Analysis
max time kernel: 292s
max time network: 327s
platform: windows7_x64
resource: win7v20210408
submitted: 06-09-2021 08:27

Static task: static1
Behavioral task: behavioral1
  Sample: Nuovo Ordine - p31010_20200401_14_31.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Nuovo Ordine - p31010_20200401_14_31.js
  Resource: win10-en
General
Target: Nuovo Ordine - p31010_20200401_14_31.js
Size: 903KB
MD5: 49c1a97463360ee62ed4b22b7532b184
SHA1: eb1647e8d2d411e4ecc5ef8f0d587696b440f531
SHA256: 176b5071201599faf37b23fa343983519eaa2a65044ff7849903ca758d7a2fb2
SHA512: 12062816d462760b5da36678a5efe1e7de4c60089814e76aaf47daa5c113708a3f406d0751b702981ba4722691f81f8a983cb943f867f48990ec103e5ab6cb65
Malware Config
Signatures
- Blocklisted process makes network request (23 IoCs)
  Process: WScript.exe (PID 520)
  Network flows: 7, 8, 9, 11, 12, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25, 27, 28, 29, 31, 32, 33, 35, 36
- Drops startup file (2 IoCs)
  Process: WScript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pHdQIiGjFP.js
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pHdQIiGjFP.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: WScript.exe
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\pHdQIiGjFP.js\""
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Process: WerFault.exe (PID 1116), target process: javaw.exe (PID 932)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Process: WerFault.exe (PID 1116), 4 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: WerFault.exe (PID 1116)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: WerFault.exe (PID 1116), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  wscript.exe (PID 1824) wrote to memory of WScript.exe (PID 520), 3 occurrences
  wscript.exe (PID 1824) wrote to memory of javaw.exe (PID 932), 3 occurrences
  javaw.exe (PID 932) wrote to memory of WerFault.exe (PID 1116), 3 occurrences
Processes
- C:\Windows\system32\wscript.exe (PID 1824)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Nuovo Ordine - p31010_20200401_14_31.js"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 520)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\pHdQIiGjFP.js"
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe (PID 932)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\yrlhptvkj.txt"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 1116)
      Command line: C:\Windows\system32\WerFault.exe -u -p 932 -s 140
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\pHdQIiGjFP.js
  MD5: b62bd809653a1ae3dcaeeb7b31c728f0
  SHA1: db818b03821f9e25a81864e5dcb4128eb37722a8
  SHA256: eee5274eae70bdcf1af045798f853a09e612bdb7bc36af57f2b7df99b44afeb3
  SHA512: b3b75b5ddf8f90d518cec4ba876738049ab24e9e54829abe70e1836e9f7145e552bfb5f9ecac999340db3b6e24a4e92a0e20f73fe1d22f635743ef42de7755ba
- C:\Users\Admin\AppData\Roaming\yrlhptvkj.txt
  MD5: 4740a590e86a95c895c20699b4d4cdec
  SHA1: 557c6eae17e86849050e148961f97627f9cab74e
  SHA256: 5d2b9adcb287daf42c646f9b36aecb613bf7f27de16f4addfe60722e94cf905d
  SHA512: 079ba5e68f3d5446c144f10d003d31ab6461196cc9e7687fbf530a21784f7279c3fe82ba48be6b37885baac468ac3513e73d9cb2e0d45817df661e850b9f2c47
- memory/520-61-0x0000000000000000-mapping.dmp
- memory/932-63-0x0000000000000000-mapping.dmp
- memory/1116-66-0x0000000000000000-mapping.dmp
- memory/1116-68-0x0000000001D20000-0x0000000001D21000-memory.dmp (Filesize: 4KB)
- memory/1824-60-0x000007FEFB631000-0x000007FEFB633000-memory.dmp (Filesize: 8KB)