Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 06-12-2021 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2021_11_17_AB2106159.js
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 2021_11_17_AB2106159.js
  Resource: win10-en-20211014
General
- Target: 2021_11_17_AB2106159.js
- Size: 272KB
- MD5: 1fa10808ee55f1de160b3628fde35526
- SHA1: 5422d9396f3b782fc88dfba492a51560a9e98275
- SHA256: ba43508418c1890886dd6c68e7dc0d0a8291c147c3919147d0ba89b29e427566
- SHA512: ed6e4c317560165f13dfdaf7839a187c38e2e67255753e11f5c3f090a595a44991a2394210439ad9554e3f501ab12621413b44409ea5d348fbaa0533abba565b
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Process WScript.exe (PID 4460) made network requests on flows 9, 10, 21, 26, 27, 28, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40 and 41.
- Drops startup file (2 IoCs)
  Process WScript.exe:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xRYuhuOAyv.js
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xRYuhuOAyv.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process WScript.exe:
  - Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\xRYuhuOAyv.js\""
- Drops file in Program Files directory (12 IoCs)
  Process javaw.exe opened the following files for modification:
  - C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
  - C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process wscript.exe:
  - Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process wscript.exe (PID 4312) wrote to the memory of another process:
  - PID 4312 (wscript.exe) wrote to memory of PID 4460 (WScript.exe)
  - PID 4312 (wscript.exe) wrote to memory of PID 4460 (WScript.exe)
  - PID 4312 (wscript.exe) wrote to memory of PID 4452 (javaw.exe)
  - PID 4312 (wscript.exe) wrote to memory of PID 4452 (javaw.exe)
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\2021_11_17_AB2106159.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (depth 2, child of the above)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xRYuhuOAyv.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (depth 2, child of the above)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\azidrmvop.txt"
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\azidrmvop.txt
  MD5: e5c57969a139fa14269758cb8cc8f9a7
  SHA1: 432f65c2b1da28b421eac3956d8cefd72f04ae6a
  SHA256: b2b661ff89ba10a5a27a06df63a9ffd158b254aff5f38a96ff5c1f6344959501
  SHA512: 526f7f1717488c87457353d78480ec590d5abf5bf6bdc697dc92433c26a949c649b94bd83cfc7891c24fbc5e96414793fb9a192f77a3ded9ad434d8524a215d5
- C:\Users\Admin\AppData\Roaming\xRYuhuOAyv.js
  MD5: 77003839125047ffd125864a341da2c8
  SHA1: fc0f65ee6753d601c81ca684516d59366e123022
  SHA256: 663031fd5b14f95adef162804c059269979693700b14a7a551d28bde04298372
  SHA512: 9c90e748b94ed8d7fc65f80470df44fbcc1c3d0068232a9fd25b87bcecce48b54de17ac226db416173e5f8b6538695b67a0b9e8e876a5da44393557c0ffcbaad
Memory dumps (file, size):
- memory/4452-121-0x00000000008A0000-0x00000000008A1000-memory.dmp (4KB)
- memory/4452-117-0x0000000000000000-mapping.dmp
- memory/4452-119-0x0000000002A30000-0x0000000002CA0000-memory.dmp (2.4MB)
- memory/4452-120-0x0000000002A30000-0x0000000002CA0000-memory.dmp (2.4MB)
- memory/4452-123-0x0000000002CA0000-0x0000000002CB0000-memory.dmp (64KB)
- memory/4452-126-0x00000000008A0000-0x00000000008A1000-memory.dmp (4KB)
- memory/4452-127-0x00000000008A0000-0x00000000008A1000-memory.dmp (4KB)
- memory/4452-128-0x0000000002CB0000-0x0000000002CC0000-memory.dmp (64KB)
- memory/4452-129-0x0000000002CC0000-0x0000000002CD0000-memory.dmp (64KB)
- memory/4452-130-0x0000000002CD0000-0x0000000002CE0000-memory.dmp (64KB)
- memory/4452-132-0x0000000002CE0000-0x0000000002CF0000-memory.dmp (64KB)
- memory/4460-115-0x0000000000000000-mapping.dmp