Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2022, 15:31
Static task: static1
Behavioral task: behavioral1
Sample: jQCWVHjWAA.js
Resource: win7-20220812-en
General
Target: jQCWVHjWAA.js
Size: 26KB
MD5: 1f7855c87513cf8d9f4b5319445865cf
SHA1: a73d48e0da18067c2e943da97c45acb679e18139
SHA256: b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579
SHA512: 41eb3f05e08fa6b878b1a8ffa90cba44756be53ea09d00c63425ba176f1bef31dc677caea99acfb2e6298403efaae1af4e71ea5a7fe29158a9c0510bfee022a9
Malware Config
Signatures
Blocklisted process makes network request 30 IoCs
flow ids per process (flow = sandbox network-flow id):
  PID 1416  wscript.exe  flows 7, 10, 13, 18, 21, 25, 31, 33, 37, 41, 43, 47, 53, 55, 59
  PID 1528  wscript.exe  flows 8, 9, 12, 17, 23, 26, 29, 32, 35, 40, 45, 46, 51, 54, 57
Drops startup file 4 IoCs
description                   ioc                                                                                              Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js  wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; on its own it is a weak indicator, since drive enumeration is routine in script-based droppers and this report records no file-encryption activity.
Suspicious use of WriteProcessMemory 3 IoCs
description                         pid   Process      procid_target
PID 1416 wrote to memory of 1528    1416  wscript.exe  26   (recorded three times)
Note: 1416 is the parent of 1528 (see Processes), so these writes are consistent with the parent setting up the child process it had just spawned rather than with injection into an unrelated process.
Processes
-
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\jQCWVHjWAA.js
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   PID: 1416
2. C:\Windows\System32\wscript.exe (child of 1)
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
   - Blocklisted process makes network request
   - Drops startup file
   PID: 1528
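As an added example (not part of this sandbox report or of any sandbox tooling), the following Python turns the two behaviours recorded above, the script host re-launching a dropped .js with //B and the script host writing scripts into the per-user Startup folder, into detection logic run over constructed process-creation and file-creation events modelled on this report's process tree and Startup IoCs. The event schema, field names, the parent pid 1100, the pid assigned to each file event and the benign explorer.exe control event are assumptions of this example.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)


def split_cmdline(cmd):
    """Minimal Windows command-line tokenizer: a double-quoted token keeps its spaces."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_args(argv):
    """Separate host switches (//B, //E:JScript, ...) from the first script path."""
    switches, script = [], None
    for tok in argv[1:]:
        if tok.startswith("/"):
            switches.append(tok.upper())
        elif script is None:
            script = tok
    return switches, script


def check_process(ev, by_pid):
    """Flag a script host that runs a script from a user-writable path, runs in
    batch mode, or was itself spawned by a script host (wscript -> wscript)."""
    findings = []
    image = basename(ev["image"])
    if image not in SCRIPT_HOSTS:
        return findings
    switches, script = script_host_args(split_cmdline(ev["cmdline"]))
    if script and script.lower().endswith(SCRIPT_EXT) and USER_WRITABLE_RE.match(script):
        findings.append(f"{image} runs {basename(script)} from user-writable path {script}")
    if "//B" in switches or "/B" in switches:
        findings.append(f"{image} started in batch mode (//B): errors and prompts are suppressed")
    parent = by_pid.get(ev["ppid"])
    if parent is not None and basename(parent["image"]) in SCRIPT_HOSTS:
        findings.append(f"script host pid {ev['ppid']} spawned script host pid {ev['pid']}")
    return findings


def check_file(ev):
    """Flag a script host creating or modifying a script in the Startup folder."""
    target = ev["target"]
    if (basename(ev["image"]) in SCRIPT_HOSTS and STARTUP_RE.search(target)
            and target.lower().endswith(SCRIPT_EXT)):
        return [f"{ev['action']} in Startup folder by script host: {target}"]
    return []


def triage(events):
    """Return {pid: [finding, ...]} for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process"}
    report = {}
    for ev in events:
        found = check_process(ev, by_pid) if ev["kind"] == "process" else check_file(ev)
        if found:
            report.setdefault(ev["pid"], []).extend(found)
    return report


# Constructed events modelled on this report (schema and file-event pids are assumed).
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1416, "ppid": 1100,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\jQCWVHjWAA.js"},
    {"kind": "file", "pid": 1416, "image": r"C:\Windows\system32\wscript.exe",
     "action": "File created", "target": STARTUP + r"\bZQEUbJxNj.js"},
    {"kind": "process", "pid": 1528, "ppid": 1416,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"'},
    {"kind": "file", "pid": 1528, "image": r"C:\Windows\System32\wscript.exe",
     "action": "File created", "target": STARTUP + r"\jQCWVHjWAA.js"},
    # benign control: a shortcut written into Startup by explorer.exe must not fire
    {"kind": "file", "pid": 900, "image": r"C:\Windows\explorer.exe",
     "action": "File created", "target": STARTUP + r"\OneNote.lnk"},
]

if __name__ == "__main__":
    for pid, findings in sorted(triage(SAMPLE_EVENTS).items()):
        for finding in findings:
            print(f"pid {pid}: {finding}")
```

The //B switch is worth keying on because it suppresses the WScript error dialogs and message boxes that would otherwise make a failing script visible to the user, which is why it appears in the re-launch command line for PID 1528. The rules above match only on the host's image name and paths; a production rule would also check the binary's original file name or signer so that a renamed wscript.exe is still caught.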
-
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: a542a21ecaba36f6ba8c6457b8ab67f9
SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a