Analysis
- max time kernel: 197s
- max time network: 207s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 09:44
Static task: static1
Behavioral task: behavioral1
- Sample: AWB-14062022.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: AWB-14062022.js
- Resource: win10v2004-20220414-en
General
- Target: AWB-14062022.js
- Size: 47KB
- MD5: db27256d436350714fb51710dc897335
- SHA1: ce68eda62d41b82fe24b0a2afa75204c401f33d4
- SHA256: d5dde5256817dcaa65fa26a9a34283989c61aa3b675f3e9e3f87ad48045a47ff
- SHA512: 88ffd93ccd02a1505e7bf792500d48ea6f6784921edb7006fc85f90af3c6903088d210af1c4fb6c1f2c8f112dc1f5cc578ef17e0585588a196738de33fe288bf
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes (flow, pid, process):
  14  4628  wscript.exe
  16  4592  wscript.exe
  17  4592  wscript.exe
  18  4628  wscript.exe
  29  4628  wscript.exe
  30  4592  wscript.exe
  34  4628  wscript.exe
  35  4592  wscript.exe
  46  4628  wscript.exe
  47  4592  wscript.exe
  50  4592  wscript.exe
  54  4592  wscript.exe
  58  4592  wscript.exe
  59  4628  wscript.exe
  60  4592  wscript.exe
  65  4628  wscript.exe
  66  4628  wscript.exe
  67  4592  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry; likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (4 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbabFGXugh.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbabFGXugh.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\IbabFGXugh.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4064 (wscript.exe) wrote to memory of PID 4592 (wscript.exe)
  PID 4064 (wscript.exe) wrote to memory of PID 4592 (wscript.exe)
  PID 4064 (wscript.exe) wrote to memory of PID 4628 (wscript.exe)
  PID 4064 (wscript.exe) wrote to memory of PID 4628 (wscript.exe)
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB-14062022.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
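The behaviour recorded above (a script host spawning two more script hosts, a Geo\Nation lookup, Run values under both HKCU and HKLM, and script files written into the Startup folder) is the kind of telemetry a detection engineer wants to match directly. The Python below is an added example written for this page; it is not sandbox code and not part of the sample. It runs four checks modelled on the report's signatures over event records constructed by hand from the IoCs printed here. The event schema (the `type`, `process`, `path`, `data` and `cmdline` fields) is an assumed simplification, and the report does not say which child pid wrote which key or file, so the records carry no pids. Two details from the report itself are worth encoding: `//B` puts wscript.exe in batch mode, which suppresses script errors and prompts, and a Run value under HKLM can only be written with administrative rights, so its presence tells you the sample ran elevated in the sandbox.

```python
"""Detection checks modelled on this report's signatures (added example).

EVENTS is constructed by hand from the IoCs in the report; the field names
are an assumed, simplified event schema, not a real sandbox/EDR format.
"""
import re
from collections import Counter

HKCU = r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000"
HKLM = r"\REGISTRY\MACHINE"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
COCO_CMD = r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'
WSH = r"C:\Windows\System32\wscript.exe"

EVENTS = [  # constructed from the report; pids per event are not recorded there
    {"type": "reg_query", "process": "wscript.exe",
     "path": HKCU + r"\Control Panel\International\Geo\Nation"},
    {"type": "file_modify", "process": "wscript.exe", "path": STARTUP + r"\coco.vbs"},
    {"type": "file_create", "process": "wscript.exe", "path": STARTUP + r"\IbabFGXugh.js"},
    {"type": "file_modify", "process": "wscript.exe", "path": STARTUP + r"\IbabFGXugh.js"},
    {"type": "file_create", "process": "wscript.exe", "path": STARTUP + r"\coco.vbs"},
    {"type": "reg_set", "process": "wscript.exe", "path": HKCU + RUN + r"\YVBPFHTJIQ",
     "data": r'"C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"'},
    {"type": "reg_create", "process": "wscript.exe", "path": HKCU + RUN},
    {"type": "reg_set", "process": "wscript.exe", "path": HKCU + RUN + r"\coco", "data": COCO_CMD},
    {"type": "reg_create", "process": "wscript.exe", "path": HKLM + RUN},
    {"type": "reg_set", "process": "wscript.exe", "path": HKLM + RUN + r"\coco", "data": COCO_CMD},
    {"type": "proc_create", "parent_image": WSH, "image": WSH,
     "cmdline": '"' + WSH + r'" //B "C:\Users\Admin\AppData\Roaming\IbabFGXugh.js"'},
    {"type": "proc_create", "parent_image": WSH, "image": WSH,
     "cmdline": '"' + WSH + r'" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_REF_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
SCRIPT_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:js|jse|vbs|vbe|wsf))\b', re.I)
RUN_KEY_RE = re.compile(r"^\\REGISTRY\\(USER\\[^\\]+|MACHINE)"
                        r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)


def _name(path):
    return path.rsplit("\\", 1)[-1]


def check_geofence(ev):
    """'Checks computer location settings': a script host reading Geo\\Nation."""
    if ev["type"] != "reg_query" or ev["process"].lower() not in SCRIPT_HOSTS:
        return None
    if not ev["path"].lower().endswith(r"\control panel\international\geo\nation"):
        return None
    return {"signature": "Checks computer location settings", "process": ev["process"]}


def check_startup_drop(ev):
    """'Drops startup file': a script file created or modified in a Startup folder."""
    if ev["type"] not in ("file_create", "file_modify"):
        return None
    if not (STARTUP_RE.search(ev["path"]) and SCRIPT_REF_RE.search(_name(ev["path"]))):
        return None
    return {"signature": "Drops startup file", "action": ev["type"], "file": _name(ev["path"])}


def check_run_key(ev):
    """'Adds Run key to start application': a Run value that launches a script
    host or names a script file. HKLM needs admin rights, so the hive is kept."""
    if ev["type"] != "reg_set":
        return None
    m = RUN_KEY_RE.match(ev["path"])
    data = ev.get("data", "")
    if not m or not (SCRIPT_REF_RE.search(data) or any(h in data.lower() for h in SCRIPT_HOSTS)):
        return None
    target = SCRIPT_PATH_RE.search(data)
    return {"signature": "Adds Run key to start application",
            "hive": "HKLM" if m.group(1).upper() == "MACHINE" else "HKCU",
            "value": _name(ev["path"]),
            "silent": "//b" in data.lower().split(),  # //B = wscript batch mode
            "user_writable": bool(target and USER_WRITABLE_RE.search(target.group(1)))}


def check_script_host_chain(ev):
    """wscript.exe launching wscript.exe; the report surfaces this as the parent
    writing into both children's memory (WriteProcessMemory) at creation."""
    if ev["type"] != "proc_create":
        return None
    if _name(ev["parent_image"]).lower() not in SCRIPT_HOSTS or _name(ev["image"]).lower() not in SCRIPT_HOSTS:
        return None
    target = SCRIPT_PATH_RE.search(ev["cmdline"])
    return {"signature": "Script host spawns script host",
            "silent": "//b" in ev["cmdline"].lower().split(),
            "script": target.group(1) if target else None}


CHECKS = (check_geofence, check_startup_drop, check_run_key, check_script_host_chain)


def run_checks(events):
    """Apply every check to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


def summarize(findings):
    """Count findings per signature, mirroring the report's 'N IoCs' tallies."""
    return Counter(f["signature"] for f in findings)


if __name__ == "__main__":
    for sig, n in summarize(run_checks(EVENTS)).items():
        print(sig + ": " + str(n) + " IoCs")
```

Against the constructed events the tallies reproduce the report's counts (1 geofence lookup, 4 startup-folder writes, 3 Run values set, 2 child script hosts), and the per-finding fields expose what the sandbox labels hide: which Run value lives under HKLM, which launches run silently with `//B`, and that every persisted script sits under the user's AppData tree. The "Key created" events deliberately do not fire, since a bare key creation carries no launch command; only the "Set value" events do.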
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\coco.vbs
  Filesize: 13KB
  MD5: c654a6599cf8a2a114c82cf39890527e
  SHA1: 0fdd2f5ac577d5491cdad11e9ab9682eb29f2e3b
  SHA256: cc7f0bb9d21b137fd799468d7e6823881134b5c18a2d48a24a69c5af3286bdcc
  SHA512: dc954af78c3e4daaa53ee81cbab5b6831e95b6fa80e7fff56febf884389da5feb473207b0121a81d704755039ed3b8d3870f07620e5fc58161df1c82210bf357
- C:\Users\Admin\AppData\Roaming\IbabFGXugh.js
  Filesize: 9KB
  MD5: a7ef36ca4a8acfd3cb53d47a03d038b6
  SHA1: c927276040e11629198ad9417382c38472726cf2
  SHA256: 82495325de3618c6ccb18a342e852ea876e5e9deba2d8d0739807f7c2f882112
  SHA512: 1594a78af5df8ba4ece0e540859095f1a005a7d419b32c37ddb95a5d1b946dccfb6e00f76eee9dccf88bd7f7c86436cb2b619c579d14655e847679535fd7f027
- memory/4592-130-0x0000000000000000-mapping.dmp
- memory/4628-131-0x0000000000000000-mapping.dmp