Analysis
- max time kernel: 150s
- max time network: 179s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 31-08-2021 08:30
Static task: static1
Behavioral task: behavioral1 (sample Order234.js, resource win7v20210408)
Behavioral task: behavioral2 (sample Order234.js, resource win10v20210408)
General
- Target: Order234.js
- Size: 32KB
- MD5: 2921078ffa801cc6b1f03e43ecc21969
- SHA1: 906058e1e1ce4d586426ae1ad70d971f3da83a17
- SHA256: 4dcdeee1e442d12f58dd818e95c31f562d34546c4d61618f7e6322a8c2b5fa0e
- SHA512: 92cf75cd46faf4b277145bb5a288aa766ba0154a26a7f2def79b33b758847df2a72d7adec103b358a7ef5b09d6a988327c70729903acef394faeea259d99fa35
Malware Config
Signatures

- Blocklisted process makes network request (19 IoCs)
  Processes (flow, pid, process):
  8   1784  wscript.exe
  9   1708  wscript.exe
  10  1784  wscript.exe
  12  1784  wscript.exe
  14  1784  wscript.exe
  16  1784  wscript.exe
  17  1784  wscript.exe
  20  1784  wscript.exe
  22  1784  wscript.exe
  23  1784  wscript.exe
  26  1784  wscript.exe
  28  1784  wscript.exe
  29  1784  wscript.exe
  32  1784  wscript.exe
  33  1784  wscript.exe
  35  1784  wscript.exe
  38  1784  wscript.exe
  40  1784  wscript.exe
  41  1784  wscript.exe

- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jGYMDjeXbD.js  wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jGYMDjeXbD.js  wscript.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\jGYMDjeXbD.js\""  wscript.exe
  Note that the Run value points at the copy in %APPDATA% (C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js), while the Startup-folder drop above is a second copy of the same script name; the sample persists twice.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a weak signal on its own: drive enumeration is common in script loaders, and nothing else in this report shows file-encryption activity.

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target pid, target process):
  PID 752 wrote to memory of 1784  752  wscript.exe  1784  wscript.exe
  PID 752 wrote to memory of 1784  752  wscript.exe  1784  wscript.exe
  PID 752 wrote to memory of 1784  752  wscript.exe  1784  wscript.exe
  PID 752 wrote to memory of 1708  752  wscript.exe  1708  wscript.exe
  PID 752 wrote to memory of 1708  752  wscript.exe  1708  wscript.exe
  PID 752 wrote to memory of 1708  752  wscript.exe  1708  wscript.exe
Processes

- C:\Windows\system32\wscript.exe (PID 752, the process that wrote to both children per the WriteProcessMemory IoCs)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Order234.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (child)
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\TN.vbs"
    - Blocklisted process makes network request

The two children are PIDs 1784 and 1708 (the report does not state which command line maps to which PID). The //B switch runs the relaunched script in batch mode, so script errors and prompts are suppressed and the user sees nothing; the chain is the original JS in %TEMP% re-launching a renamed copy of itself from %APPDATA% and dropping a second-stage VBS alongside it.
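The signatures and the process tree above amount to three independent persistence signals: a script host re-launched by a script host out of a user-writable directory (with //B), a Run value whose data names a script, and a script dropped into the Startup folder. The following triage rule is an added example, not part of the sandbox report or of the sample; it replays those signals against constructed Sysmon-style events modelled on the report's IoCs. The event schema (type, pid, ppid, image, cmdline, key, data, path) is an assumption, as is attributing the registry and file events to PID 1784, which the report does not state.

```python
"""Triage rule for the wscript.exe persistence chain recorded in this report.

Added example (not the sandbox's or the sample's code). Event schema and the
PID attribution of the registry/file events are assumptions.
"""
import ntpath
import re
from collections import defaultdict

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Directories an unprivileged user can write to: %APPDATA% and %TEMP%.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

# Constructed telemetry modelled on the report's IoCs. The last event is
# benign noise (a logon script with a non-script-host parent) for contrast.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 752, "ppid": 500, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Order234.js"},
    {"type": "process", "pid": 1784, "ppid": 752, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js"'},
    {"type": "process", "pid": 1708, "ppid": 752, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\TN.vbs"'},
    {"type": "registry", "pid": 1784, "op": "SetValue",
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "data": r'"C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js"'},
    {"type": "file", "pid": 1784, "op": "Create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jGYMDjeXbD.js"},
    {"type": "process", "pid": 2000, "ppid": 600, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" \\fileserver\netlogon\logon.vbs'},
]


def script_paths(text):
    """Drive-letter paths with a script extension found in a command line or value."""
    return [p for p in re.findall(r'[A-Za-z]:\\[^"\s]+', text) if p.lower().endswith(SCRIPT_EXT)]


def triage(events):
    """Map each script file name to the sorted list of persistence signals it hit.

    Hits are keyed by full path first, then folded by base name, so the Run-key
    target in %APPDATA% and the Startup-folder copy of the same script share one
    entry. Signals from the benign noise event do not appear at all.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if not parent:
                continue
            child_is_host = ntpath.basename(e["image"]).lower() in SCRIPT_HOSTS
            parent_is_host = ntpath.basename(parent["image"]).lower() in SCRIPT_HOSTS
            if child_is_host and parent_is_host:
                for p in script_paths(e["cmdline"]):
                    if USER_WRITABLE.search(p):
                        hits[p.lower()].add("script_host_spawned_script_host")
                        # //B is wscript batch mode: errors and prompts are suppressed.
                        if re.search(r"\s//B\b", e["cmdline"], re.I):
                            hits[p.lower()].add("silent_run_//B")
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            for p in script_paths(e["data"]):
                hits[p.lower()].add("run_key_points_at_script")
        elif (e["type"] == "file" and e["op"] == "Create"
              and STARTUP_DIR.search(e["path"]) and e["path"].lower().endswith(SCRIPT_EXT)):
            hits[e["path"].lower()].add("startup_folder_script")
    by_name = defaultdict(set)
    for path, signals in hits.items():
        by_name[ntpath.basename(path)] |= signals
    return {name: sorted(signals) for name, signals in by_name.items()}


def verdict(events, min_signals=2):
    """Script names that tripped at least min_signals independent signals."""
    return sorted(name for name, sig in triage(events).items() if len(sig) >= min_signals)


if __name__ == "__main__":
    for name, signals in triage(SAMPLE_EVENTS).items():
        print(name, signals)
    print("persistent:", verdict(SAMPLE_EVENTS))
```

Requiring two signals before calling a script persistent is what keeps TN.vbs out of the verdict: it is launched by a script host from %TEMP% but is never wired into a Run key or the Startup folder, which matches the report, where only jGYMDjeXbD.js carries the persistence signatures.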
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\TN.vbs
  MD5: 67d1ef16a441f01f3cdb946fb37c338c
  SHA1: 85e95317dee6b010143ca8c4ae3e95f4423c8d2b
  SHA256: 504e732364e1c8430aa692b4a8bfc1b1e72f4fc1bcd478ba9a5f74627a0f409f
  SHA512: f5efab36ce98a5473d2e5706751fdf13d29367b5b2b1c40d75ea2f7e687ec5bc0eee9caa3dcee25dafc81f3f84a58ba5be7ce9b8201ba0214945a1beb2e337e3

- C:\Users\Admin\AppData\Roaming\jGYMDjeXbD.js
  MD5: f44c78ecda070300932b3f777006e1b3
  SHA1: fdd5655ded64f931fdabe8d66e2e95cfc49bdff8
  SHA256: 406662bc108dd5d3b21b23428e2e438696d92195cd08f149ea954eed4a1bc401
  SHA512: 6cfc61656929ca4a5182b3b086f9b5eefadcf6d5228a53bae8b16b432fd54b9b571213b064d792eaa07a8fb54253e78ec4feb1aabe4ee6b71642a139e08bc0d1

- memory/1708-61-0x0000000000000000-mapping.dmp
- memory/1784-60-0x0000000000000000-mapping.dmp