Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en
- submitted: 10-09-2021 05:02

Static task: static1

Behavioral task: behavioral1
- Sample: c190431d_hyUa2Op4cf.js
- Resource: win7-en

Behavioral task: behavioral2
- Sample: c190431d_hyUa2Op4cf.js
- Resource: win10-en
General
- Target: c190431d_hyUa2Op4cf.js
- Size: 207KB
- MD5: c190431d51eed488359ebc98cbb2e900
- SHA1: eaa9bbf31cc5c32bc03cd146a3869a2b4abd29ee
- SHA256: cdf6af99c438ee1c8b18425afd23f07d30c745b89d4a3fdd6220c463a16844c0
- SHA512: 540dab7e3443704b5ad54a5c8dbed684c44ab48d4feac6f5f6f372b847c1367e8808ece7b7a7af01bb178a8b88d42e86cd94dfea220043baf78f54542d90085e
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes:
  flow | pid | process
  7 | 316 | WScript.exe
  8 | 316 | WScript.exe
  9 | 316 | WScript.exe
  11 | 316 | WScript.exe
  12 | 316 | WScript.exe
  13 | 316 | WScript.exe
  15 | 316 | WScript.exe
  16 | 316 | WScript.exe
  17 | 316 | WScript.exe
  19 | 316 | WScript.exe
  20 | 316 | WScript.exe
  21 | 316 | WScript.exe
  23 | 316 | WScript.exe
  24 | 316 | WScript.exe
  25 | 316 | WScript.exe
  27 | 316 | WScript.exe
  28 | 316 | WScript.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cpfiOsUkOB.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cpfiOsUkOB.js | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\cpfiOsUkOB.js\"" | WScript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  1564 | 1172 | WerFault.exe | javaw.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid | process
  1564 | WerFault.exe
  1564 | WerFault.exe
  1564 | WerFault.exe
  1564 | WerFault.exe
  1564 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  1564 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1564 | WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 1640 wrote to memory of 316 | 1640 | wscript.exe | WScript.exe
  PID 1640 wrote to memory of 316 | 1640 | wscript.exe | WScript.exe
  PID 1640 wrote to memory of 316 | 1640 | wscript.exe | WScript.exe
  PID 1640 wrote to memory of 1172 | 1640 | wscript.exe | javaw.exe
  PID 1640 wrote to memory of 1172 | 1640 | wscript.exe | javaw.exe
  PID 1640 wrote to memory of 1172 | 1640 | wscript.exe | javaw.exe
  PID 1172 wrote to memory of 1564 | 1172 | javaw.exe | WerFault.exe
  PID 1172 wrote to memory of 1564 | 1172 | javaw.exe | WerFault.exe
  PID 1172 wrote to memory of 1564 | 1172 | javaw.exe | WerFault.exe
Processes
- C:\Windows\system32\wscript.exe (PID 1640, depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\c190431d_hyUa2Op4cf.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 316, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\cpfiOsUkOB.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre7\bin\javaw.exe (PID 1172, depth 2)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nqxwgxwnok.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 1564, depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1172 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads