Analysis
Max time kernel: 151s
Max time network: 197s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 31-08-2021 19:01
Static task: static1
Behavioral task: behavioral1 (Sample: BookingDetails.js, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: BookingDetails.js, Resource: win10v20210408)
General
Target: BookingDetails.js
Size: 31KB
MD5: fa7455d6a61fb3e6188ac979bbe934e7
SHA1: 79015b30c58c35330d500967afbf6f1ba5e9f924
SHA256: ee80374831fab3f0f3adff5866ec8dacfd1001454b416c121ec5dcba099c5a51
SHA512: 981662d3abbc5022a456509a352e9c5fa998d10aab21a99a1f082105f085696243281b669302e22b8059b1f8b30ea0aba98a5d14945c17a22f86ad06bf3f3747
Malware Config
Signatures
Blocklisted process makes network request (49 IoCs)
Processes: wscript.exe (PID 1672), wscript.exe (PID 1804)
Drops startup file (2 IoCs)
Processes: wscript.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tHpwtWlHkV.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tHpwtWlHkV.js (wscript.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\tHpwtWlHkV.js\"" (wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
PID 1672 (wscript.exe) wrote to memory of PID 1804 (wscript.exe)
PID 1672 (wscript.exe) wrote to memory of PID 1804 (wscript.exe)
PID 1672 (wscript.exe) wrote to memory of PID 1804 (wscript.exe)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\BookingDetails.js
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tHpwtWlHkV.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\tHpwtWlHkV.js
MD5: f8c499a37127e740518507c1d3a2caa3
SHA1: 9798bedde67191ad5f515d30fe30b6616965355f
SHA256: 10ab2382646c3af7434f6db3001f43954b57e3274ab8780e031663af06506d9c
SHA512: 5886f47fe9abc391a79ac17c84b9387f8b8258dcea754dbe21332b5d7e8c818d0b62e527e0a5291f66ade5dcfd1e16d62fbbfb19787256f79ff2dd7b2b214a50
memory/1804-60-0x0000000000000000-mapping.dmp