Analysis
- max time kernel: 150s
- max time network: 193s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-10-2021 15:07
Static task: static1
Behavioral task: behavioral1
- Sample: jhfehhyldo.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: jhfehhyldo.js
- Resource: win10-en-20210920
General
- Target: jhfehhyldo.js
- Size: 207KB
- MD5: 5e62b21da65c21843765eec3519d08fa
- SHA1: be3a7074f1f9bf1065859c200f41389d289c7de5
- SHA256: 741c1ef88d98a8945e91a8d899c93e31d0639ee727d541f0658e8f80136faf39
- SHA512: 83d6c6d0f667bd0c9ff7b558f4982a6f18dc33b19ddd4fa48c703bc8ff3948018420c6dab586553588e8a9db8f19bf392486b65c994fa472cf4c209983fff11e
Malware Config
Signatures
-
Blocklisted process makes network request (18 IoCs)
Processes: WScript.exe
flow  pid   process
6     1068  WScript.exe
7     1068  WScript.exe
8     1068  WScript.exe
10    1068  WScript.exe
11    1068  WScript.exe
12    1068  WScript.exe
14    1068  WScript.exe
15    1068  WScript.exe
16    1068  WScript.exe
18    1068  WScript.exe
19    1068  WScript.exe
20    1068  WScript.exe
22    1068  WScript.exe
23    1068  WScript.exe
24    1068  WScript.exe
26    1068  WScript.exe
27    1068  WScript.exe
28    1068  WScript.exe
-
Drops startup file (2 IoCs)
Processes: WScript.exe
description                    ioc                                                                                          process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js   WScript.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js   WScript.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WScript.exe
description        ioc                                                                                                                                                                               process
Key created        \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                        WScript.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eohMqhWkvF.js\""   WScript.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoCs)
Processes: WerFault.exe
pid    pid_target   process        target process
1560   1776         WerFault.exe   javaw.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: WerFault.exe
pid    process
1560   WerFault.exe
1560   WerFault.exe
1560   WerFault.exe
1560   WerFault.exe
1560   WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: WerFault.exe
pid    process
1560   WerFault.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: WerFault.exe
description               pid    process
Token: SeDebugPrivilege   1560   WerFault.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe, javaw.exe
description                         pid    process       target process
PID 1992 wrote to memory of 1068    1992   wscript.exe   WScript.exe
PID 1992 wrote to memory of 1068    1992   wscript.exe   WScript.exe
PID 1992 wrote to memory of 1068    1992   wscript.exe   WScript.exe
PID 1992 wrote to memory of 1776    1992   wscript.exe   javaw.exe
PID 1992 wrote to memory of 1776    1992   wscript.exe   javaw.exe
PID 1992 wrote to memory of 1776    1992   wscript.exe   javaw.exe
PID 1776 wrote to memory of 1560    1776   javaw.exe     WerFault.exe
PID 1776 wrote to memory of 1560    1776   javaw.exe     WerFault.exe
PID 1776 wrote to memory of 1560    1776   javaw.exe     WerFault.exe
Processes
-
C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\jhfehhyldo.js
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  -
  C:\Program Files\Java\jre7\bin\javaw.exe (depth 2)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jyedccxqfo.txt"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\WerFault.exe (depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1776 -s 140
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js
MD5: bd854a8caf7e7c7755481169afebeb9d
SHA1: 46d81477627836bdda15137a8837d10eb84bbbfc
SHA256: c346c5553d730a5f500588c0cb604454019e0a9a8c234b09e3050de08c5c4de9
SHA512: 5d311fdf3958f117d5b06cb4e975a7bd373a1b9e8379e2df133472bcd30dca710afd382b848bffaf3899cfa1e887f0fe74f019878a24c326a081d15afa73e3e5
-
C:\Users\Admin\AppData\Roaming\jyedccxqfo.txt
MD5: 60822b2d52ae85dd32f95feb662be372
SHA1: 3181aeefc4d180403b58245110dd9fe031a5274a
SHA256: 9608f3f45074b5797b9b3e62c09480e3f78a1ba4b8550b67ad9287e9311b3e70
SHA512: 064f9df2b7515087d3d54ba23a023e4b6ca429d6c1004aac2b2c50abb16561228cb6f3322059afadb47f200580468a2af2f4d053ad04337551f4f9337ce2c969
-
memory/1068-60-0x0000000000000000-mapping.dmp
-
memory/1560-65-0x0000000000000000-mapping.dmp
-
memory/1560-67-0x0000000001D20000-0x0000000001D21000-memory.dmp
Filesize: 4KB
-
memory/1776-62-0x0000000000000000-mapping.dmp
-
memory/1992-59-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
Filesize: 8KB