Analysis
- max time kernel: 161s
- max time network: 176s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-08-2021 16:48
Static task: static1
Behavioral task: behavioral1
  Sample: cotización______________________fdp.js
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: cotización______________________fdp.js
  Resource: win10v20210408
General
- Target: cotización______________________fdp.js
- Size: 200KB
- MD5: 0982fc211767a61d7a3ef26ad2405be6
- SHA1: e00d78a7ac396441217c133ba728af2a7aa67c9d
- SHA256: c0d0da52fab57a9a3ac346e9aa1427c6f08198c2ef8f1f4ed9f556abc736cc52
- SHA512: a3b15291adb751a83386b1ba0cf1fd89843237a7f4ce6402a11a5099a8f18f8caa652842532310c768734ff670f46df28da8893c869a8e564a17268c13897d57
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes (flow, pid, process):
    flows 9, 14, 18 and 20 through 33, all from pid 1600 WScript.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js  WScript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZuOkORefJ.js  WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run  WScript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\iZuOkORefJ.js\""  WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    2648  1944  WerFault.exe  javaw.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  wscript.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
    2648  WerFault.exe  (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2648  WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 4044 wrote to memory of 1600  4044  wscript.exe  WScript.exe  (2 occurrences)
    PID 4044 wrote to memory of 1944  4044  wscript.exe  javaw.exe    (2 occurrences)
Processes (indentation shows the parent/child relationship)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\cotización______________________fdp.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wxtlokfp.txt"
        - C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 1944 -s 356
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\iZuOkORefJ.js
  MD5:    ba88b3aeea9cd6596528119b0a81e127
  SHA1:   af06129ded6c4e82b5c16607c3cbae77691d8407
  SHA256: 7417fe426dc695b070d697d4cd2add731e80cab5bd1f15ae01c26d3bf7ff6812
  SHA512: 4deb61ea7ea3a5cec8fee42e878cc3704375f05ff3c68ae1cc7154885919c2f3952e22a042d716efe4277041f9384203f13308f1e9ce7338139cb4d314424d38
- C:\Users\Admin\AppData\Roaming\wxtlokfp.txt
  MD5:    2e458a59025b390fbdf7d3717314b507
  SHA1:   d5a84f501bfa81682ebde5e31a68794140141785
  SHA256: 6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b
  SHA512: 2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22
- memory/1600-114-0x0000000000000000-mapping.dmp
- memory/1944-116-0x0000000000000000-mapping.dmp