Analysis
- max time kernel: 149s
- max time network: 165s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 01-09-2021 07:06
Static task: static1
Behavioral task: behavioral1 (Sample: 1.js, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: 1.js, Resource: win10v20210410)
General
- Target: 1.js
- Size: 31KB
- MD5: 3771bb59d87a6d8e0d7e7a9846e71f1a
- SHA1: dc4046ac08b572ad4c155606de569456ec4335b4
- SHA256: 91bf45557d26f24ad6224c87c80e94ee9c19094b66f67bcfb121e65c568e9632
- SHA512: 2d70c22373e4e2ef3803acd55985ee3202ead0078bff572ddb9de06e8fed1e29ff12df61387c6afa929b74b0e4c1309cbae66effb134fdbc48b390ba50254c1e
Malware Config
Signatures
- Blocklisted process makes network request (20 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  6     3980  wscript.exe
  8     1308  wscript.exe
  15    1308  wscript.exe
  18    1308  wscript.exe
  19    1308  wscript.exe
  20    1308  wscript.exe
  21    1308  wscript.exe
  22    1308  wscript.exe
  23    1308  wscript.exe
  24    1308  wscript.exe
  25    1308  wscript.exe
  26    1308  wscript.exe
  27    1308  wscript.exe
  28    1308  wscript.exe
  29    1308  wscript.exe
  30    1308  wscript.exe
  31    1308  wscript.exe
  32    1308  wscript.exe
  33    1308  wscript.exe
  34    1308  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                          process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js  wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                        wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\amqolYPJMq.js\""  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                       pid   process      target process
  PID 3980 wrote to memory of 1308  3980  wscript.exe  wscript.exe
  PID 3980 wrote to memory of 1308  3980  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\amqolYPJMq.js
  MD5: 3f7b92769fc59d8adc125b4d4e8adee4
  SHA1: b3ea6913dcf3681572a1db1f429cc5e1e49b060e
  SHA256: e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209
  SHA512: 659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f
- memory/1308-114-0x0000000000000000-mapping.dmp