2752  wscript.exe  javaw.exe
    PID 2752 wrote to memory of 2636  2752  wscript.exe  javaw.exe
Processes
- C:\Windows\system32\wscript.exe (PID 2752)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\_[output].js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2352, child of 2752)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 2636, child of 2752)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\oulfxesr.txt"
    - C:\Windows\system32\WerFault.exe (PID 2904, child of 2636)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2636 -s 352
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\oulfxesr.txt
  MD5: ae4f924072e8dd90687607e7becdde2e
  SHA1: 225d2c7cf6506bf59d865fe3dba1b6c1736d492b
  SHA256: 915de15ccb287c58270e6bc23523b0cde9ce077dbc0fef517faca1a1a0313286
  SHA512: 14da1de2af981af4390e3bb95e29f968f0ef67af011202ce9f598e9f553f822e37013301c965f871ad2660cc451fb7c1ad619bf9533405e7424ad88f199803f0
- C:\Users\Admin\AppData\Roaming\ruYArSxXtj.js
  MD5: ca4e11b0bbf70a587e0d653bfceded8c
  SHA1: c70eeac3273988740e937e21e11948b003295582
  SHA256: d0a3dc9322f9f6f9028f437d45757560de849fd0a0a6dcf8c92beed012b61e0d
  SHA512: 291bbeb73d3ecacfe5c50aa9fd59f0542eea4950a82d0def79318017d5a0c9bcd3792a49c17309414c7678235ffeae284f29643e2be4b4a368592c0f5f64bdf0
- memory/2352-114-0x0000000000000000-mapping.dmp
- memory/2636-116-0x0000000000000000-mapping.dmp