Analysis
- max time kernel: 156s
- max time network: 162s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 02-12-2021 09:07

Static task: static1
Behavioral task: behavioral1 (Sample: PO202104-114.js, Resource: win7-en-20211104)
Behavioral task: behavioral2 (Sample: PO202104-114.js, Resource: win10-en-20211014)

The signatures, process tree and artifacts below are from the win10-en-20211014 run (behavioral2).
General
- Target: PO202104-114.js
- Size: 202KB
- MD5: 4f7a5f22ef09e3fd02fc432d51ba12db
- SHA1: bc55e8c16a3135feb3a0acb9a0e72e48e59e12df
- SHA256: 9f3abf6dd5ae995b5e1d5cdd6457ab61a95fa689b5fbac4c57916a547e1d3c5a
- SHA512: bd59013fcd969385f455e371b3317a912b1330cd1af87201af863ac0a3f0e8872846b7cf8fccbc87986151f9694393720ee9e7a43933c2c137a0729447513128
Malware Config
Signatures
-
- Blocklisted process makes network request (18 IoCs)
  WScript.exe (pid 3612, the instance running the dropped uxPZcaKnkC.js) made network requests on flows 11, 21, 26, 27, 29, 31, 32, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44 and 45.
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxPZcaKnkC.js (WScript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxPZcaKnkC.js (WScript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\uxPZcaKnkC.js" (WScript.exe)
  The value is only the quoted script path, so at logon it is launched through the .js file association (the registered script host), not through an explicit wscript.exe command line. Together with the Startup-folder copy above this gives the sample two user-level autostart entries for the same file.
- Drops file in Program Files directory (12 IoCs)
  javaw.exe opened the following for modification:
  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
  Caveat: every entry is a jvm.pdb or ntdll.pdb probe in the bin\, bin\server\ and their dll\ and symbols\dll\ subdirectories, which is the dbghelp symbol search layout walked by the JVM itself. No payload file written under Program Files appears anywhere in this report, so this signature should be read as JVM symbol-lookup noise rather than as a drop by the sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is a generic heuristic with no IoC attached in this run, and nothing else in the report (no mass file creation or modification beyond the paths listed) shows an encryption stage. The observed chain is a JScript dropper that persists itself and launches a JAR.
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings (wscript.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2724 (wscript.exe) wrote to memory of PID 3612 (WScript.exe), logged twice
  PID 2724 (wscript.exe) wrote to memory of PID 1296 (javaw.exe), logged twice
  Both targets are children the initial wscript.exe spawned (see the process tree), so these writes are consistent with ordinary process creation by the parent rather than with injection into an unrelated process.
Processes
- C:\Windows\system32\wscript.exe (pid 2724)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\PO202104-114.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (pid 3612)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uxPZcaKnkC.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (pid 1296)
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wxpferha.txt"
    - Drops file in Program Files directory
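The chain above (a Run value pointing at a script in AppData\Roaming, a .js dropped into the Startup folder, and javaw.exe run with -jar on a file named .txt) is what a hunter would want to match on other hosts. The script below is an added example, not part of the sandbox report or of the sample: it runs those three checks over constructed, Sysmon-like event dicts whose field names (type, pid, target, data, cmdline) are an assumption rather than a real log schema. The malicious events are modelled on the IoCs listed above and two benign controls are included so the rules can be seen not firing.

```python
"""Hunt for the chain in the report above: a HKCU Run value that launches a
script from AppData\\Roaming, a script dropped into the Startup folder, and
javaw.exe started with -jar on a file not named *.jar.  Added example: the
event dicts and their field names are an assumed Sysmon-like shape, not a
real log schema; the malicious events are modelled on the report's IoCs."""
import ntpath
import re

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
# the value name is captured so a finding can report it (SEJOKAOI5S above)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)


def split_cmdline(cmdline):
    """Minimal Windows command-line tokenizer: split on whitespace, keep
    double-quoted runs together, strip the quotes (no caret/escape handling)."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def ext_of(path):
    # ntpath understands backslashes on any host, so this also works on Linux
    return ntpath.splitext(path)[1].lower()


def check_run_key(ev):
    # Run value whose data names a script under the user's roaming profile
    if ev["type"] != "registry_set":
        return None
    m = RUN_KEY_RE.search(ev["target"])
    if not m:
        return None
    for tok in split_cmdline(ev["data"]):
        if ext_of(tok) in SCRIPT_EXTS and ROAMING_RE.search(tok):
            return {"rule": "run_key_script_in_roaming", "pid": ev["pid"],
                    "value": m.group(1), "path": tok}
    return None


def check_startup_drop(ev):
    # script file created in the Start Menu Startup folder
    if ev["type"] != "file_create":
        return None
    path = ev["target"]
    if STARTUP_RE.search(path) and ext_of(path) in SCRIPT_EXTS:
        return {"rule": "script_in_startup_folder", "pid": ev["pid"], "path": path}
    return None


def check_java_jar(ev):
    # java/javaw launched with -jar on a file whose extension is not .jar
    if ev["type"] != "process_create":
        return None
    toks = split_cmdline(ev["cmdline"])
    if not toks or ntpath.basename(toks[0]).lower() not in JAVA_LAUNCHERS:
        return None
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == "-jar" and ext_of(toks[i + 1]) != ".jar":
            return {"rule": "javaw_jar_without_jar_extension", "pid": ev["pid"],
                    "path": toks[i + 1]}
    return None


CHECKS = (check_run_key, check_startup_drop, check_java_jar)


def hunt(events):
    """Return one finding dict per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events modelled on the IoCs above, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 3612,
     "target": r"HKU\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "data": r'"C:\Users\Admin\AppData\Roaming\uxPZcaKnkC.js"'},
    {"type": "file_create", "pid": 3612,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxPZcaKnkC.js"},
    {"type": "process_create", "pid": 1296,
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wxpferha.txt"'},
    {"type": "registry_set", "pid": 4000,  # benign control: a normal Run value
     "target": r"HKU\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "pid": 4001,  # benign control: a real .jar
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Tools\build.jar"'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events this yields exactly three findings, one per malicious event, and none for the two controls. The -jar rule deliberately keys on the extension of the launched file rather than on the path, because a JAR renamed to .txt is the evasion this report shows; a real deployment would feed it process-creation events from Sysmon or EDR telemetry instead of the inline list.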
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\uxPZcaKnkC.js
  MD5: 544e461cc49cb88916002eb81569f0ad
  SHA1: 2a5325d45b84e12126b2cc8766cc9741d79d0c3f
  SHA256: 88044969fcfb1bfd231ba53e225d4682696e53c5ce194d111968bde11b4c85ac
  SHA512: 9ec912681fd6047c1642f1b8737615fd6ea7101b2de8c3dbd1ba98437204b39f9d443d7bda887871f85a293d6134f33704c7e05ed04fb7506b4773fa536d0651
  These hashes differ from the submitted PO202104-114.js (MD5 4f7a5f22ef09e3fd02fc432d51ba12db), so the persisted copy is not byte-identical to the original and needs its own hash indicators.
- C:\Users\Admin\AppData\Roaming\wxpferha.txt
  MD5: e5c57969a139fa14269758cb8cc8f9a7
  SHA1: 432f65c2b1da28b421eac3956d8cefd72f04ae6a
  SHA256: b2b661ff89ba10a5a27a06df63a9ffd158b254aff5f38a96ff5c1f6344959501
  SHA512: 526f7f1717488c87457353d78480ec590d5abf5bf6bdc697dc92433c26a949c649b94bd83cfc7891c24fbc5e96414793fb9a192f77a3ded9ad434d8524a215d5
  Despite the .txt extension this is the file javaw.exe is launched with -jar, i.e. the second-stage JAR.
Memory dumps (pid-index-range):
- memory/3612-116-0x0000000000000000-mapping.dmp
- memory/1296-118-0x0000000000000000-mapping.dmp
- memory/1296-120-0x0000000002C00000-0x0000000002E70000-memory.dmp (2.4MB)
- memory/1296-121-0x0000000002C00000-0x0000000002E70000-memory.dmp (2.4MB)
- memory/1296-122-0x0000000002740000-0x0000000002741000-memory.dmp (4KB)
- memory/1296-123-0x0000000002E70000-0x0000000002E80000-memory.dmp (64KB)
- memory/1296-124-0x0000000002E80000-0x0000000002E90000-memory.dmp (64KB)
- memory/1296-125-0x0000000002E90000-0x0000000002EA0000-memory.dmp (64KB)
- memory/1296-126-0x0000000002EA0000-0x0000000002EB0000-memory.dmp (64KB)
- memory/1296-127-0x0000000002EB0000-0x0000000002EC0000-memory.dmp (64KB)
- memory/1296-128-0x0000000002EC0000-0x0000000002ED0000-memory.dmp (64KB)