Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en
- submitted: 07-09-2021 01:36

Static task: static1

Behavioral task: behavioral1
- Sample: 新命令__________.PDF.js
- Resource: win7-en

Behavioral task: behavioral2
- Sample: 新命令__________.PDF.js
- Resource: win10v20210408
General
- Target: 新命令__________.PDF.js
- Size: 207KB
- MD5: 9154158d95df39303de36b475a790529
- SHA1: b79ad43d110887b9302bbfca092517a1fb0f43f3
- SHA256: ce8e23a1309e4fbe54a48d36c5c68af97df72073acce4a930df3246a34a75f32
- SHA512: de36f4d45c7b03f8cb70498bfd7a9285303814eb20a9a7f09a7855db6daacf817e4e6a0f63f6e63dd46b8bff7d4704155daa4fb2e9ca5a4902957dead3ee7a82
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: WScript.exe
  flow  pid   process
  7     1712  WScript.exe
  8     1712  WScript.exe
  9     1712  WScript.exe
  11    1712  WScript.exe
  12    1712  WScript.exe
  13    1712  WScript.exe
  15    1712  WScript.exe
  16    1712  WScript.exe
  17    1712  WScript.exe
  19    1712  WScript.exe
  20    1712  WScript.exe
  21    1712  WScript.exe
  23    1712  WScript.exe
  24    1712  WScript.exe
  25    1712  WScript.exe
  27    1712  WScript.exe
  28    1712  WScript.exe
  29    1712  WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description                   ioc                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WOChiHyFPM.js   WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WOChiHyFPM.js   WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description      ioc                                                                                                                                                                       process
  Key created      \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                   WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\WOChiHyFPM.js\""   WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  1368  2028        WerFault.exe  javaw.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
  pid   process
  1368  WerFault.exe
  1368  WerFault.exe
  1368  WerFault.exe
  1368  WerFault.exe
  1368  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
  description              pid   process
  Token: SeDebugPrivilege  1368  WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: wscript.exe, javaw.exe
  description                       pid   process      target process
  PID 1080 wrote to memory of 1712  1080  wscript.exe  WScript.exe
  PID 1080 wrote to memory of 1712  1080  wscript.exe  WScript.exe
  PID 1080 wrote to memory of 1712  1080  wscript.exe  WScript.exe
  PID 1080 wrote to memory of 2028  1080  wscript.exe  javaw.exe
  PID 1080 wrote to memory of 2028  1080  wscript.exe  javaw.exe
  PID 1080 wrote to memory of 2028  1080  wscript.exe  javaw.exe
  PID 2028 wrote to memory of 1368  2028  javaw.exe    WerFault.exe
  PID 2028 wrote to memory of 1368  2028  javaw.exe    WerFault.exe
  PID 2028 wrote to memory of 1368  2028  javaw.exe    WerFault.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\新命令__________.PDF.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WOChiHyFPM.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\agmymyvv.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2028 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\WOChiHyFPM.js
  MD5: 5f1405a47e8cf0bc0188332a4a791761
  SHA1: 638fe4be43f13d79266be5ee35b7879fdeafc71a
  SHA256: d9d12a49414db2909da558bed4013e0987fe61140f3c4e17501800ac32d422f7
  SHA512: d2e722dea389123c24534bc661352a7bf42188b47428bb24f1507db4b68f0d47e49b3f95d8cab3f7d5470aa31f51fa72be5d63a4560e785d04860d2a5bd54313
- C:\Users\Admin\AppData\Roaming\agmymyvv.txt
  MD5: 2e458a59025b390fbdf7d3717314b507
  SHA1: d5a84f501bfa81682ebde5e31a68794140141785
  SHA256: 6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b
  SHA512: 2b463bc4ef98264560abad47053549c463fc9ee098c97cd60d58c959ba67f4ddf2ca60856f6564802a9f056740fbedbb6bdc829388c136c13b334563465d1f22
- memory/1080-53-0x000007FEFC331000-0x000007FEFC333000-memory.dmp
  Filesize: 8KB
- memory/1368-59-0x0000000000000000-mapping.dmp
- memory/1368-61-0x0000000000450000-0x0000000000451000-memory.dmp
  Filesize: 4KB
- memory/1712-54-0x0000000000000000-mapping.dmp
- memory/2028-56-0x0000000000000000-mapping.dmp