Analysis
- max time kernel: 150s
- max time network: 176s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 03-09-2021 03:01
Static task: static1
Behavioral task: behavioral1
- Sample: DHL September Pickup Form for E-Shipment Retu.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: DHL September Pickup Form for E-Shipment Retu.js
- Resource: win10-en
General
- Target: DHL September Pickup Form for E-Shipment Retu.js
- Size: 31KB
- MD5: 0bc390a3151f3d4524d81c4f039d2685
- SHA1: 89d78b77ddbfbeb17d4d1a589d93f886bdc76e80
- SHA256: 21c1f33b0a6d1b5ecaf03b167e8701a9e9fa4ecf8935e9437ad01cc8f944349c
- SHA512: d658ed37178255fbe2b8bca0dfc34a142c11139ddef078abb241a6c3bcb8759a4a46c693c14142bffc53eed1f18f0af394489ba66dcfed25b9aacca78aae76f8
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  10    1824  wscript.exe
  11    520   wscript.exe
  13    520   wscript.exe
  14    520   wscript.exe
  17    520   wscript.exe
  20    520   wscript.exe
  22    520   wscript.exe
  24    520   wscript.exe
  27    520   wscript.exe
  28    520   wscript.exe
  31    520   wscript.exe
  33    520   wscript.exe
  36    520   wscript.exe
  38    520   wscript.exe
  41    520   wscript.exe
  43    520   wscript.exe
  45    520   wscript.exe
  46    520   wscript.exe
- Drops startup file (3 IoCs)
  Processes: wscript.exe, wscript.exe
  description                  | ioc                                                                                              | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AfHZdNMtwD.js         | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AfHZdNMtwD.js         | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL September Pickup Form for E-Shipment Retu.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description     | ioc                                                                                                                                                            | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\AfHZdNMtwD.js\"" | wscript.exe
  Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                    | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description                     | pid  | process     | target process
  PID 1824 wrote to memory of 520 | 1824 | wscript.exe | wscript.exe
  PID 1824 wrote to memory of 520 | 1824 | wscript.exe | wscript.exe
  PID 1824 wrote to memory of 520 | 1824 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\DHL September Pickup Form for E-Shipment Retu.js"
  PID: 1824
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2, child of PID 1824)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AfHZdNMtwD.js"
    PID: 520
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\AfHZdNMtwD.js
  MD5: eef60c67a6c398f351039837615f2ece
  SHA1: da2bcc1eef7918ae27df4c7352b8f9eb025e7ccc
  SHA256: 5a9376351281368dc74815b74de37f98bf1c3d571fb2f6b5258625354a2265f9
  SHA512: f9480c76ab3545f5c931ac99030aaf272f3c2af764a57efa257031ff69876b5930e57dd4d55e2c2e12f75bb04fb4d44cf40522bf19130781dbd144222814d219
- memory/520-60-0x0000000000000000-mapping.dmp