Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 12:45
Static task: static1
Behavioral task: behavioral1
Sample: js-beautified-1.js
Resource: win7-20220414-en
General
- Target: js-beautified-1.js
- Size: 31KB
- MD5: 74c140b0a8c5361225c5bb63ee8bba61
- SHA1: e161bf368ac344a51ec2c17256ad5bd51e752aac
- SHA256: 4dcd9f66d9282e34de85b10101af0de546cfcfae341ebd5fd99505f9cbfe16d6
- SHA512: d2464c1cf6f783d7e7b8c39af19d3759d26a02c2bd298200f5da935fce8ade5feeaf3a07a587159ca223f10b300133ffd314d22aaa625d10c4020e46e7cbd86b
Malware Config
Signatures
- Blocklisted process makes network request (14 IoCs)
  Processes: wscript.exe
  flow | pid | process
  5 | 1884 | wscript.exe
  13 | 1884 | wscript.exe
  36 | 1884 | wscript.exe
  42 | 1884 | wscript.exe
  44 | 1884 | wscript.exe
  45 | 1884 | wscript.exe
  46 | 1884 | wscript.exe
  48 | 1884 | wscript.exe
  49 | 1884 | wscript.exe
  51 | 1884 | wscript.exe
  52 | 1884 | wscript.exe
  53 | 1884 | wscript.exe
  54 | 1884 | wscript.exe
  55 | 1884 | wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js-beautified-1.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js-beautified-1.js | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1884 wrote to memory of 3764 | 1884 | wscript.exe | wscript.exe
  PID 1884 wrote to memory of 3764 | 1884 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\js-beautified-1.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js
  Filesize: 8KB
  MD5: 396776d9c2fce3d6cd89a4b25253685c
  SHA1: 0037ed7e8c7ce8020c81fc2240f35894cd6040aa
  SHA256: 832bc0cd978dd790936ffcf9845e3cbf3a74fa47ea41dbf6900a7195d38c560e
  SHA512: 56af0a104104e1a7df4bb58974fd2a527d3559a4f5351607df92e6c0633d6e277a265cc390c7f68ab1b6706237235ae3f70aaaddd366430d28fd802878b455c2
- memory/3764-130-0x0000000000000000-mapping.dmp