Analysis
- max time kernel: 148s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-06-2022 08:15
Tasks
- Static task static1
- Behavioral task behavioral1: Sample MgBMOjoQWC_hwstub.js, Resource win7-20220414-en
- Behavioral task behavioral2: Sample MgBMOjoQWC_hwstub.js, Resource win10v2004-20220414-en
- Behavioral task behavioral3: Sample bJHtVihBXX_acserver.js, Resource win7-20220414-en
- Behavioral task behavioral4: Sample bJHtVihBXX_acserver.js, Resource win10v2004-20220414-en
- Behavioral task behavioral5: Sample sYCuOOjDOl_vjstub.js, Resource win7-20220414-en
- Behavioral task behavioral6: Sample sYCuOOjDOl_vjstub.js, Resource win10v2004-20220414-en
General
- Target: sYCuOOjDOl_vjstub.js
- Size: 29KB
- MD5: dac9ed798f79a40ef59756c710f61593
- SHA1: 199bfa38a09181e9396cef4d3b29b0762c5ba987
- SHA256: 94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160
- SHA512: ec5119052e545e0246234b51777bc3a1a3a64ea0c9a3eab98b948896235bd5a49eca1616788636dc09ddd8328382f00b03e5c39139972cff2198667baf5bbcef
Malware Config
Signatures
- Blocklisted process makes network request (19 IoCs)
  Processes (flow, pid, process):
    2   4576  wscript.exe
    5   4256  wscript.exe
    11  4256  wscript.exe
    13  4256  wscript.exe
    15  4576  wscript.exe
    22  4256  wscript.exe
    33  4576  wscript.exe
    44  4256  wscript.exe
    49  4256  wscript.exe
    54  4256  wscript.exe
    55  4576  wscript.exe
    58  4256  wscript.exe
    61  4256  wscript.exe
    63  4576  wscript.exe
    64  4256  wscript.exe
    65  4256  wscript.exe
    66  4256  wscript.exe
    67  4576  wscript.exe
    68  4256  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    wscript.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  Processes:
    wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js
    wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    wscript.exe: Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run
    wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\egqENcOXOr.js\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (pid, process, target process):
    PID 4576 wrote to memory of 4256: wscript.exe -> wscript.exe
    PID 4576 wrote to memory of 4256: wscript.exe -> wscript.exe
Processes
- C:\Windows\system32\wscript.exe (PID 4576)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\sYCuOOjDOl_vjstub.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 4256, child of 4576)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\egqENcOXOr.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\egqENcOXOr.js
  Filesize: 10KB
  MD5: dffdb0fc6b534c658575b72bfd4826ae
  SHA1: d6cc3039c628b6d9e8a137933fa953e785a9ef0b
  SHA256: 7e4297ebdde73b716fafb213529d79007e6825b786a471ca7e5a52024fddb939
  SHA512: c9f4be68cc09ad027a65745233363940ed7ee7b82ecf919096336ddfec90932ad707ec30089e40f8e2918df2b14f400c96d3d854c0d89ae56897e06e849637ae
- memory/4256-130-0x0000000000000000-mapping.dmp