Analysis
-
max time kernel
52s -
max time network
64s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system -
submitted
15-09-2022 06:32
Static task
static1
Behavioral task
behavioral1
Sample
test.jse
Resource
win10-20220901-en
4 signatures
150 seconds
General
-
Target
test.jse
-
Size
192KB
-
MD5
b40966619d66f80774ebf817c3316acc
-
SHA1
cdc90f17b5a54005993a4db61ac60e0b905f8416
-
SHA256
5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
-
SHA512
a489b19a01b66807e3cc5af17abdc679e72d34139b47f5face96ac68cf183f5d790d24adb065db9327dd82cde24532c3e193a716a5212df310f90eb7e241b88e
-
SSDEEP
6144:9a6398SbpjPvtKLqAMFHEbbz5ek3/Auyn5Ia:xnvkwdizUk3/Auynqa
Score
10/10
Malware Config
Signatures
-
Detect magniber ransomware 3 IoCs
resource  yara_rule
behavioral1/memory/4468-124-0x0000024CF9A00000-0x0000024CF9A12000-memory.dmp  family_magniber
behavioral1/memory/4468-126-0x0000024C80000000-0x0000024C81000000-memory.dmp  family_magniber
behavioral1/memory/2456-127-0x000001E644830000-0x000001E64483B000-memory.dmp  family_magniber
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
4468  WScript.exe
4468  WScript.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   Process      procid_target
PID 4468 wrote to memory of 2456  4468  WScript.exe  43
PID 4468 wrote to memory of 2472  4468  WScript.exe  42
PID 4468 wrote to memory of 2772  4468  WScript.exe  37
PID 4468 wrote to memory of 2116  4468  WScript.exe  36
PID 4468 wrote to memory of 3240  4468  WScript.exe  24
PID 4468 wrote to memory of 3256  4468  WScript.exe  35
PID 4468 wrote to memory of 3448  4468  WScript.exe  34
PID 4468 wrote to memory of 3668  4468  WScript.exe  33
Processes
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  PID: 3240
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3668
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3448
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  PID: 3256
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 2116
  -
  C:\Windows\System32\WScript.exe
    command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\test.jse"
    PID: 4468
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
-
c:\windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2772
-
c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
  PID: 2472
-
c:\windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2456