Analysis

  • max time kernel
    156s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 05:42

General

  • Target

    7460accf81db3640d5f7e1e7b430431adfd687918983e78ecc12a0308f95ec47.js

  • Size

    29KB

  • MD5

    d34a29506f9838ca335d18156e2fdebd

  • SHA1

    c1ffab611536705707c4d597bec4c25719200567

  • SHA256

    7460accf81db3640d5f7e1e7b430431adfd687918983e78ecc12a0308f95ec47

  • SHA512

    77413597ba2966dc8a3951dfbaeee85bb5407125716d950cf35f28ad8418ca157bf0035bf85691240bc3c0ca1ceeba80fd094eba2d360f5af11c94ddf5518724

Score
8/10

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Sets service image path in registry (2 TTPs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\7460accf81db3640d5f7e1e7b430431adfd687918983e78ecc12a0308f95ec47.js
    • Blocklisted process makes network request
    • Checks computer location settings
    PID: 2220
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 49fa5ae3b4cb56e416efb9bcca221810 ekPSnFBWSkK9Y0Hx78AaXw.0.1.0.0.0
    • Modifies data under HKEY_USERS
    PID: 5044
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID: 808

Downloads

  • memory/808-130-0x00000276D8D70000-0x00000276D8D80000-memory.dmp

    Filesize

    64KB

  • memory/808-137-0x00000276DB9F0000-0x00000276DB9F4000-memory.dmp

    Filesize

    16KB