Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-06-2022 10:26
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: PO00498221.js, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: PO00498221.js, Resource: win10v2004-20220414-en)
General
- Target: PO00498221.js
- Size: 47KB
- MD5: 84b89a74efeee5ada47c8873f1716071
- SHA1: 79aeef590dfb5ffd6e0c7a3b17db18e27ad883fb
- SHA256: 2fcb91ed942cf840ed6e2c38005f26b5bdd3d69488a018e2c23c546a66423638
- SHA512: a0569e8cba284e88f144ea722dc0eae54ce8385eaa666a5bc7c732e870938cd3614a3c12da5717593489b6e6b17f9bb8bdf7668cae49ebcf4f9842f20192760c
Malware Config
Signatures
- Blocklisted process makes network request (21 IoCs)
  Processes: wscript.exe, wscript.exe
  flow | pid  | process
  6    | 1936 | wscript.exe
  7    | 840  | wscript.exe
  9    | 1936 | wscript.exe
  10   | 1936 | wscript.exe
  13   | 840  | wscript.exe
  16   | 1936 | wscript.exe
  17   | 1936 | wscript.exe
  19   | 1936 | wscript.exe
  22   | 840  | wscript.exe
  23   | 1936 | wscript.exe
  25   | 1936 | wscript.exe
  27   | 840  | wscript.exe
  28   | 1936 | wscript.exe
  31   | 1936 | wscript.exe
  34   | 1936 | wscript.exe
  35   | 840  | wscript.exe
  36   | 1936 | wscript.exe
  39   | 1936 | wscript.exe
  42   | 1936 | wscript.exe
  43   | 840  | wscript.exe
  45   | 1936 | wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description                  | ioc                                                                                       | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs      | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spHAeMTgHF.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spHAeMTgHF.js | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs      | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  description     | ioc                                                                                                                                                                | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\spHAeMTgHF.js\"" | wscript.exe
  Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\software\microsoft\windows\currentversion\run                                                           | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" | wscript.exe
  Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                    | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\""                     | wscript.exe
  Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                           | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe
  description                       | pid  | process     | target process
  PID 2008 wrote to memory of 1936  | 2008 | wscript.exe | wscript.exe
  PID 2008 wrote to memory of 1936  | 2008 | wscript.exe | wscript.exe
  PID 2008 wrote to memory of 1936  | 2008 | wscript.exe | wscript.exe
  PID 2008 wrote to memory of 840   | 2008 | wscript.exe | wscript.exe
  PID 2008 wrote to memory of 840   | 2008 | wscript.exe | wscript.exe
  PID 2008 wrote to memory of 840   | 2008 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO00498221.js
  - Suspicious use of WriteProcessMemory
  PID: 2008
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spHAeMTgHF.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID: 1936
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ejike.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID: 840
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ejike.vbs
  Filesize: 13KB
  MD5: 7cc6dd150c0252491d11af69da01800a
  SHA1: f38f64d89c21347049d3651c07532f5ec8741459
  SHA256: 52044f4d57cc20e56a0087b0f3b516567b23debfc250a8f54f9b4c853da0fd38
  SHA512: fffc47c9dd97688b400cc8bb6db9b073a713705f54a0db11243bfe062850d26ed030028792a279e2226761c50cac7dd8c468f2e7908f844fd70afbcf579649b8
- C:\Users\Admin\AppData\Roaming\spHAeMTgHF.js
  Filesize: 9KB
  MD5: c576dc63c42e5e08a7fb375c7a0791bc
  SHA1: 22009107c606ac099b157e38653d5c325c9b0c8b
  SHA256: f3afa68cd5ba1c5466c1215913fb9bacca94d40c07c758e93fafc495af15ba9f
  SHA512: 185bd10e42bb15312cd8af5a1b5e6aee3d1a85744607117161566ad67fc4108d959f9fa05b8ccd27e218de03272945aafa2127be3631014f7c164a80b631ab48
- memory/840-56-0x0000000000000000-mapping.dmp
- memory/1936-55-0x0000000000000000-mapping.dmp
- memory/2008-54-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp
  Filesize: 8KB