Analysis
Max time kernel: 152s
Max time network: 154s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 01-09-2021 07:06
Static task: static1
Behavioral task: behavioral1 (Sample: 1.js, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: 1.js, Resource: win10v20210410)
General
Target: 1.js
Size: 31KB
MD5: 3771bb59d87a6d8e0d7e7a9846e71f1a
SHA1: dc4046ac08b572ad4c155606de569456ec4335b4
SHA256: 91bf45557d26f24ad6224c87c80e94ee9c19094b66f67bcfb121e65c568e9632
SHA512: 2d70c22373e4e2ef3803acd55985ee3202ead0078bff572ddb9de06e8fed1e29ff12df61387c6afa929b74b0e4c1309cbae66effb134fdbc48b390ba50254c1e
Malware Config
Signatures
Blocklisted process makes network request (19 IoCs)
  flow  pid   process
  9     1688  wscript.exe
  10    1952  wscript.exe
  11    1952  wscript.exe
  14    1952  wscript.exe
  16    1952  wscript.exe
  19    1952  wscript.exe
  20    1952  wscript.exe
  24    1952  wscript.exe
  25    1952  wscript.exe
  27    1952  wscript.exe
  30    1952  wscript.exe
  32    1952  wscript.exe
  34    1952  wscript.exe
  38    1952  wscript.exe
  40    1952  wscript.exe
  42    1952  wscript.exe
  44    1952  wscript.exe
  47    1952  wscript.exe
  48    1952  wscript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                        process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js  wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run                     wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\amqolYPJMq.js\""  wscript.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s); the sandbox flags this as likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
  source pid  source process  target pid  target process
  1688        wscript.exe     1952        wscript.exe
  1688        wscript.exe     1952        wscript.exe
  1688        wscript.exe     1952        wscript.exe
Processes
1. C:\Windows\system32\wscript.exe (PID 1688)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 1952, child of 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
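The persistence chain the signatures and process tree above record (a Run value and a Startup-folder drop that both point at a script under the user profile, written by a wscript.exe that was itself spawned by wscript.exe in //B batch mode, which suppresses script error dialogs) is easy to turn into a host-side check. The following is an added example and not part of the sandbox report or its tooling: a small Python scanner run over constructed events modelled on the IoCs in this report. The event field names, the rule names and the two benign control events are this example's own assumptions, not a vendor schema.

```python
import re

# Script extensions Windows Script Host runs. Persistence that points at one of
# these from a user-writable path is the pattern the report's IoCs show.
SCRIPT_EXT = r"\.(?:js|jse|vbs|vbe|wsf|wsh)"
SCRIPT_PATH_RE = re.compile(r'([A-Za-z]:\\[^"<>|]*?' + SCRIPT_EXT + r')(?=["\s]|$)', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+" + SCRIPT_EXT + r"$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Users\\[^\\]+)\\", re.I)
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# WSH //B (or /B): batch mode, suppresses script error dialogs and prompts.
WSH_BATCH_RE = re.compile(r"(?:^|\s)//?B(?=\s|$)", re.I)

# Constructed sample events (not sandbox output), modelled on the report's IoCs
# plus two benign controls. Field names are this example's own assumption.
EVENTS = [
    {"type": "registry_set", "pid": 1952, "process": "wscript.exe",
     "key": r"HKU\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SEJOKAOI5S",
     "value": r'"C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"'},
    {"type": "file_create", "pid": 1952, "process": "wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js"},
    {"type": "process_create", "pid": 1952, "ppid": 1688, "parent": "wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"'},
    # benign control: a vendor updater registered under Run from Program Files
    {"type": "registry_set", "pid": 4100, "process": "setup.exe",
     "key": r"HKU\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater",
     "value": r'"C:\Program Files\Vendor\updater.exe" /silent'},
    # benign control: logon script started by explorer, interactive (no //B), system path
    {"type": "process_create", "pid": 4200, "ppid": 900, "parent": "explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\Scripts\logon.vbs"},
]


def check_run_key(ev):
    """Run/RunOnce value whose command references a script in a user-writable path."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    m = SCRIPT_PATH_RE.search(ev["value"])
    if m and USER_WRITABLE_RE.search(m.group(1)):
        return {"rule": "run_key_script_in_user_path", "pid": ev["pid"],
                "evidence": f'{ev["name"]} = {m.group(1)}'}
    return None


def check_startup_drop(ev):
    """Script written into the per-user Startup folder."""
    if ev["type"] == "file_create" and STARTUP_RE.search(ev["path"]):
        return {"rule": "startup_folder_script", "pid": ev["pid"], "evidence": ev["path"]}
    return None


def check_wsh_chain(ev):
    """Script host spawned by a script host in batch mode: a script relaunching itself silently."""
    if ev["type"] != "process_create":
        return None
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if (image in WSH_HOSTS and ev["parent"].lower() in WSH_HOSTS
            and WSH_BATCH_RE.search(ev["cmdline"])):
        return {"rule": "wsh_batch_child_of_wsh", "pid": ev["pid"],
                "evidence": f'{ev["parent"]} (pid {ev["ppid"]}) -> {ev["cmdline"]}'}
    return None


CHECKS = (check_run_key, check_startup_drop, check_wsh_chain)


def scan(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for chk in CHECKS:
            f = chk(ev)
            if f:
                findings.append(f)
    return findings


def by_pid(findings):
    """Group rule names by pid so one process tripping several rules stands out."""
    out = {}
    for f in findings:
        out.setdefault(f["pid"], set()).add(f["rule"])
    return out


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['pid']}: {f['rule']}: {f['evidence']}")
    print(by_pid(scan(EVENTS)))
```

On a live host the three event types correspond to Sysmon Event ID 13 (registry value set), 11 (file create) and 1 (process create); the same regexes carry over to those fields. Grouping by pid is the useful part: each rule alone has benign hits, but one process that sets a Run value, drops into Startup and was launched silently by another script host is the chain seen in this report.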
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\amqolYPJMq.js
  MD5: 3f7b92769fc59d8adc125b4d4e8adee4
  SHA1: b3ea6913dcf3681572a1db1f429cc5e1e49b060e
  SHA256: e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209
  SHA512: 659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f
  Note: these hashes differ from those of the submitted 1.js, so the dropped copy is not byte-identical to the sample; blocking only the sample's hash would miss the persisted file.
Memory dump: memory/1952-60-0x0000000000000000-mapping.dmp