Analysis
- max time kernel: 176s
- max time network: 207s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 09:31
Static task: static1
Behavioral task: behavioral1
  Sample: Documents for your perusal.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Documents for your perusal.js
  Resource: win10v2004-20220414-en
General
- Target: Documents for your perusal.js
- Size: 90KB
- MD5: e3a8ced8143a9c234569bf6537acb455
- SHA1: dc687bbfcccb3740806c848a2b948f6f59f721ff
- SHA256: d8267f242a04debd7ce7975644e938a4d54a6cbcfd5fd606b861d9faac7b8b4c
- SHA512: db64c212f6b8237b9f4270828e9013456382941f0fdf80051164ef5e1fd2c9963042ae3ef9089cecbd2e0bf972e75db2d529ce20cc96364418c9e20598f6d8d5
Malware Config
Signatures
- Blocklisted process makes network request (22 IoCs)
  Processes: wscript.exe, wscript.exe
  flow | pid  | process
  18   | 1412 | wscript.exe
  20   | 1808 | wscript.exe
  29   | 1808 | wscript.exe
  30   | 1808 | wscript.exe
  33   | 1412 | wscript.exe
  34   | 1808 | wscript.exe
  39   | 1412 | wscript.exe
  40   | 1808 | wscript.exe
  43   | 1412 | wscript.exe
  54   | 1808 | wscript.exe
  56   | 1412 | wscript.exe
  58   | 1808 | wscript.exe
  59   | 1412 | wscript.exe
  62   | 1808 | wscript.exe
  65   | 1808 | wscript.exe
  67   | 1808 | wscript.exe
  69   | 1412 | wscript.exe
  72   | 1808 | wscript.exe
  77   | 1412 | wscript.exe
  78   | 1808 | wscript.exe
  83   | 1412 | wscript.exe
  84   | 1808 | wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AtIWpASqaS.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1412 wrote to memory of 1808 | 1412 | wscript.exe | wscript.exe
  PID 1412 wrote to memory of 1808 | 1412 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1412
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID: 1808
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js
  Filesize: 24KB
  MD5: cc927e8d06586b3b3d99ddf1a7d649e0
  SHA1: 2b3493875137f64ecf46c92ac596f62f24d2d310
  SHA256: 8610d243c784955f3487c7a82c0e4a08ca59f5924b48d6f508b849b4a42646eb
  SHA512: 855b0c60734c8b4fe2411f9df42d0187f0eacd1c4c4fa04361d0fa072974cc5e891d25550692cc82996647d05e46420b244a95d113eb3c2e4b1896e55ec2392b
- memory/1808-131-0x0000000000000000-mapping.dmp