Analysis
max time kernel: 1793s
max time network: 1786s
platform: windows7_x64
resource: win7-en-20211208
submitted: 08/12/2021, 15:49
Static task: static1

Behavioral task: behavioral1
Sample: SHIPMENT_DOCUMENTS PDF.js
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: SHIPMENT_DOCUMENTS PDF.js
Resource: win10-en-20211208
0 signatures
0 seconds
General
Target: SHIPMENT_DOCUMENTS PDF.js
Size: 531KB
MD5: cf4ec0d22c787775c9f46dd0fe19da33
SHA1: f0379f9363c0c9955d9b71064a2879fd6b1cff5c
SHA256: c399dbe473150a5d2a9d3676d81971de66f2daf5360d2be26e62b5533c4fcbad
SHA512: 7248e804832f6eb2fb13e73af73a41a695fa131d239ce2b5aa3495858bd387053569e1d1a0e530a1e4f1a949a7c87e0995ad9443b9e2ec49d9a09889e8ccbb1f
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
flow | pid | Process
All 64 entries share pid 268, process WScript.exe. Flows: 5, 12, 13, 17, 18, 19, 21, 22, 23, 25, 26, 27, 29, 30, 31, 33, 34, 35, 37, 38, 39, 41, 42, 43, 45, 46, 47, 49, 50, 51, 53, 54, 55, 57, 58, 59, 61, 62, 63, 65, 66, 67, 69, 70, 71, 73, 74, 75, 77, 78, 79, 81, 82, 83, 85, 86, 87, 89, 90, 91, 93, 94, 95, 97

Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js | WScript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ypvcsiztsk.txt | java.exe

Loads dropped DLL (2 IoCs)
pid | Process
1916 | java.exe
2012 | java.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\IwhBHZSsWd.js\"" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypvcsiztsk = "\"C:\\Users\\Admin\\AppData\\Roaming\\ypvcsiztsk.txt\"" | java.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ypvcsiztsk = "\"C:\\Users\\Admin\\AppData\\Roaming\\ypvcsiztsk.txt\"" | java.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1028 | schtasks.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 952 wrote to memory of 268 | 952 | wscript.exe | 27
PID 952 wrote to memory of 268 | 952 | wscript.exe | 27
PID 952 wrote to memory of 268 | 952 | wscript.exe | 27
PID 952 wrote to memory of 1484 | 952 | wscript.exe | 28
PID 952 wrote to memory of 1484 | 952 | wscript.exe | 28
PID 952 wrote to memory of 1484 | 952 | wscript.exe | 28
PID 1484 wrote to memory of 1916 | 1484 | javaw.exe | 34
PID 1484 wrote to memory of 1916 | 1484 | javaw.exe | 34
PID 1484 wrote to memory of 1916 | 1484 | javaw.exe | 34
PID 1916 wrote to memory of 1192 | 1916 | java.exe | 38
PID 1916 wrote to memory of 1192 | 1916 | java.exe | 38
PID 1916 wrote to memory of 1192 | 1916 | java.exe | 38
PID 1916 wrote to memory of 2012 | 1916 | java.exe | 37
PID 1916 wrote to memory of 2012 | 1916 | java.exe | 37
PID 1916 wrote to memory of 2012 | 1916 | java.exe | 37
PID 1192 wrote to memory of 1028 | 1192 | cmd.exe | 39
PID 1192 wrote to memory of 1028 | 1192 | cmd.exe | 39
PID 1192 wrote to memory of 1028 | 1192 | cmd.exe | 39
Processes

Level 1: C:\Windows\system32\wscript.exe
Command: wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS PDF.js"
PID: 952
- Suspicious use of WriteProcessMemory

    Level 2: C:\Windows\System32\WScript.exe
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IwhBHZSsWd.js"
    PID: 268
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

    Level 2: C:\Program Files\Java\jre7\bin\javaw.exe
    Command: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ypvcsiztsk.txt"
    PID: 1484
    - Suspicious use of WriteProcessMemory

        Level 3: C:\Program Files\Java\jre7\bin\java.exe
        Command: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\ypvcsiztsk.txt"
        PID: 1916
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

            Level 4: C:\Program Files\Java\jre7\bin\java.exe
            Command: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ypvcsiztsk.txt"
            PID: 2012
            - Loads dropped DLL

            Level 4: C:\Windows\system32\cmd.exe
            Command: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ypvcsiztsk.txt"
            PID: 1192
            - Suspicious use of WriteProcessMemory

                Level 5: C:\Windows\system32\schtasks.exe
                Command: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ypvcsiztsk.txt"
                PID: 1028
                - Creates scheduled task(s)