Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 09:31
Static task: static1
Behavioral task: behavioral1
  Sample: Documents for your perusal.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Documents for your perusal.js
  Resource: win10v2004-20220414-en
General
- Target: Documents for your perusal.js
- Size: 90KB
- MD5: e3a8ced8143a9c234569bf6537acb455
- SHA1: dc687bbfcccb3740806c848a2b948f6f59f721ff
- SHA256: d8267f242a04debd7ce7975644e938a4d54a6cbcfd5fd606b861d9faac7b8b4c
- SHA512: db64c212f6b8237b9f4270828e9013456382941f0fdf80051164ef5e1fd2c9963042ae3ef9089cecbd2e0bf972e75db2d529ce20cc96364418c9e20598f6d8d5
Malware Config
Signatures
- Blocklisted process makes network request (37 IoCs)
  Processes: wscript.exe (PID 1048), wscript.exe (PID 1504)
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AtIWpASqaS.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1504 wrote to memory of 1048 | 1504 | wscript.exe | wscript.exe
  PID 1504 wrote to memory of 1048 | 1504 | wscript.exe | wscript.exe
  PID 1504 wrote to memory of 1048 | 1504 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js
  Filesize: 24KB
  MD5: cc927e8d06586b3b3d99ddf1a7d649e0
  SHA1: 2b3493875137f64ecf46c92ac596f62f24d2d310
  SHA256: 8610d243c784955f3487c7a82c0e4a08ca59f5924b48d6f508b849b4a42646eb
  SHA512: 855b0c60734c8b4fe2411f9df42d0187f0eacd1c4c4fa04361d0fa072974cc5e891d25550692cc82996647d05e46420b244a95d113eb3c2e4b1896e55ec2392b
- memory/1048-55-0x0000000000000000-mapping.dmp
- memory/1504-54-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp
  Filesize: 8KB