Analysis
- max time kernel: 170s
- max time network: 175s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-06-2022 15:35
Static task: static1
Behavioral task: behavioral1
- Sample: Documents for your perusal.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Documents for your perusal.js
- Resource: win10v2004-20220414-en
General
- Target: Documents for your perusal.js
- Size: 90KB
- MD5: e3a8ced8143a9c234569bf6537acb455
- SHA1: dc687bbfcccb3740806c848a2b948f6f59f721ff
- SHA256: d8267f242a04debd7ce7975644e938a4d54a6cbcfd5fd606b861d9faac7b8b4c
- SHA512: db64c212f6b8237b9f4270828e9013456382941f0fdf80051164ef5e1fd2c9963042ae3ef9089cecbd2e0bf972e75db2d529ce20cc96364418c9e20598f6d8d5
Malware Config
Signatures
Blocklisted process makes network request (39 IoCs)
Processes: wscript.exe, wscript.exe
flow | pid  | process
6    | 1324 | wscript.exe
7    | 916  | wscript.exe
9    | 916  | wscript.exe
13   | 1324 | wscript.exe
15   | 916  | wscript.exe
16   | 916  | wscript.exe
18   | 1324 | wscript.exe
19   | 916  | wscript.exe
21   | 916  | wscript.exe
23   | 1324 | wscript.exe
25   | 916  | wscript.exe
26   | 916  | wscript.exe
28   | 1324 | wscript.exe
29   | 916  | wscript.exe
30   | 916  | wscript.exe
31   | 1324 | wscript.exe
33   | 916  | wscript.exe
35   | 916  | wscript.exe
38   | 1324 | wscript.exe
39   | 916  | wscript.exe
40   | 916  | wscript.exe
42   | 1324 | wscript.exe
43   | 916  | wscript.exe
44   | 916  | wscript.exe
45   | 1324 | wscript.exe
47   | 916  | wscript.exe
49   | 916  | wscript.exe
51   | 1324 | wscript.exe
53   | 916  | wscript.exe
54   | 916  | wscript.exe
55   | 1324 | wscript.exe
57   | 916  | wscript.exe
58   | 916  | wscript.exe
59   | 1324 | wscript.exe
62   | 916  | wscript.exe
63   | 916  | wscript.exe
66   | 1324 | wscript.exe
67   | 916  | wscript.exe
68   | 916  | wscript.exe
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js | wscript.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AtIWpASqaS.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 916 wrote to memory of 1324 | 916 | wscript.exe | wscript.exe
PID 916 wrote to memory of 1324 | 916 | wscript.exe | wscript.exe
PID 916 wrote to memory of 1324 | 916 | wscript.exe | wscript.exe
Processes
1. C:\Windows\system32\wscript.exe (depth 1)
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\wscript.exe (depth 2: child of process 1)
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js
  Filesize: 24KB
  MD5: cc927e8d06586b3b3d99ddf1a7d649e0
  SHA1: 2b3493875137f64ecf46c92ac596f62f24d2d310
  SHA256: 8610d243c784955f3487c7a82c0e4a08ca59f5924b48d6f508b849b4a42646eb
  SHA512: 855b0c60734c8b4fe2411f9df42d0187f0eacd1c4c4fa04361d0fa072974cc5e891d25550692cc82996647d05e46420b244a95d113eb3c2e4b1896e55ec2392b
- memory/916-54-0x000007FEFC041000-0x000007FEFC043000-memory.dmp
  Filesize: 8KB
- memory/1324-55-0x0000000000000000-mapping.dmp