Analysis

max time kernel: 156s
max time network: 204s
platform: windows7_x64
resource: win7v20210408
submitted: 30-08-2021 16:46
Static task: static1

Behavioral task: behavioral1
Sample: 00SI886_SO_0169256IN_20210818_000.js
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 00SI886_SO_0169256IN_20210818_000.js
Resource: win10v20210408
General

Target: 00SI886_SO_0169256IN_20210818_000.js
Size: 31KB
MD5: 786cd57e65ffb85f2e19b3d2ef3dc0bf
SHA1: e36e41a8bb11ec29f90e0b3c643e2707d2a2f255
SHA256: 68921406e9b3c27e573cbf28f5d12a5b46cb40501384feaf13e4e3f753246d2c
SHA512: 45d85f01d0b2b2f8bb13e886ec8015c0f8d906b9041910ad94c2be2de4557c312f36cf018ccf37bb6fa362b1a6a49da674a08687691e78e78855206cb6cdcb99
Malware Config
Signatures
Blocklisted process makes network request (45 IoCs)
Processes: wscript.exe (PID 2016), wscript.exe (PID 664)

wscript.exe is on the sandbox's list of processes that should not normally be making network requests. Each IoC is one network flow attributed to a wscript.exe process (columns: flow, pid, process); grouped by pid:

PID 2016 wscript.exe (28 flows): 10, 11, 14, 15, 18, 20, 24, 25, 28, 30, 34, 35, 39, 40, 43, 45, 48, 49, 52, 56, 58, 60, 63, 64, 68, 70, 73, 75
PID 664 wscript.exe (17 flows): 9, 12, 16, 22, 26, 29, 32, 37, 41, 46, 50, 54, 57, 61, 66, 71, 74
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe

description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PzbgTgURNP.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PzbgTgURNP.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00SI886_SO_0169256IN_20210818_000.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00SI886_SO_0169256IN_20210818_000.js | wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wscript.exe, wscript.exe

description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\0L2MC7JOKR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\00SI886_SO_0169256IN_20210818_000.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\PzbgTgURNP.js\"" | wscript.exe

Both Run values are written under the user's own hive (\REGISTRY\USER\<SID> is HKCU for that account), so the persistence needs no elevation. Each value is a bare quoted path to a .js file rather than an explicit wscript.exe command line, so execution at logon depends on the .js file association, which is Windows Script Host by default.
Enumerates physical storage devices (1 TTPs)
Signature description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe

description | pid | process | target process
PID 2016 wrote to memory of 664 | 2016 | wscript.exe | wscript.exe
PID 2016 wrote to memory of 664 | 2016 | wscript.exe | wscript.exe
PID 2016 wrote to memory of 664 | 2016 | wscript.exe | wscript.exe

All three writes go from the first wscript.exe (PID 2016) into the second (PID 664), which it spawned (see Processes below). A parent writing into the address space of a child it has just created is part of normal process start-up, so here this signature reflects the relaunch of the dropped script rather than injection into an unrelated process.
Processes

1. C:\Windows\system32\wscript.exe (PID 2016)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\00SI886_SO_0169256IN_20210818_000.js
   Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 664), child of PID 2016
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js"
      Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application

The //B switch runs Windows Script Host in batch mode, suppressing script error dialogs and prompts. PzbgTgURNP.js is the file dropped under %APPDATA% (its hashes differ from the submitted sample, see Downloads); it is also the target of the second Run value and the second Startup-folder entry above, so the second process repeats the same persistence and network behaviour as the first.
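The following hunt script is an added example and is not part of the sandbox output. It checks a single Windows host for the persistence pattern recorded in this report: HKCU Run/RunOnce values and per-user Startup-folder entries that resolve to a Windows Script Host file, plus live wscript.exe/cscript.exe processes and their command lines. It assumes it is run in the context of the user being investigated (other profiles need their hive loaded), and the function names Get-ScriptTarget and Test-ScriptPersistence are this example's own.

```powershell
# Added example (not from the sandbox report): hunt one host for script-host
# persistence of the kind this sample uses. Assumes it runs as the affected user.

# Extensions handled by Windows Script Host / mshta; a Run value or Startup entry
# pointing at one of these is rare for legitimate software.
$ScriptExtPattern = '\.(js|jse|vbs|vbe|wsf|wsh|hta)(?=["\s]|$)'
# User-writable locations the sample used (%TEMP% and %APPDATA%).
$UserWritablePattern = '\\AppData\\(Local|Roaming)\\|\\Temp\\'

function Get-ScriptTarget {
    # Reduce a Run-value command line to the script path it executes. Handles the
    # two forms seen in this report: a bare quoted .js path (association-based
    # launch) and an explicit "wscript.exe" //B "<path>" launcher.
    param([string]$Command)
    $cmd = $Command -replace '^\s*"?[^"]*?(w|c)script\.exe"?\s*', ''
    $cmd = $cmd -replace '^(//\S+\s+)+', ''          # drop //B, //E:, //T: switches
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]                    # unquoted path (no spaces assumed)
}

function Test-ScriptPersistence {
    param([string]$Command)
    $target = Get-ScriptTarget $Command
    [pscustomobject]@{
        Target       = $target
        IsScript     = [bool]($target -match $ScriptExtPattern)
        UserWritable = [bool]($target -match $UserWritablePattern)
    }
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Run / RunOnce values in the current user's hive (HKU\<SID> in the report).
foreach ($path in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $r = Test-ScriptPersistence $data
        if ($r.IsScript) {
            $findings.Add([pscustomobject]@{
                Source = $path; Name = $name; Command = $data
                Target = $r.Target; UserWritable = $r.UserWritable })
        }
    }
}

# 2. Script files in the per-user Startup folder
#    (...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).
$startup = [Environment]::GetFolderPath('Startup')
foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    if ($f.Name -match $ScriptExtPattern) {
        $findings.Add([pscustomobject]@{
            Source = 'Startup folder'; Name = $f.Name; Command = $f.FullName
            Target = $f.FullName; UserWritable = $true })
    }
}

# 3. Live script hosts, to catch a //B relaunch while it is still running.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'"
foreach ($p in $procs) {
    $findings.Add([pscustomobject]@{
        Source = "Process $($p.ProcessId) (parent $($p.ParentProcessId))"
        Name = $p.Name; Command = $p.CommandLine
        Target = (Get-ScriptTarget $p.CommandLine); UserWritable = $null })
}

$findings | Format-Table -AutoSize -Wrap
```

Run against a host infected with this sample, the script would list the two Run values (0L2MC7JOKR and SEJOKAOI5S) with IsScript and UserWritable both true, the two .js files in the Startup folder, and the wscript.exe //B process if it is still alive. Because the Run values rely on the .js association, re-associating .js/.jse away from wscript.exe, or disabling WSH via the Enabled value under HKLM\Software\Microsoft\Windows Script Host\Settings, neutralizes this persistence without touching the registry entries themselves; remove the entries and files as well during cleanup.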
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js
MD5: 91cbc6abb6d16bba34b15ca2ce44e689
SHA1: f63cb5c1395b405a4e1043ce0b46488da52ea47e
SHA256: ebaa4b01e859ee2f2f37178a78d9d6e668c5cb47edca97bff923fdbf68d02a74
SHA512: 58977af7c86a43257aa2bc17ea1eaafa49f41cee579c0504004648d0a09e2e7939d6b84c370a2d78cedd47b093009da79d6ac33e0c0cec0712f60a8a245cf0ba

memory/664-60-0x0000000000000000-mapping.dmp