Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-09-2021 12:31
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Nuovo Ordine - p31010_20200401_14_31.js
  Resource: win7-en
- Behavioral task: behavioral2
  Sample: Nuovo Ordine - p31010_20200401_14_31.js
  Resource: win10v20210408
General
- Target: Nuovo Ordine - p31010_20200401_14_31.js
- Size: 903KB
- MD5: 49c1a97463360ee62ed4b22b7532b184
- SHA1: eb1647e8d2d411e4ecc5ef8f0d587696b440f531
- SHA256: 176b5071201599faf37b23fa343983519eaa2a65044ff7849903ca758d7a2fb2
- SHA512: 12062816d462760b5da36678a5efe1e7de4c60089814e76aaf47daa5c113708a3f406d0751b702981ba4722691f81f8a983cb943f867f48990ec103e5ab6cb65
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: WScript.exe
  flow | pid  | process
  8    | 1424 | WScript.exe
  16   | 1424 | WScript.exe
  19   | 1424 | WScript.exe
  20   | 1424 | WScript.exe
  21   | 1424 | WScript.exe
  22   | 1424 | WScript.exe
  23   | 1424 | WScript.exe
  24   | 1424 | WScript.exe
  25   | 1424 | WScript.exe
  26   | 1424 | WScript.exe
  27   | 1424 | WScript.exe
  28   | 1424 | WScript.exe
  29   | 1424 | WScript.exe
  30   | 1424 | WScript.exe
  31   | 1424 | WScript.exe
  32   | 1424 | WScript.exe
  33   | 1424 | WScript.exe
  34   | 1424 | WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pHdQIiGjFP.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pHdQIiGjFP.js | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\pHdQIiGjFP.js\"" | WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid  | pid_target | process      | target process
  3688 | 1552       | WerFault.exe | javaw.exe
- Modifies registry class (1 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | wscript.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
  pid  | process
  3688 | WerFault.exe (the same row is reported 14 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 3688 | WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 568 wrote to memory of 1424 | 568 | wscript.exe | WScript.exe
  PID 568 wrote to memory of 1424 | 568 | wscript.exe | WScript.exe
  PID 568 wrote to memory of 1552 | 568 | wscript.exe | javaw.exe
  PID 568 wrote to memory of 1552 | 568 | wscript.exe | javaw.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Nuovo Ordine - p31010_20200401_14_31.js"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\pHdQIiGjFP.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\czzbxnnbl.txt"
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1552 -s 352
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\czzbxnnbl.txt
  MD5: 4740a590e86a95c895c20699b4d4cdec
  SHA1: 557c6eae17e86849050e148961f97627f9cab74e
  SHA256: 5d2b9adcb287daf42c646f9b36aecb613bf7f27de16f4addfe60722e94cf905d
  SHA512: 079ba5e68f3d5446c144f10d003d31ab6461196cc9e7687fbf530a21784f7279c3fe82ba48be6b37885baac468ac3513e73d9cb2e0d45817df661e850b9f2c47
- C:\Users\Admin\AppData\Roaming\pHdQIiGjFP.js
  MD5: b62bd809653a1ae3dcaeeb7b31c728f0
  SHA1: db818b03821f9e25a81864e5dcb4128eb37722a8
  SHA256: eee5274eae70bdcf1af045798f853a09e612bdb7bc36af57f2b7df99b44afeb3
  SHA512: b3b75b5ddf8f90d518cec4ba876738049ab24e9e54829abe70e1836e9f7145e552bfb5f9ecac999340db3b6e24a4e92a0e20f73fe1d22f635743ef42de7755ba
- memory/1424-114-0x0000000000000000-mapping.dmp
- memory/1552-116-0x0000000000000000-mapping.dmp