Overview

overview

8

Static

static

?? ??? ???...??.jse

windows7_x64

8

?? ??? ???...??.jse

windows10-2004_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-06-2022 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ?? ??? ??????????? ??????.jse

  • Size

    5KB

  • MD5

    21edf1a6ae8e0a869aca1890b3e34a97

  • SHA1

    cd19915eb44c6b5d8ec3397db1280bbfbca16435

  • SHA256

    073321b040b9b6820c5701dd61732c1aa88ac7e40687f14c0e37ebd1253211de

  • SHA512

    00c9aeab7a5ce8f2fda77e7a051bc219fc2b9de25cce32deb0073c3bd6cbc3da4a5a61d2c4a2c7b1b85344b82f64a672758ab04d1073f3f19ec1f9c7d30e9a99

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\__ ___ ___________ ______.jse"
    1⤵
    • Blocklisted process makes network request
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rad8FDA9.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\rad8FDA9.tmp
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\rad8FDA9.tmp"
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rad8FDA9.tmp
    Filesize

    31KB

    MD5

    ea24bc598bea877cebd270701012ee09

    SHA1

    7132efeab2250a2294951156056ce5de74a40fed

    SHA256

    f410c1348fd54a54ba3b041407aec74d2a38fe9ea7118e0163d0f21f5181eaa4

    SHA512

    c9fe24c3d28c042692ace2f8391a9d46cb22da2c2dbfd9f9dbf323469a2678a894172339ece321ed72ebe7dd607bbc558c90f18b080db24cb8ba95204814e76e

    Download Submit

  • memory/560-90-0x0000000075E31000-0x0000000075E33000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1596-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

    Filesize

    8KB

    Download