Analysis
max time kernel: 152s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-06-2022 15:35
Static task: static1
Behavioral task: behavioral1
  Sample: Documents for your perusal.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Documents for your perusal.js
  Resource: win10v2004-20220414-en
General
Target: Documents for your perusal.js
Size: 90KB
MD5: e3a8ced8143a9c234569bf6537acb455
SHA1: dc687bbfcccb3740806c848a2b948f6f59f721ff
SHA256: d8267f242a04debd7ce7975644e938a4d54a6cbcfd5fd606b861d9faac7b8b4c
SHA512: db64c212f6b8237b9f4270828e9013456382941f0fdf80051164ef5e1fd2c9963042ae3ef9089cecbd2e0bf972e75db2d529ce20cc96364418c9e20598f6d8d5
Malware Config
Signatures

Blocklisted process makes network request (14 IoCs)
Processes:
  flow  pid   process
  25    888   wscript.exe
  26    2664  wscript.exe
  32    888   wscript.exe
  39    2664  wscript.exe
  40    888   wscript.exe
  41    2664  wscript.exe
  44    888   wscript.exe
  50    888   wscript.exe
  53    2664  wscript.exe
  61    888   wscript.exe
  71    2664  wscript.exe
  75    888   wscript.exe
  76    2664  wscript.exe
  92    888   wscript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description: ioc (process)):
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)

Drops startup file (4 IoCs)
Processes (description: ioc (process)):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documents for your perusal.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtIWpASqaS.js (wscript.exe)

Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (description: ioc (process)):
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AtIWpASqaS.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documents for your perusal = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Documents for your perusal.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description                      pid  process      target process
  PID 888 wrote to memory of 2664  888  wscript.exe  wscript.exe
  PID 888 wrote to memory of 2664  888  wscript.exe  wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\AtIWpASqaS.js
Filesize: 24KB
MD5: cc927e8d06586b3b3d99ddf1a7d649e0
SHA1: 2b3493875137f64ecf46c92ac596f62f24d2d310
SHA256: 8610d243c784955f3487c7a82c0e4a08ca59f5924b48d6f508b849b4a42646eb
SHA512: 855b0c60734c8b4fe2411f9df42d0187f0eacd1c4c4fa04361d0fa072974cc5e891d25550692cc82996647d05e46420b244a95d113eb3c2e4b1896e55ec2392b

memory/2664-130-0x0000000000000000-mapping.dmp