Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 10:26
Static task: static1
Behavioral task: behavioral1
- Sample: PO00498221.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PO00498221.js
- Resource: win10v2004-20220414-en
General
- Target: PO00498221.js
- Size: 47KB
- MD5: 84b89a74efeee5ada47c8873f1716071
- SHA1: 79aeef590dfb5ffd6e0c7a3b17db18e27ad883fb
- SHA256: 2fcb91ed942cf840ed6e2c38005f26b5bdd3d69488a018e2c23c546a66423638
- SHA512: a0569e8cba284e88f144ea722dc0eae54ce8385eaa666a5bc7c732e870938cd3614a3c12da5717593489b6e6b17f9bb8bdf7668cae49ebcf4f9842f20192760c
Malware Config
Signatures
- Blocklisted process makes network request (11 IoCs)
  Processes (flow, PID, process):
  - flow 4, PID 624, wscript.exe
  - flow 5, PID 4548, wscript.exe
  - flow 10, PID 624, wscript.exe
  - flow 12, PID 4548, wscript.exe
  - flow 24, PID 624, wscript.exe
  - flow 25, PID 4548, wscript.exe
  - flow 43, PID 624, wscript.exe
  - flow 44, PID 4548, wscript.exe
  - flow 47, PID 624, wscript.exe
  - flow 51, PID 4548, wscript.exe
  - flow 58, PID 624, wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, IoC, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (4 IoCs)
  Processes (description, IoC, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spHAeMTgHF.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spHAeMTgHF.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes (description, IoC, process):
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\spHAeMTgHF.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, PID, process, target process):
  - PID 5060 wrote to memory of 624: 5060, wscript.exe, wscript.exe
  - PID 5060 wrote to memory of 624: 5060, wscript.exe, wscript.exe
  - PID 5060 wrote to memory of 4548: 5060, wscript.exe, wscript.exe
  - PID 5060 wrote to memory of 4548: 5060, wscript.exe, wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO00498221.js
  PID: 5060
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spHAeMTgHF.js"
    PID: 624
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ejike.vbs"
    PID: 4548
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ejike.vbs
  - Filesize: 13KB
  - MD5: 7cc6dd150c0252491d11af69da01800a
  - SHA1: f38f64d89c21347049d3651c07532f5ec8741459
  - SHA256: 52044f4d57cc20e56a0087b0f3b516567b23debfc250a8f54f9b4c853da0fd38
  - SHA512: fffc47c9dd97688b400cc8bb6db9b073a713705f54a0db11243bfe062850d26ed030028792a279e2226761c50cac7dd8c468f2e7908f844fd70afbcf579649b8
- C:\Users\Admin\AppData\Roaming\spHAeMTgHF.js
  - Filesize: 9KB
  - MD5: c576dc63c42e5e08a7fb375c7a0791bc
  - SHA1: 22009107c606ac099b157e38653d5c325c9b0c8b
  - SHA256: f3afa68cd5ba1c5466c1215913fb9bacca94d40c07c758e93fafc495af15ba9f
  - SHA512: 185bd10e42bb15312cd8af5a1b5e6aee3d1a85744607117161566ad67fc4108d959f9fa05b8ccd27e218de03272945aafa2127be3631014f7c164a80b631ab48
- memory/624-130-0x0000000000000000-mapping.dmp
- memory/4548-131-0x0000000000000000-mapping.dmp