Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
22/09/2022, 10:31
Static task
static1
Behavioral task
behavioral1
Sample
ION LABZ Statement.js
Resource
win7-20220812-en
General
-
Target
ION LABZ Statement.js
-
Size
117KB
-
MD5
911a689ab23a99b27ec0a41df25dc1b2
-
SHA1
f78334182a6c6af188f996c215ea7b48bb4043ea
-
SHA256
6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
-
SHA512
b0ef082316a219063c26aa92f2adb914fd0ec3648531d9fa0d3082ad13762f3cdedec91b85e936ed6da7bebf227de6f63e8bc10949b059961d1db7beb7517a6d
-
SSDEEP
1536:Exy5MbAav/s5Aj6hQDvY1lnpFjPdTtiS7b2Piz4KBVmNBs3lt66hS5LmFf3:9s/ujSvaJPDjYiXVDloI0I3
Malware Config
Extracted
formbook
te2r
riskstudio.uk
Signatures
-
Blocklisted process makes network request 16 IoCs
flow | pid | Process
6 | 4408 | WScript.exe
13 | 4408 | WScript.exe
21 | 4408 | WScript.exe
34 | 4408 | WScript.exe
35 | 4408 | WScript.exe
38 | 4408 | WScript.exe
44 | 4408 | WScript.exe
46 | 4408 | WScript.exe
47 | 4408 | WScript.exe
48 | 4408 | WScript.exe
50 | 4408 | WScript.exe
51 | 4408 | WScript.exe
52 | 4408 | WScript.exe
53 | 4408 | WScript.exe
54 | 4408 | WScript.exe
55 | 4408 | WScript.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid | Process
3732 | dl-20451412363164798541208127808.exe
4316 | dl-20451412363164798541208127808.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | dl-20451412363164798541208127808.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | WScript.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" | dl-20451412363164798541208127808.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3732 set thread context of 4316 | 3732 | dl-20451412363164798541208127808.exe | 94
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | wscript.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4272 | powershell.exe
4272 | powershell.exe
4316 | dl-20451412363164798541208127808.exe
4316 | dl-20451412363164798541208127808.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3732 | dl-20451412363164798541208127808.exe
Token: SeDebugPrivilege | 4272 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4288 | javaw.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 4800 wrote to memory of 4408 | 4800 | wscript.exe | 82
PID 4800 wrote to memory of 4408 | 4800 | wscript.exe | 82
PID 4800 wrote to memory of 4288 | 4800 | wscript.exe | 83
PID 4800 wrote to memory of 4288 | 4800 | wscript.exe | 83
PID 4288 wrote to memory of 3732 | 4288 | javaw.exe | 86
PID 4288 wrote to memory of 3732 | 4288 | javaw.exe | 86
PID 4288 wrote to memory of 3732 | 4288 | javaw.exe | 86
PID 3732 wrote to memory of 4272 | 3732 | dl-20451412363164798541208127808.exe | 92
PID 3732 wrote to memory of 4272 | 3732 | dl-20451412363164798541208127808.exe | 92
PID 3732 wrote to memory of 4272 | 3732 | dl-20451412363164798541208127808.exe | 92
PID 3732 wrote to memory of 4316 | 3732 | dl-20451412363164798541208127808.exe | 94
PID 3732 wrote to memory of 4316 | 3732 | dl-20451412363164798541208127808.exe | 94
PID 3732 wrote to memory of 4316 | 3732 | dl-20451412363164798541208127808.exe | 94
PID 3732 wrote to memory of 4316 | 3732 | dl-20451412363164798541208127808.exe | 94
PID 3732 wrote to memory of 4316 | 3732 | dl-20451412363164798541208127808.exe | 94
PID 3732 wrote to memory of 4316 | 3732 | dl-20451412363164798541208127808.exe | 94
Processes
-
[depth 1] C:\Windows\system32\wscript.exe
Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4800
-
[depth 2] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
- Blocklisted process makes network request
- Drops startup file
PID: 4408
-
[depth 2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ursgowhxgc.txt"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4288
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
Command line: C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3732
-
[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
(the -enc argument is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 50, a sandbox-evasion delay before the second-stage child below)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4272
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
Command line: C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 4316
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 6KB
MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9
-
Filesize 51KB
MD5 1d6cb5a374117999329351e6f28268e3
SHA1 a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256 cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51
-
Filesize 6KB
MD5 aeea41deb4363e0a23003555ffc0ada1
SHA1 c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256 e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512 bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823