Analysis
- max time kernel: 201s
- max time network: 208s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 09:44

Static task: static1
Behavioral task: behavioral1
  Sample: AWB-14062022.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: AWB-14062022.js
  Resource: win10v2004-20220414-en
General
- Target: AWB-14062022.js
- Size: 47KB
- MD5: db27256d436350714fb51710dc897335
- SHA1: ce68eda62d41b82fe24b0a2afa75204c401f33d4
- SHA256: d5dde5256817dcaa65fa26a9a34283989c61aa3b675f3e9e3f87ad48045a47ff
- SHA512: 88ffd93ccd02a1505e7bf792500d48ea6f6784921edb7006fc85f90af3c6903088d210af1c4fb6c1f2c8f112dc1f5cc578ef17e0585588a196738de33fe288bf
Malware Config
Signatures
- Blocklisted process makes network request (39 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  7, 10, 12, 17, 20, 24, 29, 33, 39, 43, 47, 52, 57, 61, 66  948   wscript.exe
  8, 9, 14, 16, 19, 22, 26, 28, 31, 32, 35, 36, 41, 42, 45, 46, 49, 50, 55, 56, 59, 60, 63, 64  1756  wscript.exe
  All 39 flows come from the two child script hosts (PIDs 948 and 1756) spawned by the initial wscript.exe (PID 1092); the parent itself makes no network request.
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description                   ioc                                                                                     process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs        wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs        wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbabFGXugh.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbabFGXugh.js   wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  description      ioc                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\software\microsoft\windows\currentversion\run          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\""   wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                  wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\""   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\IbabFGXugh.js\""   wscript.exe
  The same coco value is written under both the user (HKU) and the machine (HKLM) Run key, so persistence survives even if only one hive is cleaned; the HKLM write only succeeds because the script host runs with administrative rights in this sandbox. The //B switch runs the VBS in batch mode with no visible window, and the YVBPFHTJIQ value relies on the .js file association rather than naming the host explicitly.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as "likely ransomware behaviour", but it is a generic heuristic triggered by drive enumeration; nothing else in this report (file drops, registry writes, network flows) indicates encryption of user files.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe
  description          pid   process      target pid  target process
  wrote to memory of   1092  wscript.exe  948         wscript.exe   (3 times)
  wrote to memory of   1092  wscript.exe  1756        wscript.exe   (3 times)
  The pairs match the parent-child relationships in the process tree below: PID 1092 writes into each child it creates, which is consistent with ordinary process spawning rather than injection into an unrelated process.
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB-14062022.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (depth 2)
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
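Taken together, the Run-key writes, the Startup-folder drops and the wscript.exe parent-child chain above are the execution and persistence pattern a detection engineer wants to catch from endpoint telemetry. The following is an added example, not part of the sandbox report: a small set of Python triage rules run over events constructed from this report's IoCs. The event schema, the root process having no recorded parent, which child wrote which key, and the benign control entry are assumptions.

```python
"""Triage rules for the wscript.exe dropper chain shown in this report.

Added example, not part of the sandbox report. The events below are
constructed from the report's IoCs; the event schema, the root process's
parent PID, which child wrote which key and the negative-control entry
are assumptions.
"""
import re

SCRIPT_HOST = re.compile(r"(^|\\)[wc]script\.exe$", re.IGNORECASE)
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_cmdline(cmdline):
    """Return (host, hidden, script) for a script-host style command line.

    host   - the wscript/cscript image if the line starts with one, else None
    hidden - True when the //B (batch mode, no UI) switch is present
    script - the first argument carrying a script-host extension, else None
    """
    tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    host = tokens.pop(0) if tokens and SCRIPT_HOST.search(tokens[0]) else None
    hidden = any(t.lower() in ("//b", "/b") for t in tokens)
    script = next((t for t in tokens if t.lower().endswith(SCRIPT_EXT)), None)
    return host, hidden, script


def check_process(ev, by_pid):
    """Flag a script host that is chained, hidden, or running a script from user-writable space."""
    host, hidden, script = parse_cmdline(ev["cmdline"])
    if host is None:
        return None
    reasons = []
    parent = by_pid.get(ev.get("ppid"))
    if parent and SCRIPT_HOST.search(parent["image"]):
        reasons.append("spawned by script host pid %d" % parent["pid"])
    if hidden:
        reasons.append("//B hides the script window")
    if script and USER_WRITABLE.search(script):
        reasons.append("script in user-writable path: " + script)
    return reasons or None


def check_registry(ev):
    """Flag Run values that start a script host or a script from user-writable space."""
    if not RUN_KEY.search(ev["key"]):
        return None
    host, hidden, script = parse_cmdline(ev["value"])
    if script is None:
        return None  # Run value launches something that is not a script
    if host or USER_WRITABLE.search(script):
        name = ev["key"].rsplit("\\", 1)[1]
        return "Run value %s starts %s%s" % (name, script, " hidden (//B)" if hidden else "")
    return None


def check_file(ev):
    """Flag scripts written to the per-user Startup folder."""
    path = ev["path"]
    if STARTUP_DIR.search(path) and path.lower().endswith(SCRIPT_EXT):
        return "script dropped into Startup folder: " + path
    return None


def triage(events):
    """Run every rule over the event list; return (kind, pid, detail) findings."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    checks = {"process": lambda e: check_process(e, by_pid),
              "registry": check_registry, "file": check_file}
    findings = []
    for ev in events:
        hit = checks[ev["type"]](ev)
        if hit:
            findings.append((ev["type"], ev["pid"], hit if isinstance(hit, str) else "; ".join(hit)))
    return findings


SID = "S-1-5-21-1083475884-596052423-1669053738-1000"
HKU_RUN = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed from the report's process tree, registry and file IoCs (assumed attribution of
# registry/file writes to a child PID; the last registry entry is a benign control).
EVENTS = [
    {"type": "process", "pid": 1092, "ppid": None, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB-14062022.js"},
    {"type": "process", "pid": 948, "ppid": 1092, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"'},
    {"type": "process", "pid": 1756, "ppid": 1092, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'},
    {"type": "registry", "pid": 1756, "key": HKU_RUN + r"\coco",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'},
    {"type": "registry", "pid": 1756, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coco",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'},
    {"type": "registry", "pid": 948, "key": HKU_RUN + r"\YVBPFHTJIQ",
     "value": r'"C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"'},
    {"type": "registry", "pid": 400, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"type": "file", "pid": 1756,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs"},
    {"type": "file", "pid": 948,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbabFGXugh.js"},
]

if __name__ == "__main__":
    for kind, pid, detail in triage(EVENTS):
        print("%-8s pid %-5d %s" % (kind, pid, detail))
```

Running the script prints one line per finding: all three wscript.exe processes, the three Run values and both Startup-folder drops fire, while the control Run value pointing at an .exe under Program Files stays silent. That silence is the tuning point: the rules key on script-host command lines, the //B switch and user-writable script locations rather than on any write to the Run key, which is far too noisy on its own.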
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 13KB
  MD5: c654a6599cf8a2a114c82cf39890527e
  SHA1: 0fdd2f5ac577d5491cdad11e9ab9682eb29f2e3b
  SHA256: cc7f0bb9d21b137fd799468d7e6823881134b5c18a2d48a24a69c5af3286bdcc
  SHA512: dc954af78c3e4daaa53ee81cbab5b6831e95b6fa80e7fff56febf884389da5feb473207b0121a81d704755039ed3b8d3870f07620e5fc58161df1c82210bf357
- C:\Users\Admin\AppData\Roaming\IbabFGXugh.js
  Filesize: 9KB
  MD5: a7ef36ca4a8acfd3cb53d47a03d038b6
  SHA1: c927276040e11629198ad9417382c38472726cf2
  SHA256: 82495325de3618c6ccb18a342e852ea876e5e9deba2d8d0739807f7c2f882112
  SHA512: 1594a78af5df8ba4ece0e540859095f1a005a7d419b32c37ddb95a5d1b946dccfb6e00f76eee9dccf88bd7f7c86436cb2b619c579d14655e847679535fd7f027
- memory/948-55-0x0000000000000000-mapping.dmp
- memory/1092-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp
  Filesize: 8KB
- memory/1756-56-0x0000000000000000-mapping.dmp