Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 04-10-2021 15:07
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: jhfehhyldo.js, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: jhfehhyldo.js, Resource: win10-en-20210920)
General
- Target: jhfehhyldo.js
- Size: 207KB
- MD5: 5e62b21da65c21843765eec3519d08fa
- SHA1: be3a7074f1f9bf1065859c200f41389d289c7de5
- SHA256: 741c1ef88d98a8945e91a8d899c93e31d0639ee727d541f0658e8f80136faf39
- SHA512: 83d6c6d0f667bd0c9ff7b558f4982a6f18dc33b19ddd4fa48c703bc8ff3948018420c6dab586553588e8a9db8f19bf392486b65c994fa472cf4c209983fff11e
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes (flow / pid / process):
  flows 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24: pid 4160, WScript.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js (WScript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js (WScript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eohMqhWkvF.js\"" (WScript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
  4336 / 3100 / WerFault.exe / javaw.exe
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings (wscript.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
  4336 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege, 4336 WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 3704 wrote to memory of 4160: wscript.exe -> WScript.exe (2 occurrences)
  PID 3704 wrote to memory of 3100: wscript.exe -> javaw.exe (2 occurrences)
Processes
- Level 1: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\jhfehhyldo.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - Level 2: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xwgeentccy.txt"
    - Level 3: C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 3100 -s 356
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\eohMqhWkvF.js
  MD5: bd854a8caf7e7c7755481169afebeb9d
  SHA1: 46d81477627836bdda15137a8837d10eb84bbbfc
  SHA256: c346c5553d730a5f500588c0cb604454019e0a9a8c234b09e3050de08c5c4de9
  SHA512: 5d311fdf3958f117d5b06cb4e975a7bd373a1b9e8379e2df133472bcd30dca710afd382b848bffaf3899cfa1e887f0fe74f019878a24c326a081d15afa73e3e5
- C:\Users\Admin\AppData\Roaming\xwgeentccy.txt
  MD5: 60822b2d52ae85dd32f95feb662be372
  SHA1: 3181aeefc4d180403b58245110dd9fe031a5274a
  SHA256: 9608f3f45074b5797b9b3e62c09480e3f78a1ba4b8550b67ad9287e9311b3e70
  SHA512: 064f9df2b7515087d3d54ba23a023e4b6ca429d6c1004aac2b2c50abb16561228cb6f3322059afadb47f200580468a2af2f4d053ad04337551f4f9337ce2c969
- memory/3100-117-0x0000000000000000-mapping.dmp
- memory/4160-115-0x0000000000000000-mapping.dmp