Analysis
max time kernel: 145s
max time network: 159s
platform: windows10_x64
resource: win10v20210408
submitted: 03-09-2021 05:01
Static task: static1
Behavioral task: behavioral1 (Sample: a3b2ac28_icZisiD3ix.js, Resource: win7-en)
Behavioral task: behavioral2 (Sample: a3b2ac28_icZisiD3ix.js, Resource: win10v20210408)
General
Target: a3b2ac28_icZisiD3ix.js
Size: 904KB
MD5: a3b2ac28fb71d8461b6c90327fabb5a1
SHA1: 033bf48edff207df74d6b78410040f391750db8f
SHA256: e33df6ad1c1f683b5fe7dd5edfe1d0f9e246ab41364b3f6ae297e717a5ff8026
SHA512: 4174fd12ac86611280ffb1c3afaffbeb1c888f7835747738dba38cce5c75093c6831bb509236839fb67931bc77f925575e418d89bf295e8265d0987b266efc89
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  flow | pid | process
  9, 18-34 (18 flows) | 1544 | WScript.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lrsFyEuHKj.js | WScript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lrsFyEuHKj.js | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\lrsFyEuHKj.js\"" | WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the report attaches no process or IoC to this hit, so on its own it is a weak indicator.)
- Program crash (1 IoCs)
  pid | pid_target | process | target process
  3504 | 2136 | WerFault.exe | javaw.exe
- Modifies registry class (1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | wscript.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | process
  3504 | WerFault.exe (14 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3504 | WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 3128 wrote to memory of 1544 | 3128 | wscript.exe | WScript.exe (2 hits)
  PID 3128 wrote to memory of 2136 | 3128 | wscript.exe | javaw.exe (2 hits)
Processes
- [1] C:\Windows\system32\wscript.exe (pid 3128)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\a3b2ac28_icZisiD3ix.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WScript.exe (pid 1544)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - [2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (pid 2136)
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\szkzjfx.txt"
    - [3] C:\Windows\system32\WerFault.exe (pid 3504)
      C:\Windows\system32\WerFault.exe -u -p 2136 -s 352
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
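The process tree above is a compact dropper chain: the submitted .js re-launches a copy of itself from AppData\Roaming, persists it through both the Startup folder and a Run value, and starts javaw.exe on a JAR renamed to .txt. The following detection logic is an added example and not part of the sandbox report; the Sysmon-style event layout, the field names and the user-writable-path heuristic are assumptions, and SAMPLE_EVENTS is constructed from the pids, paths and registry value shown in this report.

```python
"""Detection logic for the dropper chain in this report, run over constructed
events. Added example, not part of the sandbox report: the event layout
(Sysmon-style dicts) and field names are assumptions, and SAMPLE_EVENTS is
constructed from the process tree, registry and file IoCs listed above."""
import ntpath
import re

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def _name(image):
    return ntpath.basename(image).lower()


def _user_writable(path):
    # Heuristic (assumption): locations a non-admin user can write to.
    p = path.lower()
    return any(s in p for s in ("\\appdata\\", "\\users\\public\\", "\\programdata\\"))


def _args(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _unescape_logged(value):
    """Undo the C-style escaping the sandbox applies to string values
    (a backslash before each embedded backslash and double quote)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r'\\(["\\])', r"\1", value).strip('"')


def check_process(evt):
    """Children of a script host: a JAR launched under a non-.jar extension, or a
    second script host started on a script that lives in a user-writable path."""
    findings = []
    if _name(evt.get("ParentImage", "")) not in SCRIPT_HOSTS:
        return findings
    image, args = _name(evt["Image"]), _args(evt.get("CommandLine", ""))
    if image in JAVA_HOSTS and "-jar" in args:
        i = args.index("-jar") + 1
        jar = args[i] if i < len(args) else ""
        if jar and ntpath.splitext(jar)[1].lower() != ".jar":
            findings.append(("jar_masquerade", jar))
    if image in SCRIPT_HOSTS:
        for a in args[1:]:
            if ntpath.splitext(a)[1].lower() in SCRIPT_EXTS and _user_writable(a):
                findings.append(("script_relaunch_from_profile", a))
    return findings


def check_registry(evt):
    """Run/RunOnce values whose data points at a script file in a user-writable path."""
    if not RUN_KEY.search(evt.get("TargetObject", "")):
        return []
    target = _unescape_logged(evt.get("Details", ""))
    if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS and _user_writable(target):
        return [("run_key_script", target)]
    return []


def check_file(evt):
    """Script files written into a Start Menu Startup folder."""
    target = evt.get("TargetFilename", "")
    if ("\\start menu\\programs\\startup\\" in target.lower()
            and ntpath.splitext(target)[1].lower() in SCRIPT_EXTS):
        return [("startup_folder_script", target)]
    return []


HANDLERS = {"ProcessCreate": check_process, "RegistryValueSet": check_registry,
            "FileCreate": check_file}


def scan(events):
    """Return (rule, ioc) pairs for every event that matches a rule, in event order."""
    hits = []
    for evt in events:
        hits.extend(HANDLERS.get(evt["EventType"], lambda e: [])(evt))
    return hits


# Constructed events mirroring the report: pids, paths and the registry value are taken
# from the process tree and IoC tables above; the last event is a benign control.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1544, "ParentProcessId": 3128,
     "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js"'},
    {"EventType": "ProcessCreate", "ProcessId": 2136, "ParentProcessId": 3128,
     "Image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe", "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\szkzjfx.txt"'},
    {"EventType": "RegistryValueSet", "ProcessId": 1544,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "Details": r'"\"C:\\Users\\Admin\\AppData\\Roaming\\lrsFyEuHKj.js\""'},
    {"EventType": "FileCreate", "ProcessId": 1544,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lrsFyEuHKj.js"},
    {"EventType": "ProcessCreate", "ProcessId": 4000, "ParentProcessId": 800,
     "Image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Tools\app.jar"'},
]

if __name__ == "__main__":
    for rule, ioc in scan(SAMPLE_EVENTS):
        print(f"{rule}: {ioc}")
```

Each rule keys on the parent/child relationship or the persistence location rather than on the file names, which the sample randomises (lrsFyEuHKj.js, szkzjfx.txt, SEJOKAOI5S); the explorer-launched app.jar control shows the JAR rule stays quiet when the parent is not a script host and the extension is genuine.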
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\lrsFyEuHKj.js
  MD5: 1ba75bca44a20a321cea4e496ce91a85
  SHA1: 5a14b44b498f56cbe7b248c537479c845ff465c6
  SHA256: 4035eee1e50075cfcaf233c8d0511dfeeeb01870b1a4baf4a43e9b37a03cc804
  SHA512: 2aaf2cafe8951a03e81d56eadb1d83516a9fc986d7ce6e8aa9a2704da1916feb900b42e271979cdfd0c8852ed2fa17c948a394d3e5977a47e2140fcb2d945481
- C:\Users\Admin\AppData\Roaming\szkzjfx.txt
  MD5: 57845a03f0630d3fbb9caa203e940935
  SHA1: 9c4bb48d46593af760ddb9aec6160e2f379e99f7
  SHA256: 85e1a1df9973a080afe6a11d338a36994732a40cf9f891ec7f2b69dc56aed19f
  SHA512: 7ede78b67b49d91d13ab3eb642874263899231d1c4fbb1fa5575f8c904f46fb32091986b9bd9f2824859f6e6748f112314e745f0ac858d08f3a3b9b152ee64e1
- memory/1544-114-0x0000000000000000-mapping.dmp
- memory/2136-116-0x0000000000000000-mapping.dmp