Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-06-2022 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: PO202204-VIS015.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PO202204-VIS015.js
- Resource: win10v2004-20220414-en
General
- Target: PO202204-VIS015.js
- Size: 45KB
- MD5: c468449ee706347ee77ba75f21c2855c
- SHA1: 99fe748710ee03b11adee5d7711a583a39b67d82
- SHA256: 903841d2474ad9d19ef2147cbb393321d142477b52fa628c46cfbd0214e0f3ff
- SHA512: ea63bf2914649ae85e09c277cd144c02ecf9ac420afd6f0cd480a206a306f3e58c052df35fded442e9d3912a5378e6d63365d47027d4bb15a5f72ff20af54c0e
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  6     2900  wscript.exe
  8     1536  wscript.exe
  16    1536  wscript.exe
  21    1536  wscript.exe
  26    1536  wscript.exe
  32    1536  wscript.exe
  33    1536  wscript.exe
  44    1536  wscript.exe
  47    1536  wscript.exe
  48    1536  wscript.exe
  49    1536  wscript.exe
  51    1536  wscript.exe
  52    1536  wscript.exe
  53    1536  wscript.exe
  54    1536  wscript.exe
  55    1536  wscript.exe
  56    1536  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description        ioc                                                                                                      process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                            process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAZifrDtEB.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAZifrDtEB.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                                                                                   process
  Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\bAZifrDtEB.js\""  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                        pid   process      target process
  PID 2900 wrote to memory of 1536   2900  wscript.exe  wscript.exe
  PID 2900 wrote to memory of 1536   2900  wscript.exe  wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO202204-VIS015.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bAZifrDtEB.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\bAZifrDtEB.js
  Filesize: 17KB
  MD5: c985deccdb388fb26c79239fff23c852
  SHA1: 60fecf190f59e8f14eba7e1b0c95b8427bcb7179
  SHA256: 3577498781b4836b33b303d8af897cf508a0b29e6349d31b982cae5b44e4e944
  SHA512: 1858da87b49d3ef7d4bc3781faa2574b5428e34dd3ddf764123d7629900fefd3bf7b295fa80a54abce4410f7195c5a02350ff048fa6be6638f2fb7d62cf9e59e
- memory/1536-130-0x0000000000000000-mapping.dmp