Analysis
max time kernel: 149s
max time network: 137s
platform: windows10_x64
resource: win10-en-20211208
submitted: 13/12/2021, 15:18
Static task: static1

Behavioral task: behavioral1
  Sample: SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js
  Resource: win7-en-20211208
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js
  Resource: win10-en-20211208
  0 signatures, 0 seconds
General
Target: SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js
Size: 491KB
MD5: 87abfdba2290a31df0d97e91cc4b1195
SHA1: 04ccec1a839efb216cfab4c6bf35e25b1b320157
SHA256: 556e3aa4f1bdf16c72a2ab22884b935936386f69ca4977a6e815bcc1eb3b9408
SHA512: bcf7c1528ca72669d43d495f5daa21417f757dbd825593cf6589bf9502e3866b7860a807be81a92d9d20dc2dee4ca84bae85dabcddec3a53b83ba336a840aa9c
Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  11    2328  WScript.exe
  26    2328  WScript.exe
  27    2328  WScript.exe
  35    2328  WScript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                        Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiCIKHrGSI.js  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiCIKHrGSI.js  WScript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                   Process
  Key created      \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\oiCIKHrGSI.js\""           WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description  ioc                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  wscript.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 3988 wrote to memory of 2328  3988  wscript.exe  69
  PID 3988 wrote to memory of 2328  3988  wscript.exe  69
  PID 3988 wrote to memory of 3976  3988  wscript.exe  70
  PID 3988 wrote to memory of 3976  3988  wscript.exe  70
Processes

Level 1: C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF.js"
  PID: 3988
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oiCIKHrGSI.js"
    PID: 2328
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application

  Level 2: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wgpwpbh.txt"
    PID: 3976