Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 28-06-2022 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: PO202204-VIS015.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO202204-VIS015.js
  Resource: win10v2004-20220414-en
General
- Target: PO202204-VIS015.js
- Size: 45KB
- MD5: c468449ee706347ee77ba75f21c2855c
- SHA1: 99fe748710ee03b11adee5d7711a583a39b67d82
- SHA256: 903841d2474ad9d19ef2147cbb393321d142477b52fa628c46cfbd0214e0f3ff
- SHA512: ea63bf2914649ae85e09c277cd144c02ecf9ac420afd6f0cd480a206a306f3e58c052df35fded442e9d3912a5378e6d63365d47027d4bb15a5f72ff20af54c0e
Malware Config
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  5     836   wscript.exe
  8     1400  wscript.exe
  9     1400  wscript.exe
  11    1400  wscript.exe
  14    1400  wscript.exe
  18    1400  wscript.exe
  20    1400  wscript.exe
  23    1400  wscript.exe
  25    1400  wscript.exe
  27    1400  wscript.exe
  31    1400  wscript.exe
  32    1400  wscript.exe
  34    1400  wscript.exe
  38    1400  wscript.exe
  40    1400  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                         process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAZifrDtEB.js  wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAZifrDtEB.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                      process
  Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run                 wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\bAZifrDtEB.js\""  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description                       pid  process      target process
  PID 836 wrote to memory of 1400   836  wscript.exe  wscript.exe
  PID 836 wrote to memory of 1400   836  wscript.exe  wscript.exe
  PID 836 wrote to memory of 1400   836  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO202204-VIS015.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bAZifrDtEB.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\bAZifrDtEB.js
  Filesize: 17KB
  MD5: c985deccdb388fb26c79239fff23c852
  SHA1: 60fecf190f59e8f14eba7e1b0c95b8427bcb7179
  SHA256: 3577498781b4836b33b303d8af897cf508a0b29e6349d31b982cae5b44e4e944
  SHA512: 1858da87b49d3ef7d4bc3781faa2574b5428e34dd3ddf764123d7629900fefd3bf7b295fa80a54abce4410f7195c5a02350ff048fa6be6638f2fb7d62cf9e59e
- memory/836-54-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp
  Filesize: 8KB
- memory/1400-55-0x0000000000000000-mapping.dmp