Analysis
- max time kernel: 151s
- max time network: 165s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-08-2021 06:14
- Static task: static1
- Behavioral task: behavioral1 (sample MtBJlv_GM.js, resource win7v20210408)
- Behavioral task: behavioral2 (sample MtBJlv_GM.js, resource win10v20210408)

The results below are from behavioral2 (platform windows10_x64, resource win10v20210408).
General
- Target: MtBJlv_GM.js
- Size: 26KB
- MD5: e9a08df4b85e99b01a9c145e9af3964d
- SHA1: e498d70a9b568d7a66d661c91e9ed2db52d442df
- SHA256: dff140d494fb80e82a23e29b374abc733ed9b62525fdca0341fdbb121290dca6
- SHA512: a2e2bfc777e80770444554866fc29df5ce307974bc842de43d40ab1b536d0be1398eff97ba2d6bc73c59966b86570ebc3c4ce85d1f6430c2a32c4110b2e73283
Malware Config
Signatures

- Blocklisted process makes network request (17 IoCs)
  Processes (flow id, pid, process):
    flow 8                                                              pid 3728  wscript.exe
    flows 10, 15, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31  pid 1600  wscript.exe
  One flow from the initial instance (3728) and sixteen from the relaunched copy (1600).

- Drops startup file (2 IoCs)
  Processes (process, description, ioc):
    wscript.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBqkfOVwNP.js
    wscript.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBqkfOVwNP.js

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (process, description, ioc):
    wscript.exe  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run
    wscript.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\yBqkfOVwNP.js"
  The value data is the quoted path (the raw report shows it with escaped quotes and backslashes). It points at the %APPDATA%\Roaming copy, not the Startup-folder copy, so the script is registered twice: the Run value and the Startup folder each launch yBqkfOVwNP.js at logon, and removing only one of them leaves persistence in place.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's canned description; the report lists no IoCs under it, and nothing else in the report shows file encryption.

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description, source pid, source process, target process):
    PID 3728 wrote to memory of 1600   3728  wscript.exe  ->  wscript.exe
    PID 3728 wrote to memory of 1600   3728  wscript.exe  ->  wscript.exe
  The writer is the parent and the target is the child it launched. CreateProcess itself writes the new process's startup parameters into the child's address space, so a parent-to-child write like this is expected at process creation and is weak evidence of injection on its own.
Processes

1. C:\Windows\system32\wscript.exe (PID 3728)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\MtBJlv_GM.js
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 1600, child of 3728)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yBqkfOVwNP.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

PIDs are taken from the WriteProcessMemory and network-request entries above. The chain is: the submitted script runs from %TEMP%; a file named yBqkfOVwNP.js appears in %APPDATA%\Roaming (listed under Downloads) and is relaunched with a second wscript.exe; that instance installs the Startup-folder copy and the Run value. //B is the Windows Script Host batch-mode switch, which suppresses script error dialogs and prompts, so the second instance fails silently instead of alerting the user.
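The process tree and signatures above describe one persistence pattern: a script host run from a user-writable path, a script dropped into the Startup folder, and a Run value pointing at a .js under AppData. The Python below is an added example of detection logic for that pattern, written for this page; it is not Triage output and not the sandbox's own signature code. The event records are constructed from the report's IoCs (the PIDs, paths, SID and value name are the report's); the Sysmon-style field names, the cscript.exe and extension lists, and the benign VendorTray control record are assumptions.

```python
"""Detection checks for the wscript.exe persistence chain in this report.
Example code added to the report, not Triage output. Event records are
constructed from the report's IoCs; field names and the control are assumed."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
BATCH_SWITCH = re.compile(r"(^|\s)//B(\s|$)", re.I)  # host switch: no error dialogs/prompts

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # "" for an empty path

def unquote(s):
    return s.strip().strip('"')

def script_arg(cmdline):
    """First argument after the host that ends in a script extension, else None."""
    for tok in re.findall(r'"[^"]*"|\S+', cmdline)[1:]:
        tok = unquote(tok)
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None

def check_process(ev):
    """Script host running a script from a user-writable path, or spawned by one."""
    findings = []
    if image_name(ev["image"]) not in SCRIPT_HOSTS:
        return findings
    script = script_arg(ev["cmdline"])
    if script and USER_WRITABLE.search(script):
        findings.append("script run from user-writable path: " + script)
    if BATCH_SWITCH.search(ev["cmdline"]):
        findings.append("//B batch mode: script errors and prompts suppressed")
    if image_name(ev.get("parent_image", "")) in SCRIPT_HOSTS:
        findings.append("script host spawned by another script host")
    return findings

def check_file(ev):
    """Script host writing a script into the per-user Startup folder."""
    path = ev["path"]
    if (image_name(ev["image"]) in SCRIPT_HOSTS and STARTUP_DIR.search(path)
            and unquote(path).lower().endswith(SCRIPT_EXTS)):
        return ["script dropped into Startup folder: " + path]
    return []

def check_registry(ev):
    """Run/RunOnce value pointing at a script, under AppData, or set by a script host."""
    if not RUN_KEY.search(ev["key"]):
        return []
    target = unquote(ev["value"])
    reasons = []
    if target.lower().endswith(SCRIPT_EXTS):
        reasons.append("script extension")
    if USER_WRITABLE.search(target):
        reasons.append("user-writable path")
    if image_name(ev["image"]) in SCRIPT_HOSTS:
        reasons.append("written by script host")
    if not reasons:  # e.g. an installer registering its own EXE
        return []
    return ["Run value %s -> %s (%s)" % (ev["key"].rsplit("\\", 1)[-1], target, ", ".join(reasons))]

CHECKS = {"process": check_process, "file": check_file, "registry": check_registry}

def triage(events):
    """Return (findings per PID, PIDs whose findings span two or more event types)."""
    per_pid, kinds = defaultdict(list), defaultdict(set)
    for ev in events:
        for f in CHECKS[ev["type"]](ev):
            per_pid[ev["pid"]].append(f)
            kinds[ev["pid"]].add(ev["type"])
    chain = sorted(pid for pid, k in kinds.items() if len(k) >= 2)
    return dict(per_pid), chain

# Constructed records mirroring the report's process tree and IoCs (Sysmon-like fields).
SID = "S-1-5-21-1594587808-2047097707-2163810515-1000"
EVENTS = [
    {"type": "process", "pid": 3728, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\MtBJlv_GM.js"},
    {"type": "process", "pid": 1600, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yBqkfOVwNP.js"'},
    {"type": "file", "pid": 1600, "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBqkfOVwNP.js"},
    {"type": "registry", "pid": 1600, "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S" % SID,
     "value": r'"C:\Users\Admin\AppData\Roaming\yBqkfOVwNP.js"'},
    # Assumed benign control: an installer registering its own tray application.
    {"type": "registry", "pid": 4040, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray" % SID,
     "value": r'"C:\Program Files\Vendor\tray.exe"'},
]

if __name__ == "__main__":
    for pid, items in triage(EVENTS)[0].items():
        print(pid, items)
```

Each check returns reasons rather than a boolean so the analyst sees why a record fired; triage() then correlates per PID, and only a PID whose findings span two or more event types (here 1600: process, file and registry) is reported as a persistence chain. The installer's Run value, which points at an EXE under Program Files and was not written by a script host, produces no finding at all.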
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\yBqkfOVwNP.js
  MD5: 57111779ec54af1803d5013520a6b104
  SHA1: 822be87e2f4dbc2ccf178141bd95d916b90f8dfd
  SHA256: 7c61705381b479cfe63d85a7eae012b4bfc5825d01b1d7c2366277d3ed5c880f
  SHA512: 6d4db62c75d8bbfa4de93633c3216538bf5bf611323c03693744ae410919a18d6e3096b7f4270eee1727931603978c1b02390d3a82d10d19fbf8787bc158cf30
  These hashes differ from the submitted sample's (see General), so the %APPDATA% copy is not byte-identical to MtBJlv_GM.js; hunt for the dropped file by path and value name as well as by hash.
- memory/1600-114-0x0000000000000000-mapping.dmp