Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 05-12-2021 07:26
Static task: static1
Behavioral task: behavioral1
  - Sample: Signed agreement documents.js
  - Resource: win7-en-20211104
Behavioral task: behavioral2
  - Sample: Signed agreement documents.js
  - Resource: win10-en-20211014
General
- Target: Signed agreement documents.js
- Size: 272KB
- MD5: c15a7e48753b74413ffd8c4bedebf689
- SHA1: 0673e275a19a4f35b09c24941cf9baaae57e3b36
- SHA256: 37dea53db80a227936238a3e43a474a48114b3f209cf2d44606735a5cfecf727
- SHA512: e3d7ed11f895999c564d34aba8ae293dae8ab1e3498f32cdbbb6af828d4550971db2c1ab903315461be58afdb0a8fd1f5a7eeea81869f68d473df32b45c2fde0
Malware Config
Signatures
- Blocklisted process makes network request (19 IoCs)
  Process: WScript.exe (PID 3892)
  Network flows: 9, 18, 19, 26, 27, 28, 29, 30, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42
- Drops startup file (2 IoCs)
  Process: WScript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kBPnCuqwkU.js
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kBPnCuqwkU.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: WScript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\kBPnCuqwkU.js\""
- Drops file in Program Files directory (12 IoCs)
  Process: javaw.exe
  Files opened for modification:
  - C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Process: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: wscript.exe
  - PID 2668 (wscript.exe) wrote to memory of PID 3892 (WScript.exe)
  - PID 2668 (wscript.exe) wrote to memory of PID 3892 (WScript.exe)
  - PID 2668 (wscript.exe) wrote to memory of PID 1948 (javaw.exe)
  - PID 2668 (wscript.exe) wrote to memory of PID 1948 (javaw.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Signed agreement documents.js"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kBPnCuqwkU.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\pxoqbv.txt"
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\kBPnCuqwkU.js
  - MD5: d70eaf98a3d76fd9734962cc7a770997
  - SHA1: d981a9ff4cb9859a0139f2170268bc3ab289fec9
  - SHA256: cf853567cef87bd09cc6dbe0ff5840e587a74768c831a91f58c150bef3d47a9c
  - SHA512: 255480b15b594605a2300a5c036ec11527c9d18ebe789fc5d85ff77774e7636437e8a8ad43b06e8a67919edf4e530f26ced35b51b3dc0937fa45af2d6e1dbcd7
- C:\Users\Admin\AppData\Roaming\pxoqbv.txt
  - MD5: 3bbd2a35537d45e465e726ceb068e721
  - SHA1: 1fd2e5d632edeea94e688aacabc373ebe3af11c7
  - SHA256: d10a6e46e300e0b6ab0c038b33cdc173b844f5895a994232e5f5d4b0a39215c7
  - SHA512: 89776550c479e12d342b53de4ac5bb512f3546eac9e52186cc080c836b4757e665931b416bee2849e2426fceb1b12e3cb376fbf628282dc3ef28378b16b39808
Memory dumps:
- memory/1948-117-0x0000000000000000-mapping.dmp
- memory/1948-119-0x0000000003160000-0x00000000033D0000-memory.dmp (2.4MB)
- memory/1948-120-0x0000000003160000-0x00000000033D0000-memory.dmp (2.4MB)
- memory/1948-121-0x0000000001570000-0x0000000001571000-memory.dmp (4KB)
- memory/1948-123-0x0000000001570000-0x0000000001571000-memory.dmp (4KB)
- memory/1948-125-0x00000000033E0000-0x00000000033F0000-memory.dmp (64KB)
- memory/1948-124-0x00000000033D0000-0x00000000033E0000-memory.dmp (64KB)
- memory/1948-126-0x00000000033F0000-0x0000000003400000-memory.dmp (64KB)
- memory/1948-127-0x0000000003400000-0x0000000003410000-memory.dmp (64KB)
- memory/3892-115-0x0000000000000000-mapping.dmp