Analysis
max time kernel
299s
max time network
304s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
17/08/2022, 17:31
Static task
static1
Behavioral task
behavioral1
Sample
TRANSFERENCIA $112987.17.js
Resource
win7-20220812-en
General
Target
TRANSFERENCIA $112987.17.js
Size
50KB
MD5
fec5ad2c4cd364f6780813e4170d43d5
SHA1
b7ce2fb648f9cbf7fd69a16f083599bfe5511d53
SHA256
5dfaea003a9b484fad723fc13f79303169e4c8f2f414a4ee0ef187f7ebd0aac9
SHA512
bfa44ffc12478a1bb12266e8a00ff912def28f321a1eaa400c0cec730f2aacfb97e78822b33f5ad436421e1aa8e170c0da3da01ad646a59f466b0cd04dae4838
Malware Config
Signatures

Blocklisted process makes network request (64 IoCs)
flow  pid   Process
6     1248  wscript.exe
8     1248  wscript.exe
12    1976  wscript.exe
13    1624  wscript.exe
14    1248  wscript.exe
16    1624  wscript.exe
17    1976  wscript.exe
19    1248  wscript.exe
21    1976  wscript.exe
22    1624  wscript.exe
26    1624  wscript.exe
28    1976  wscript.exe
33    1624  wscript.exe
34    1976  wscript.exe
36    1624  wscript.exe
38    1976  wscript.exe
42    1976  wscript.exe
43    1624  wscript.exe
46    1976  wscript.exe
48    1624  wscript.exe
49    1624  wscript.exe
52    1976  wscript.exe
55    1624  wscript.exe
57    1976  wscript.exe
60    1976  wscript.exe
62    1624  wscript.exe
63    1624  wscript.exe
65    1976  wscript.exe
69    1624  wscript.exe
71    1976  wscript.exe
74    1624  wscript.exe
75    1976  wscript.exe
78    1624  wscript.exe
79    1976  wscript.exe
83    1624  wscript.exe
85    1976  wscript.exe
87    1624  wscript.exe
89    1976  wscript.exe
91    1624  wscript.exe
94    1976  wscript.exe
98    1976  wscript.exe
100   1624  wscript.exe
102   1624  wscript.exe
104   1976  wscript.exe
106   1624  wscript.exe
108   1976  wscript.exe
111   1624  wscript.exe
114   1976  wscript.exe
116   1624  wscript.exe
118   1976  wscript.exe
120   1624  wscript.exe
121   1976  wscript.exe
126   1624  wscript.exe
128   1976  wscript.exe
130   1624  wscript.exe
131   1976  wscript.exe
134   1624  wscript.exe
136   1976  wscript.exe
140   1624  wscript.exe
141   1976  wscript.exe
144   1624  wscript.exe
146   1976  wscript.exe
148   1976  wscript.exe
150   1624  wscript.exe

Drops startup file (4 IoCs)
description                   ioc                                                                                         Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process      procid_target
PID 1248 wrote to memory of 1976  1248  wscript.exe  26
PID 1248 wrote to memory of 1976  1248  wscript.exe  26
PID 1248 wrote to memory of 1976  1248  wscript.exe  26
PID 1976 wrote to memory of 1624  1976  wscript.exe  27
PID 1976 wrote to memory of 1624  1976  wscript.exe  27
PID 1976 wrote to memory of 1624  1976  wscript.exe  27
Processes

C:\Windows\system32\wscript.exe
Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA $112987.17.js"
PID: 1248
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (child of PID 1248)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jQCWVHjWAA.js"
    PID: 1976
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wscript.exe (child of PID 1976)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
        PID: 1624
        - Blocklisted process makes network request
        - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize
6KB
MD5
a542a21ecaba36f6ba8c6457b8ab67f9
SHA1
3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256
bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512
78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

Filesize
26KB
MD5
1f7855c87513cf8d9f4b5319445865cf
SHA1
a73d48e0da18067c2e943da97c45acb679e18139
SHA256
b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579
SHA512
41eb3f05e08fa6b878b1a8ffa90cba44756be53ea09d00c63425ba176f1bef31dc677caea99acfb2e6298403efaae1af4e71ea5a7fe29158a9c0510bfee022a9