Analysis
- max time kernel: 76s
- max time network: 76s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-12-2021 17:15
Static task: static1
Behavioral task: behavioral1
- Sample: Order_20827.js
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Order_20827.js
- Resource: win10-en-20211208
General
- Target: Order_20827.js
- Size: 307KB
- MD5: d3d3edd039a3e591e822bb981e7e1fc7
- SHA1: dc79c1c6268f32dbe746394868db3d23bd4e4126
- SHA256: 528452ce702d1bc05f0c968137625ae1518faf152aeac200948e39974c6ef4cf
- SHA512: f377e3a8d3816130cf5db479e980bfad2b2dc13b86b7eee297b0fb9982a808751e429bbd10263fa6b61a066869e67bb88205ae83f27d5527e99cd7c9b5dfba95
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  8     1492  wscript.exe
  9     2036  wscript.exe
  10    1492  wscript.exe
  12    2036  wscript.exe
  13    2036  wscript.exe
  15    1492  wscript.exe
  18    2036  wscript.exe
  20    1492  wscript.exe
  22    2036  wscript.exe
  23    1492  wscript.exe
  24    2036  wscript.exe
  26    1492  wscript.exe
  29    2036  wscript.exe
  31    1492  wscript.exe
  32    2036  wscript.exe
  34    1492  wscript.exe
  35    2036  wscript.exe
  37    1492  wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description / ioc / process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order_20827.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order_20827.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAcMvTWMWr.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAcMvTWMWr.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, wscript.exe
  description / ioc / process:
  - Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\cAcMvTWMWr.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXM15XR7UO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order_20827.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe
  description                        pid   process      target process
  PID 1492 wrote to memory of 2036   1492  wscript.exe  wscript.exe
  PID 1492 wrote to memory of 2036   1492  wscript.exe  wscript.exe
  PID 1492 wrote to memory of 2036   1492  wscript.exe  wscript.exe
  PID 1492 wrote to memory of 772    1492  wscript.exe  schtasks.exe
  PID 1492 wrote to memory of 772    1492  wscript.exe  schtasks.exe
  PID 1492 wrote to memory of 772    1492  wscript.exe  schtasks.exe
Processes
- C:\Windows\system32\wscript.exe (PID: 1492)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_20827.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\wscript.exe (PID: 2036)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cAcMvTWMWr.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\schtasks.exe (PID: 772)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Order_20827.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\cAcMvTWMWr.js
  MD5: 3dc6e38070337cd2f2ad3212b8f01374
  SHA1: d19f419607ba2f2f64689f1ed43b4ddd2df2a8b2
  SHA256: e81b55f2232dfaea360908e0046d4997a030f9e8113e5ca8f02a6f3598a4c111
  SHA512: 2e4e75339c0c2b775f90d4e8ed865dd9f3e9fc8603b6244f80ae64eede38806b8f76954698b5d0e41c31b4243520fc441c964c55ad481629cdd36eb4b98f7514
- memory/772-56-0x0000000000000000-mapping.dmp
- memory/2036-54-0x0000000000000000-mapping.dmp