Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-06-2022 14:30

Static task: static1

Behavioral task: behavioral1
- Sample: PO00921778.js
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: PO00921778.js
- Resource: win10v2004-20220414-en
General
- Target: PO00921778.js
- Size: 102KB
- MD5: 0c202ad80846938dac13198b15f13e5e
- SHA1: b50ac1c8e51a23ff90934841874e3f3b9ec0d9f5
- SHA256: 165e72eeb78cbe4e36f321fe478c5f24e1e9905e8b8f5587261c2d564e676857
- SHA512: aae8334e7ea0ba84590a72f9315b1d4feb3f00c23af420e03fc7fdbd632cfd63ae4d6ee3c0039897f2579f32558066b4518a75f82cc4063d03e2b45402f14379
Malware Config
Signatures
-
Blocklisted process makes network request (45 IoCs)
Processes: wscript.exe, wscript.exe

flow | pid  | process
7    | 1120 | wscript.exe
8    | 1472 | wscript.exe
9    | 1472 | wscript.exe
10   | 1120 | wscript.exe
11   | 1472 | wscript.exe
13   | 1472 | wscript.exe
14   | 1120 | wscript.exe
16   | 1472 | wscript.exe
17   | 1472 | wscript.exe
21   | 1472 | wscript.exe
23   | 1120 | wscript.exe
24   | 1472 | wscript.exe
26   | 1472 | wscript.exe
28   | 1120 | wscript.exe
29   | 1472 | wscript.exe
31   | 1472 | wscript.exe
32   | 1120 | wscript.exe
33   | 1472 | wscript.exe
37   | 1472 | wscript.exe
38   | 1120 | wscript.exe
39   | 1472 | wscript.exe
40   | 1472 | wscript.exe
42   | 1120 | wscript.exe
43   | 1472 | wscript.exe
45   | 1472 | wscript.exe
46   | 1120 | wscript.exe
47   | 1472 | wscript.exe
51   | 1472 | wscript.exe
52   | 1120 | wscript.exe
53   | 1472 | wscript.exe
55   | 1472 | wscript.exe
56   | 1472 | wscript.exe
57   | 1120 | wscript.exe
59   | 1472 | wscript.exe
60   | 1120 | wscript.exe
62   | 1472 | wscript.exe
64   | 1120 | wscript.exe
65   | 1472 | wscript.exe
66   | 1472 | wscript.exe
67   | 1120 | wscript.exe
69   | 1472 | wscript.exe
70   | 1472 | wscript.exe
71   | 1120 | wscript.exe
74   | 1472 | wscript.exe
75   | 1472 | wscript.exe
-
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe

description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mXxNBYObws.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mXxNBYObws.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs | wscript.exe
-
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe

description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\mXxNBYObws.js\"" | wscript.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe

description | pid | process | target process
PID 1980 wrote to memory of 1120 | 1980 | wscript.exe | wscript.exe
PID 1980 wrote to memory of 1120 | 1980 | wscript.exe | wscript.exe
PID 1980 wrote to memory of 1120 | 1980 | wscript.exe | wscript.exe
PID 1980 wrote to memory of 1472 | 1980 | wscript.exe | wscript.exe
PID 1980 wrote to memory of 1472 | 1980 | wscript.exe | wscript.exe
PID 1980 wrote to memory of 1472 | 1980 | wscript.exe | wscript.exe
Processes
-
Path: C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO00921778.js
- Suspicious use of WriteProcessMemory
  -
  Path: C:\Windows\System32\wscript.exe
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mXxNBYObws.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  -
  Path: C:\Windows\System32\wscript.exe
  Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ejike.vbs"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ejike.vbs
Filesize: 13KB
MD5: 7cc6dd150c0252491d11af69da01800a
SHA1: f38f64d89c21347049d3651c07532f5ec8741459
SHA256: 52044f4d57cc20e56a0087b0f3b516567b23debfc250a8f54f9b4c853da0fd38
SHA512: fffc47c9dd97688b400cc8bb6db9b073a713705f54a0db11243bfe062850d26ed030028792a279e2226761c50cac7dd8c468f2e7908f844fd70afbcf579649b8
-
C:\Users\Admin\AppData\Roaming\mXxNBYObws.js
Filesize: 28KB
MD5: 7cdf19d6f4538e8fe1a3f974ffc3905e
SHA1: 68ea179480019a6fc8e106aba174e1b3b8872045
SHA256: 8db506795ad1239e4a1be48e520b6f92e08cebe33278bcf743cc2c14a10369bd
SHA512: 28aee478f1b8d6d428d25e75c32e0e1e2388e4b67898c3b9c277a185e1a3d29f82bb662d68a368e558b9b5e2249c91484dda2abd150e4f8a8053efbed2a5e419
-
memory/1120-55-0x0000000000000000-mapping.dmp
-
memory/1472-56-0x0000000000000000-mapping.dmp
-
memory/1980-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp
Filesize: 8KB