Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03-09-2021 05:16
Static task
static1
Behavioral task
behavioral1
Sample
29e6358d_aGAuLITv8n.js
Resource
win7-en
Behavioral task
behavioral2
Sample
29e6358d_aGAuLITv8n.js
Resource
win10v20210408
General
-
Target
29e6358d_aGAuLITv8n.js
-
Size
231KB
-
MD5
29e6358dcc6c6518ff978ed2e06a097f
-
SHA1
963d7a5020461bf138b723518c4b606599ad18b4
-
SHA256
1e4b0b6254e8f64254e54a9b587c58b1b315d3778f2f359c1e2fa8a5eedf2832
-
SHA512
25310412f2e6b727cc990a17a6c6435a5c2380245beeae7fdfe45748bb7858d48910da032bf277322b7639bfb49c247f066aa3030758b344eb4403f88a9e4c62
Malware Config
Signatures
-
Blocklisted process makes network request 18 IoCs
Processes:
WScript.exeflow pid process 8 3936 WScript.exe 18 3936 WScript.exe 19 3936 WScript.exe 20 3936 WScript.exe 21 3936 WScript.exe 22 3936 WScript.exe 23 3936 WScript.exe 24 3936 WScript.exe 25 3936 WScript.exe 26 3936 WScript.exe 27 3936 WScript.exe 28 3936 WScript.exe 29 3936 WScript.exe 30 3936 WScript.exe 31 3936 WScript.exe 32 3936 WScript.exe 33 3936 WScript.exe 34 3936 WScript.exe -
Drops startup file 2 IoCs
Processes:
WScript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\URivKZByzt.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\URivKZByzt.js WScript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
WScript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\URivKZByzt.js\"" WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 212 3172 WerFault.exe javaw.exe -
Modifies registry class 1 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings wscript.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe 212 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 212 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
wscript.exedescription pid process target process PID 908 wrote to memory of 3936 908 wscript.exe WScript.exe PID 908 wrote to memory of 3936 908 wscript.exe WScript.exe PID 908 wrote to memory of 3172 908 wscript.exe javaw.exe PID 908 wrote to memory of 3172 908 wscript.exe javaw.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\29e6358d_aGAuLITv8n.js1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\URivKZByzt.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3936 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\siaeuoppwf.txt"2⤵PID:3172
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3172 -s 3523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
4fccb6c905ca75de32d215f44e5adf08
SHA1a72402da433c6a2f4de9b9dfa2e9cd6b38ff754c
SHA256d396e916d9ca8d1505a157a4eca9626f9a15be706f64b65e2e8c5859c7776eb5
SHA512c05de1d95ee26a3f90424aa9acc89940d305c96aebc31815ace24096349b344920701848d8eea63b14471c391cbf6913d586eae0734f7bee25797fe42b5854ed
-
MD5
d1abdb24c44f1ec93c4800f3128cf01f
SHA1765a23589063a01d8c3e0b4e5615ac5d0ac475a6
SHA25615ddd12f95653df0799fc8420b8d5d73361d3fd9a97237da094f4440ba108580
SHA512659310fb4e2750cbb87ead008ffda551c6ce3296690c8747231b21ce8543961cecfbefb2c1cb9ba41f6fe87c60cd4f312549b1eab6039337514e2c18b529887f