Analysis
-
max time kernel
143s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-06-2022 14:30
Static task
static1
Behavioral task
behavioral1
Sample
MgBMOjoQWC_hwstub.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
MgBMOjoQWC_hwstub.js
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
bJHtVihBXX_acserver.js
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
bJHtVihBXX_acserver.js
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
sYCuOOjDOl_vjstub.js
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
sYCuOOjDOl_vjstub.js
Resource
win10v2004-20220414-en
General
-
Target
sYCuOOjDOl_vjstub.js
-
Size
29KB
-
MD5
dac9ed798f79a40ef59756c710f61593
-
SHA1
199bfa38a09181e9396cef4d3b29b0762c5ba987
-
SHA256
94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160
-
SHA512
ec5119052e545e0246234b51777bc3a1a3a64ea0c9a3eab98b948896235bd5a49eca1616788636dc09ddd8328382f00b03e5c39139972cff2198667baf5bbcef
Malware Config
Signatures
-
Blocklisted process makes network request 15 IoCs
Processes:
wscript.exewscript.exeflow pid process 8 3896 wscript.exe 10 1772 wscript.exe 23 1772 wscript.exe 30 1772 wscript.exe 31 3896 wscript.exe 34 1772 wscript.exe 37 1772 wscript.exe 38 3896 wscript.exe 39 1772 wscript.exe 46 1772 wscript.exe 47 3896 wscript.exe 51 1772 wscript.exe 52 1772 wscript.exe 53 3896 wscript.exe 54 1772 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\egqENcOXOr.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
wscript.exedescription pid process target process PID 3896 wrote to memory of 1772 3896 wscript.exe wscript.exe PID 3896 wrote to memory of 1772 3896 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\sYCuOOjDOl_vjstub.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\egqENcOXOr.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\egqENcOXOr.jsFilesize
10KB
MD5dffdb0fc6b534c658575b72bfd4826ae
SHA1d6cc3039c628b6d9e8a137933fa953e785a9ef0b
SHA2567e4297ebdde73b716fafb213529d79007e6825b786a471ca7e5a52024fddb939
SHA512c9f4be68cc09ad027a65745233363940ed7ee7b82ecf919096336ddfec90932ad707ec30089e40f8e2918df2b14f400c96d3d854c0d89ae56897e06e849637ae
-
memory/1772-130-0x0000000000000000-mapping.dmp