Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-09-2021 09:26
- Static task: static1
- Behavioral task: behavioral1 (Sample: Purchase Order.js; Resource: win7-en-20210920)
- Behavioral task: behavioral2 (Sample: Purchase Order.js; Resource: win10v20210408)
General
- Target: Purchase Order.js
- Size: 181KB
- MD5: 340c38c80f5e5de9e9a9a4e51a21fb0c
- SHA1: 61bc08a3c29f98740133ddbf39db97cbfad33ee9
- SHA256: 2ee2c07468fbd918a5d6be42c2950be67f33932ddfc072fa1097cff11ecee81d
- SHA512: e175e286082fa3018e318387fd5e4acc6c06549a72572bd1323ee1e99f74222ce5826ac731947e9ca4460f7a440e799ca402f72a194962016e6fd6e04c7aeca8
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
  960, 1684, WerFault.exe, javaw.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  960, WerFault.exe (5 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
  960, WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 960, WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 1528 wrote to memory of 1684, 1528, wscript.exe, javaw.exe (3 occurrences)
  PID 1684 wrote to memory of 960, 1684, javaw.exe, WerFault.exe (3 occurrences)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\eblxugng.txt"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1684 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\eblxugng.txt
  MD5: 5155453d759e49880d32caa54962acb0
  SHA1: 5f0b3395920fc56a9297866eb32590ff65cf28d2
  SHA256: 28daccdadfd5999b6463f6d1ed0d4da8f369f9d84d9046dd453b1ac78c5b6af5
  SHA512: f8c97db63f996b5200ce3b1fcdfc26aff03f64714f52f4cf61fed87425347e4642d07e42847a187c2c5c53b8a4cd4c312326664f32ae8f43694ff867f5dd543e
- memory/960-57-0x0000000000000000-mapping.dmp
- memory/960-59-0x0000000001C00000-0x0000000001C01000-memory.dmp
  Filesize: 4KB
- memory/1684-54-0x0000000000000000-mapping.dmp
- memory/1684-55-0x000007FEFB711000-0x000007FEFB713000-memory.dmp
  Filesize: 8KB