Analysis

- max time kernel: 145s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-08-2021 19:55
Static task: static1

Behavioral task: behavioral1
- Sample: 00SI886_SO_0169256IN_20210818_000.js
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 00SI886_SO_0169256IN_20210818_000.js
- Resource: win10v20210408
General

- Target: 00SI886_SO_0169256IN_20210818_000.js
- Size: 31KB
- MD5: 786cd57e65ffb85f2e19b3d2ef3dc0bf
- SHA1: e36e41a8bb11ec29f90e0b3c643e2707d2a2f255
- SHA256: 68921406e9b3c27e573cbf28f5d12a5b46cb40501384feaf13e4e3f753246d2c
- SHA512: 45d85f01d0b2b2f8bb13e886ec8015c0f8d906b9041910ad94c2be2de4557c312f36cf018ccf37bb6fa362b1a6a49da674a08687691e78e78855206cb6cdcb99
Malware Config
Signatures
Blocklisted process makes network request (28 IoCs)

Network flows attributed to the two wscript.exe processes, grouped by PID. The Network section of this page lists no destination hosts, so the flows cannot be tied to specific domains or IP addresses from the report alone:

- PID 644 (wscript.exe): flows 9, 23, 25, 27, 29, 31, 33, 35, 37, 39
- PID 3668 (wscript.exe): flows 10, 15, 20, 21, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 41, 42, 43, 44
Drops startup file (4 IoCs)

Both scripts are written into the per-user Startup folder, which needs no elevation and is executed at every interactive logon of this user (the report does not say which of the two wscript.exe PIDs performed each write):

- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PzbgTgURNP.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00SI886_SO_0169256IN_20210818_000.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PzbgTgURNP.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00SI886_SO_0169256IN_20210818_000.js (wscript.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)

Two values are registered under the user's HKCU Run key: one pointing at the original sample in %TEMP% and one at the dropped script in %APPDATA%, so either file alone is enough to relaunch the script at logon. Both values are bare .js paths (quoted), so execution depends on the .js file association, which is wscript.exe by default:

- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\0L2MC7JOKR = "C:\Users\Admin\AppData\Local\Temp\00SI886_SO_0169256IN_20210818_000.js" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but that is the signature's generic text: nothing else in this report (no mass file writes or renames, no ransom note) shows encryption activity, and drive enumeration is equally consistent with a script loader profiling the host.
Suspicious use of WriteProcessMemory (2 IoCs)

- PID 644 (wscript.exe) wrote to memory of PID 3668 (wscript.exe)
- PID 644 (wscript.exe) wrote to memory of PID 3668 (wscript.exe)

Both writes go from the first wscript.exe into the child it creates. Writes from a parent into a process it has just spawned are part of normal process startup, and this signature fires on that, so on its own it is weak evidence of injection; the relevant fact is simply that 644 is the parent of 3668.
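The persistence and execution pattern above (a WSH process writing a script into the Startup folder, registering a .js path under the user's Run key, and one wscript.exe spawning another in batch mode) is easy to express as host-based detection logic. The following Python is an added example and is not part of this sandbox report. It runs three rules over constructed event records that mirror the report's IoCs; the records use Sysmon-style field names (EventID 1/11/13, Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details), which is an assumption about the log source, and the two benign records are invented to show the rules staying quiet.

```python
"""Detection logic for the WSH persistence pattern in the report above.

Added example, not part of the sandbox report. The records below are
constructed to resemble Sysmon events (EventID 1 process create, 11 file
create, 13 registry value set) and are not real telemetry; the field names
follow Sysmon's naming, which is an assumption about the log source.
"""
import re
from typing import Dict, List

WSH_IMAGES = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

# Per-user Startup folder: no elevation needed, runs at every logon.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# HKCU/HKU ...\Run or ...\RunOnce value; the value name is the last path element.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Locations a standard user can write to; a Run entry pointing here is suspect.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads)\\", re.I)
# wscript.exe //B = batch mode, which suppresses script error dialogs.
BATCH_FLAG_RE = re.compile(r"(^|\s)//B(\s|$)", re.I)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_script_ext(value: str) -> bool:
    """True if the (possibly quoted) path ends in a WSH script extension."""
    return value.strip().strip('"').lower().endswith(SCRIPT_EXTS)


def check_event(ev: Dict) -> List[str]:
    """Return the names of the rules that fire on a single event."""
    hits: List[str] = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    if eid == 11 and image in WSH_IMAGES:
        target = ev.get("TargetFilename", "")
        if STARTUP_RE.search(target) and has_script_ext(target):
            hits.append("wsh_startup_folder_script")
    elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        # A script file under Run is suspect; a WSH writer or a user-writable
        # target path raises confidence and keeps signed-binary entries out.
        if has_script_ext(details) and (image in WSH_IMAGES or USER_WRITABLE_RE.search(details)):
            hits.append("run_key_points_to_script")
    elif eid == 1 and image in WSH_IMAGES:
        parent = basename(ev.get("ParentImage", ""))
        if parent in WSH_IMAGES and BATCH_FLAG_RE.search(ev.get("CommandLine", "")):
            hits.append("wsh_spawns_wsh_batch_mode")
    return hits


def detect(events: List[Dict]) -> List[Dict]:
    """Run every rule over a list of events; one finding per rule hit, in event order."""
    findings = []
    for ev in events:
        for rule in check_event(ev):
            findings.append({
                "rule": rule,
                "pid": ev.get("ProcessId"),
                "evidence": ev.get("TargetFilename") or ev.get("TargetObject") or ev.get("CommandLine"),
            })
    return findings


# Constructed events mirroring the IoCs in this report, plus two benign records.
SID = "S-1-5-21-1594587808-2047097707-2163810515-1000"
RUN = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 644, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\00SI886_SO_0169256IN_20210818_000.js"},
    {"EventID": 11, "ProcessId": 644, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": STARTUP + r"\PzbgTgURNP.js"},
    {"EventID": 13, "ProcessId": 644, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": RUN + r"\0L2MC7JOKR",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\00SI886_SO_0169256IN_20210818_000.js"'},
    {"EventID": 1, "ProcessId": 3668, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js"'},
    # Benign (constructed): a Run entry for a signed binary, not a script.
    {"EventID": 13, "ProcessId": 1200, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": RUN + r"\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Benign (constructed): a document saved outside the Startup folder.
    {"EventID": 11, "ProcessId": 2500, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.docx"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:28} pid={f['pid']} {f['evidence']}")
```

On the constructed input the three rules fire once each, on PIDs 644, 644 and 3668, and the two benign records produce nothing. The Run-key rule deliberately keys on the file extension of the value data rather than on the writing process alone, because the Startup and Run entries here are written by wscript.exe but an installer script could just as well write them via reg.exe or PowerShell; the batch-mode rule is the narrowest of the three and should be treated as a high-confidence signal when it fires.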
Processes

1. C:\Windows\system32\wscript.exe (PID 644)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\00SI886_SO_0169256IN_20210818_000.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 3668, child of 644)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

The child runs the dropped script from %APPDATA% with //B (batch mode), which suppresses WSH error dialogs so a script failure never surfaces to the user; the PID mapping follows from the WriteProcessMemory entries above, in which 644 writes into 3668.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\PzbgTgURNP.js (the second-stage script run by PID 3668; its hashes differ from the submitted sample, so it is not a byte-identical copy)
- MD5: 91cbc6abb6d16bba34b15ca2ce44e689
- SHA1: f63cb5c1395b405a4e1043ce0b46488da52ea47e
- SHA256: ebaa4b01e859ee2f2f37178a78d9d6e668c5cb47edca97bff923fdbf68d02a74
- SHA512: 58977af7c86a43257aa2bc17ea1eaafa49f41cee579c0504004648d0a09e2e7939d6b84c370a2d78cedd47b093009da79d6ac33e0c0cec0712f60a8a245cf0ba

memory/3668-114-0x0000000000000000-mapping.dmp (memory mapping dump taken from PID 3668)