Analysis
max time kernel: 122s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211208
submitted: 15/12/2021, 07:22
Static task: static1
Behavioral task: behavioral1
  Sample: Proof of payment.js
  Resource: win7-en-20211208
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Proof of payment.js
  Resource: win10-en-20211208
  0 signatures, 0 seconds
General
Target: Proof of payment.js
Size: 182KB
MD5: 5eaa5af5395fa6f3c827fc0e47aa1777
SHA1: 836112a65cca4e6e37ef7950fc5167417c79845e
SHA256: c2c538a26d9de315c6c94c98513a02d2c17e5e96666191a208426eb9f0d5f3ca
SHA512: 9dd863c44b5c83abf231218596983aa475a530ae8d72a923cb47850e7bad8cda7ede079b6c2299064caee8494d59b78d97c17a4197293b061f263c22bed08603
Score: 4/10
Malware Config
Signatures
-
Drops file in Program Files directory (12 IoCs)
description: File opened for modification; process: javaw.exe (PID 2900)
  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
Note: every path is a .pdb next to a loaded module, or in its dll\ and symbols\dll\ subdirectories, which is the Windows dbghelp symbol search order. These entries are therefore most plausibly the JVM probing for debug symbols, not the payload writing into Program Files; treat the signature name as a sandbox heuristic rather than evidence of a drop.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this is a generic sandbox heuristic; the report records no other IoCs consistent with file encryption, and the overall score is 4/10.
Suspicious use of WriteProcessMemory (2 IoCs)
description: PID 2624 (wscript.exe) wrote to memory of PID 2900; procid_target 68
description: PID 2624 (wscript.exe) wrote to memory of PID 2900; procid_target 68
Note: the target, PID 2900, is the javaw.exe child that wscript.exe launched. A parent writing to a child it has just created is normal process-creation behaviour, so this signature on its own carries little weight here; the interesting fact is the parent/child pairing itself.
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof of payment.js"
   PID: 2624
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nuicblxgl.txt"
      PID: 2900
      Parent PID: 2624
      Signatures: Drops file in Program Files directory
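The process tree above is the whole story of this sample as far as the sandbox saw it: a JScript file run by wscript.exe writes a payload to %APPDATA% under a .txt name and launches it with javaw.exe -jar. The following is an added detection example, not part of the sandbox report and not the sample's own code. It runs over constructed process-creation records (PID, parent PID, image, command line) modelled on the tree in this report; the explorer.exe parent, the PPID values 900 and 1000, and the benign javaw.exe launch are assumptions added for the example. It flags a Java launcher whose parent is a script host and whose -jar target is not a .jar or sits under a user's AppData, and it includes a check that a dropped file is really a JAR regardless of extension.

```python
"""Detect wscript.exe -> javaw.exe -jar launches of a disguised JAR.

Added example modelled on the sandbox process tree; all events below are
constructed for the example and are not sandbox output.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Script hosts that should rarely, if ever, be the parent of a Java launcher.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}

# Any path under a user's AppData (Local or Roaming); assumption: user-writable.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# "-jar <path>" where the path may be quoted (spaces) or bare.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def jar_path_from_cmdline(cmdline: str):
    m = JAR_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_script_host_jar_launches(events):
    """Return one hit per java/javaw launched by a script host via -jar."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in JAVA_LAUNCHERS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        jar = jar_path_from_cmdline(e.cmdline)
        if jar is None:
            continue
        reasons = [f"java launcher spawned by script host {basename(parent.image)}"]
        if not jar.lower().endswith(".jar"):
            reasons.append("-jar target does not carry a .jar extension")
        if USER_WRITABLE.search(jar):
            reasons.append("-jar target lives under a user AppData directory")
        hits.append({"pid": e.pid, "ppid": e.ppid, "jar": jar, "reasons": reasons})
    return hits


def looks_like_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive containing META-INF/MANIFEST.MF; the file
    extension (.txt here) is irrelevant to the JVM."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_sample_jar(with_manifest: bool = True) -> bytes:
    """Construct a minimal in-memory JAR for testing looks_like_jar()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed events: PIDs 2624/2900 and both command lines come from the
# report; explorer.exe, PPIDs 900/1000 and the benign launch are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2624, 1000, r"C:\Windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof of payment.js"'),
    ProcEvent(2900, 2624, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar '
              r'"C:\Users\Admin\AppData\Roaming\nuicblxgl.txt"'),
    ProcEvent(3100, 1000, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\App\app.jar"'),
]

if __name__ == "__main__":
    for hit in find_script_host_jar_launches(SAMPLE_EVENTS):
        print(hit)
    print("dropped file is a JAR:", looks_like_jar(build_sample_jar()))
```

The parent check is what carries the detection: a Java launcher started from explorer.exe with a proper .jar is left alone, while the report's wscript.exe -> javaw.exe pair trips all three reasons. On a real host the same logic maps directly onto Sysmon Event ID 1 or Windows 4688 fields (Image, ParentImage, CommandLine), and looks_like_jar() is the check to run on %APPDATA%\nuicblxgl.txt before trusting its extension.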