Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 14:03
Static task: static1
Behavioral task: behavioral1
- Sample: PO 062022.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PO 062022.js
- Resource: win10v2004-20220414-en
General
- Target: PO 062022.js
- Size: 106KB
- MD5: 6b40bc20c20e427d9f3eff75a199e5c2
- SHA1: eeeba7f94c0c71545dc1a412181bbf59ab3816a3
- SHA256: 5382fee9aa7bef18d245bd37a9f93feb2671e6dd4b76fdaf90623c2438d22d71
- SHA512: c1642890fefb1f65481b4144bce53cf9b51b2cf7834bce3dc9bfbfbe496d56111861014375e6a59cd4d3741e64039f30085abce33a3ccc0d2d1253e203eeb9d2
Malware Config
Signatures

Blocklisted process makes network request (21 IoCs)
Processes: wscript.exe, wscript.exe
flow | pid  | process
6    | 1676 | wscript.exe
7    | 1248 | wscript.exe
8    | 1676 | wscript.exe
9    | 1676 | wscript.exe
12   | 1248 | wscript.exe
13   | 1676 | wscript.exe
15   | 1676 | wscript.exe
16   | 1676 | wscript.exe
19   | 1248 | wscript.exe
20   | 1676 | wscript.exe
21   | 1676 | wscript.exe
23   | 1248 | wscript.exe
24   | 1676 | wscript.exe
26   | 1676 | wscript.exe
27   | 1676 | wscript.exe
29   | 1248 | wscript.exe
30   | 1676 | wscript.exe
32   | 1676 | wscript.exe
33   | 1676 | wscript.exe
35   | 1248 | wscript.exe
36   | 1676 | wscript.exe

Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw file.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuRAviYxIE.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tuRAviYxIE.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw file.vbs | wscript.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\tuRAviYxIE.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\raw file = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\raw file.vbs\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raw file = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\raw file.vbs\"" | wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 1648 wrote to memory of 1676 | 1648 | wscript.exe | wscript.exe
PID 1648 wrote to memory of 1676 | 1648 | wscript.exe | wscript.exe
PID 1648 wrote to memory of 1676 | 1648 | wscript.exe | wscript.exe
PID 1648 wrote to memory of 1248 | 1648 | wscript.exe | wscript.exe
PID 1648 wrote to memory of 1248 | 1648 | wscript.exe | wscript.exe
PID 1648 wrote to memory of 1248 | 1648 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO 062022.js"
  PID: 1648
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tuRAviYxIE.js"
    PID: 1676
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\raw file.vbs"
    PID: 1248
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\raw file.vbs
  Filesize: 13KB
  MD5: f0112f7f776f1ca4af78430a2d61922e
  SHA1: cae4289f99fa422619c07acada55933a11947386
  SHA256: e3e4ac1927f81001d587f36f402db771265abe51e9b78ff3335e3882b2f336fb
  SHA512: 2fe9eee2df3c5c040a13df5bd3bc6b04c1f64665cea2bc8ded6bae6671943c282bdfd1faa201429009ece05acb1e92d4058326898a160fef0e972662200df0ac
- C:\Users\Admin\AppData\Roaming\tuRAviYxIE.js
  Filesize: 30KB
  MD5: b787d5ed468e32e92071c74167b45174
  SHA1: 0adaac7768738778fc95c44d56d9d9ebc6be7fb7
  SHA256: 8d5e763e5db83aa3d7cdb03a0973f95617626ddfb218cecfc9b12dc6fc097184
  SHA512: 6d71a511d355a4897874ab4360c2be862e2c17c04e0ce7129ce6ecf2160d179a26bdcaf82d09ec074dd9fca0031a3ce717351632b06d502ce3015b9844c89ae2
- memory/1248-56-0x0000000000000000-mapping.dmp
- memory/1648-54-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp
  Filesize: 8KB
- memory/1676-55-0x0000000000000000-mapping.dmp