Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2022, 06:30
Static task: static1
Behavioral task: behavioral1
Sample: Request for PI.js
Resource: win7-20220812-en
General
Target: Request for PI.js
Size: 50KB
MD5: 72a7b0c6616ec12b73957b808c7cbabc
SHA1: 6fa031b34174966d214bd9ab9428b405fede8d77
SHA256: 0274e6f327598725f0b88d7044264a0f85598ac00ba227b13a7045c080d4c46d
SHA512: 46347307f066377819272f76ecc5792f93a4f90744317c973816fdb879f0622de9d15def30e7ec34e51544d84b0d2cf52fa8aa4b67dd2eb176e08d8b14051857
Malware Config
Signatures

Blocklisted process makes network request (24 IoCs)
  flow  pid   Process
  8     2604  wscript.exe
  15    4772  wscript.exe
  16    2224  wscript.exe
  23    4772  wscript.exe
  24    4772  wscript.exe
  32    2224  wscript.exe
  38    4772  wscript.exe
  40    2224  wscript.exe
  41    4772  wscript.exe
  42    2224  wscript.exe
  45    4772  wscript.exe
  46    2224  wscript.exe
  48    4772  wscript.exe
  50    2224  wscript.exe
  51    4772  wscript.exe
  52    2224  wscript.exe
  53    4772  wscript.exe
  54    4772  wscript.exe
  55    4772  wscript.exe
  56    2224  wscript.exe
  57    4772  wscript.exe
  58    2224  wscript.exe
  59    4772  wscript.exe
  60    2224  wscript.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (4 IoCs)
  description                    ioc                                                                                      Process
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ToLSGtelkO.js  wscript.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ToLSGtelkO.js  wscript.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2604 wrote to memory of 4772  2604  wscript.exe  84
  PID 2604 wrote to memory of 4772  2604  wscript.exe  84
  PID 4772 wrote to memory of 2224  4772  wscript.exe  85
  PID 4772 wrote to memory of 2224  4772  wscript.exe  85
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request for PI.js"
   PID: 2604
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (child of PID 2604)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ToLSGtelkO.js"
      PID: 4772
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\wscript.exe (child of PID 4772)
         Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
         PID: 2224
         - Blocklisted process makes network request
         - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
Filesize: 26KB
MD5: 50c6f77435d4987498d7c5b67e7e3715
SHA1: 4ef9674b6918f666814b26717dafe740246ce8bc
SHA256: 4960d6a2c4bddf11663bec4cbf3a06a57b01f9509b82c92e1ee0ec97890911e0
SHA512: 45947604ac1bc959b3af7a49c7bdc9917b16ff117b81724f100a0f8a7e4ce672bfae25e03ef9c89dcea21f98c9963b4d0aa893a88af64ba3d1b445b79cb7aeff

File 2
Filesize: 6KB
MD5: a542a21ecaba36f6ba8c6457b8ab67f9
SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a