Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-06-2022 14:30
Static task: static1
Behavioral task: behavioral1
  Sample: PO00921778.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO00921778.js
  Resource: win10v2004-20220414-en
General
- Target: PO00921778.js
- Size: 102KB
- MD5: 0c202ad80846938dac13198b15f13e5e
- SHA1: b50ac1c8e51a23ff90934841874e3f3b9ec0d9f5
- SHA256: 165e72eeb78cbe4e36f321fe478c5f24e1e9905e8b8f5587261c2d564e676857
- SHA512: aae8334e7ea0ba84590a72f9315b1d4feb3f00c23af420e03fc7fdbd632cfd63ae4d6ee3c0039897f2579f32558066b4518a75f82cc4063d03e2b45402f14379
Malware Config
Signatures
- Blocklisted process makes network request (37 IoCs)
  Processes: wscript.exe, wscript.exe
  Network flows by process (flow id -> pid process):
    PID 764 (wscript.exe): flows 8, 16, 20, 23, 33, 37, 39, 45, 48, 54, 57, 58, 61, 63, 65, 67, 69, 70, 72, 74
    PID 1876 (wscript.exe): flows 9, 17, 22, 25, 36, 42, 47, 51, 56, 59, 62, 64, 66, 68, 71, 73, 75
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs (wscript.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mXxNBYObws.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mXxNBYObws.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
    Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run (wscript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" (wscript.exe)
    Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" (wscript.exe)
    Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\mXxNBYObws.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
    PID 1940 wrote to memory of 1876 (wscript.exe -> wscript.exe)
    PID 1940 wrote to memory of 1876 (wscript.exe -> wscript.exe)
    PID 1940 wrote to memory of 764 (wscript.exe -> wscript.exe)
    PID 1940 wrote to memory of 764 (wscript.exe -> wscript.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO00921778.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mXxNBYObws.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ejike.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ejike.vbs
  Filesize: 13KB
  MD5: 7cc6dd150c0252491d11af69da01800a
  SHA1: f38f64d89c21347049d3651c07532f5ec8741459
  SHA256: 52044f4d57cc20e56a0087b0f3b516567b23debfc250a8f54f9b4c853da0fd38
  SHA512: fffc47c9dd97688b400cc8bb6db9b073a713705f54a0db11243bfe062850d26ed030028792a279e2226761c50cac7dd8c468f2e7908f844fd70afbcf579649b8
- C:\Users\Admin\AppData\Roaming\mXxNBYObws.js
  Filesize: 28KB
  MD5: 7cdf19d6f4538e8fe1a3f974ffc3905e
  SHA1: 68ea179480019a6fc8e106aba174e1b3b8872045
  SHA256: 8db506795ad1239e4a1be48e520b6f92e08cebe33278bcf743cc2c14a10369bd
  SHA512: 28aee478f1b8d6d428d25e75c32e0e1e2388e4b67898c3b9c277a185e1a3d29f82bb662d68a368e558b9b5e2249c91484dda2abd150e4f8a8053efbed2a5e419
- memory/764-131-0x0000000000000000-mapping.dmp
- memory/1876-130-0x0000000000000000-mapping.dmp