Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    15/12/2021, 07:22

General

  • Target

    Proof of payment.js

  • Size

    182KB

  • MD5

    5eaa5af5395fa6f3c827fc0e47aa1777

  • SHA1

    836112a65cca4e6e37ef7950fc5167417c79845e

  • SHA256

    c2c538a26d9de315c6c94c98513a02d2c17e5e96666191a208426eb9f0d5f3ca

  • SHA512

    9dd863c44b5c83abf231218596983aa475a530ae8d72a923cb47850e7bad8cda7ede079b6c2299064caee8494d59b78d97c17a4197293b061f263c22bed08603

Score
4/10

Malware Config

Signatures

  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proof of payment.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nuicblxgl.txt"
      2⤵
      • Drops file in Program Files directory
      PID:2900

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2900-117-0x00000000031C0000-0x0000000003430000-memory.dmp

          Filesize

          2.4MB

        • memory/2900-118-0x00000000031C0000-0x0000000003430000-memory.dmp

          Filesize

          2.4MB

        • memory/2900-119-0x0000000002D60000-0x0000000002D61000-memory.dmp

          Filesize

          4KB