Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 22/09/2022, 10:31
Static task: static1
Behavioral task: behavioral1
Sample: ION LABZ Statement.js
Resource: win7-20220812-en
General
Target: ION LABZ Statement.js
Size: 117KB
MD5: 911a689ab23a99b27ec0a41df25dc1b2
SHA1: f78334182a6c6af188f996c215ea7b48bb4043ea
SHA256: 6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
SHA512: b0ef082316a219063c26aa92f2adb914fd0ec3648531d9fa0d3082ad13762f3cdedec91b85e936ed6da7bebf227de6f63e8bc10949b059961d1db7beb7517a6d
SSDEEP: 1536:Exy5MbAav/s5Aj6hQDvY1lnpFjPdTtiS7b2Piz4KBVmNBs3lt66hS5LmFf3:9s/ujSvaJPDjYiXVDloI0I3
Malware Config
Extracted
formbook
te2r
riskstudio.uk
Signatures
Blocklisted process makes network request (15 IoCs)
flow | pid | Process
7 | 1340 | WScript.exe
9 | 1340 | WScript.exe
10 | 1340 | WScript.exe
13 | 1340 | WScript.exe
14 | 1340 | WScript.exe
15 | 1340 | WScript.exe
17 | 1340 | WScript.exe
18 | 1340 | WScript.exe
19 | 1340 | WScript.exe
21 | 1340 | WScript.exe
22 | 1340 | WScript.exe
23 | 1340 | WScript.exe
25 | 1340 | WScript.exe
26 | 1340 | WScript.exe
27 | 1340 | WScript.exe
Downloads MZ/PE file
Executes dropped EXE (3 IoCs)
pid | Process
1624 | dl8146395848399798364075715024.exe
1528 | dl8146395848399798364075715024.exe
1628 | dl8146395848399798364075715024.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | WScript.exe
Loads dropped DLL (2 IoCs)
pid | Process
1624 | dl8146395848399798364075715024.exe
1624 | dl8146395848399798364075715024.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" | dl8146395848399798364075715024.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1624 set thread context of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1804 | powershell.exe
1624 | dl8146395848399798364075715024.exe
1624 | dl8146395848399798364075715024.exe
1628 | dl8146395848399798364075715024.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1624 | dl8146395848399798364075715024.exe
Token: SeDebugPrivilege | 1804 | powershell.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1200 | javaw.exe
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 2012 wrote to memory of 1340 | 2012 | wscript.exe | 28
PID 2012 wrote to memory of 1340 | 2012 | wscript.exe | 28
PID 2012 wrote to memory of 1340 | 2012 | wscript.exe | 28
PID 2012 wrote to memory of 1200 | 2012 | wscript.exe | 29
PID 2012 wrote to memory of 1200 | 2012 | wscript.exe | 29
PID 2012 wrote to memory of 1200 | 2012 | wscript.exe | 29
PID 1200 wrote to memory of 1624 | 1200 | javaw.exe | 33
PID 1200 wrote to memory of 1624 | 1200 | javaw.exe | 33
PID 1200 wrote to memory of 1624 | 1200 | javaw.exe | 33
PID 1200 wrote to memory of 1624 | 1200 | javaw.exe | 33
PID 1624 wrote to memory of 1804 | 1624 | dl8146395848399798364075715024.exe | 34
PID 1624 wrote to memory of 1804 | 1624 | dl8146395848399798364075715024.exe | 34
PID 1624 wrote to memory of 1804 | 1624 | dl8146395848399798364075715024.exe | 34
PID 1624 wrote to memory of 1804 | 1624 | dl8146395848399798364075715024.exe | 34
PID 1624 wrote to memory of 1528 | 1624 | dl8146395848399798364075715024.exe | 38
PID 1624 wrote to memory of 1528 | 1624 | dl8146395848399798364075715024.exe | 38
PID 1624 wrote to memory of 1528 | 1624 | dl8146395848399798364075715024.exe | 38
PID 1624 wrote to memory of 1528 | 1624 | dl8146395848399798364075715024.exe | 38
PID 1624 wrote to memory of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
PID 1624 wrote to memory of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
PID 1624 wrote to memory of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
PID 1624 wrote to memory of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
PID 1624 wrote to memory of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
PID 1624 wrote to memory of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
PID 1624 wrote to memory of 1628 | 1624 | dl8146395848399798364075715024.exe | 39
Processes (indentation shows the parent/child tree; the number in parentheses is the depth in that tree)

C:\Windows\system32\wscript.exe (1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"
  PID: 2012
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe (2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
      PID: 1340
      - Blocklisted process makes network request
      - Drops startup file

    C:\Program Files\Java\jre7\bin\javaw.exe (2)
      Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kpakazlev.txt"
      PID: 1200
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe (3)
          Command line: C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
          PID: 1624
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
              (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 50)
              PID: 1804
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe (4)
              Command line: C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
              PID: 1528
              - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe (4)
              Command line: C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
              PID: 1628
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: ca997af70e0e7ba134bd85015d945684
SHA1: 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256: 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512: 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

Filesize: 51KB
MD5: 1d6cb5a374117999329351e6f28268e3
SHA1: a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256: cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512: 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

Filesize: 6KB
MD5: aeea41deb4363e0a23003555ffc0ada1
SHA1: c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256: e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512: bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823