Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
22/09/2022, 17:28
Static task
static1
Behavioral task
behavioral1
Sample
ION LABZ Statement.js
Resource
win7-20220901-en
General
-
Target
ION LABZ Statement.js
-
Size
117KB
-
MD5
911a689ab23a99b27ec0a41df25dc1b2
-
SHA1
f78334182a6c6af188f996c215ea7b48bb4043ea
-
SHA256
6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
-
SHA512
b0ef082316a219063c26aa92f2adb914fd0ec3648531d9fa0d3082ad13762f3cdedec91b85e936ed6da7bebf227de6f63e8bc10949b059961d1db7beb7517a6d
-
SSDEEP
1536:Exy5MbAav/s5Aj6hQDvY1lnpFjPdTtiS7b2Piz4KBVmNBs3lt66hS5LmFf3:9s/ujSvaJPDjYiXVDloI0I3
Malware Config
Extracted
formbook
te2r
Fd9/7zupFcFsmNMDWQ==
7VlRReDWtbu4LUTd5fNe/zPDyw==
jQgurOY8oCSzrjSP+2/F1jU=
xTMzpNwUaiHAy4+Anaz1
RcLapxVS9iOZhw==
lfLSnVItJp+5ImXLvcrLFTUXRmDxTnik
vj9fMOxFLjrOtdhP1GZo0KXIQ388
/91mgBbtxFIxtQk=
4FZ0aRyH/rEdFibAy+VjQyWIUIZaHBQ=
ScHdt3/t4FIxtQk=
/M9svqdL9iOZhw==
iFX1abANxkj893bVWA==
KzjvVANMpiTBmg==
aEKKEue7E9JtmNMDWQ==
+Mdhw6992svnUbzeo5y0zSn+B2co
albc98wrE0xtKjOoOOQ=
DV6CgU6omcjeZ6bJEG/F1jU=
NH981rm1JdyUNRd1
yi0xIqrxV83bmNMDWQ==
v8l52aXp4VIxtQk=
WMLesyFk2GDrymHL6sJhSA==
mwPvLC+p9iOZhw==
sRcXd1s8v+8ZeG/MtdpqB8uqeVfTxWqJgA==
NrXLmPbOmdX7f7oO2+HlKBajNSM=
rA4qraHeGwuv
81Vavo7TvrmUNRd1
6zFRRxZbN3eOC4Hr/tbSAmYB
NZ20hOzkzFIxtQk=
4W5EBEiJ/efwW2CAnaz1
jvkGKZ7zYuVfhLMOmEQgQA==
n40TaKr5UdZhmNMDWQ==
QL3juFq3IR6LgQ==
ovf90FAiAW3yz0Op6sJhSA==
6dF92/I1XmyZCQxr
pqRGRv1Rfm+K3wY=
ziAsyBFi9iOZhw==
j/n54WNFS/ujqXbX6sJhSA==
uBkjoeEzjwWGVsU+u1ku/zPDyw==
Ani5vYjvBambKG6rJLhY/zPDyw==
bewGzHnhwLTDLE+1kLrcJRajNSM=
Z7W1bBp0c6WV8SJFWjIzlT0=
1lZ79TmoGbM5AakYEza8lVG3hCW40A==
69WD6MoYDTxPzSiZELCTchajNSM=
QkTq40YlGuHCQ8H3Tddh/zPDyw==
XjK6Kjgdi4EUFlG6kKTIJRajNSM=
o/0L0WnZUQwEis1i
l51TzuC8OmWF8kZbKF4kQA==
pvUA6lqaFcVbWC2nwdvkciMJ
qPv9bbUJYOMYapyxk6/9
WiWSlWa+q9bHStE9wmAu/zPDyw==
+Op+6vPJLmbVxmPGUQ==
cjzGJW/JPy3ftZT1u9dd/zPDyw==
aseyfK4eDFIxtQk=
8uikGFKVGmLmwx4=
UZ2tszMF83SrDTxrgn2zXw==
LkLuU1I9trBxN5uA+qri
cvkoGOM9Gxivj3rgt+Jy/6KzTYDG1g==
qqdGxb3/ATVGjH28oW/F1jU=
E1lmbvY2kxZDodQ3KkV52EnisfrxTnik
EVpoA7vkSf+jqXbX6sJhSA==
/E5pOdTcxTFIksP9X9xm/zPDyw==
Mf2d+QmwiFgEis1i
A/2zGEmV7Z4/QFdu0W/F1jU=
Kn+6hS0A7PeUNRd1
riskstudio.uk
Signatures
-
Blocklisted process makes network request 15 IoCs
flow pid Process 11 4364 WScript.exe 25 4364 WScript.exe 34 4364 WScript.exe 42 4364 WScript.exe 43 4364 WScript.exe 46 4364 WScript.exe 50 4364 WScript.exe 53 4364 WScript.exe 54 4364 WScript.exe 57 4364 WScript.exe 58 4364 WScript.exe 59 4364 WScript.exe 60 4364 WScript.exe 61 4364 WScript.exe 62 4364 WScript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 4944 dl-16503567014952209964929404604.exe 4784 dl-16503567014952209964929404604.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dl-16503567014952209964929404604.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js WScript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js WScript.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" dl-16503567014952209964929404604.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4944 set thread context of 4784 4944 dl-16503567014952209964929404604.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings wscript.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 320 powershell.exe 320 powershell.exe 4784 dl-16503567014952209964929404604.exe 4784 dl-16503567014952209964929404604.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4944 dl-16503567014952209964929404604.exe Token: SeDebugPrivilege 320 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3824 javaw.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4568 wrote to memory of 4364 4568 wscript.exe 81 PID 4568 wrote to memory of 4364 4568 wscript.exe 81 PID 4568 wrote to memory of 3824 4568 wscript.exe 82 PID 4568 wrote to memory of 3824 4568 wscript.exe 82 PID 3824 wrote to memory of 4944 3824 javaw.exe 83 PID 3824 wrote to memory of 4944 3824 javaw.exe 83 PID 3824 wrote to memory of 4944 3824 javaw.exe 83 PID 4944 wrote to memory of 320 4944 dl-16503567014952209964929404604.exe 87 PID 4944 wrote to memory of 320 4944 dl-16503567014952209964929404604.exe 87 PID 4944 wrote to memory of 320 4944 dl-16503567014952209964929404604.exe 87 PID 4944 wrote to memory of 4784 4944 dl-16503567014952209964929404604.exe 93 PID 4944 wrote to memory of 4784 4944 dl-16503567014952209964929404604.exe 93 PID 4944 wrote to memory of 4784 4944 dl-16503567014952209964929404604.exe 93 PID 4944 wrote to memory of 4784 4944 dl-16503567014952209964929404604.exe 93 PID 4944 wrote to memory of 4784 4944 dl-16503567014952209964929404604.exe 93 PID 4944 wrote to memory of 4784 4944 dl-16503567014952209964929404604.exe 93
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"2⤵
- Blocklisted process makes network request
- Drops startup file
PID:4364
-
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rbdaczbn.txt"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exeC:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exeC:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4784
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5ca997af70e0e7ba134bd85015d945684
SHA10d2972cf028063d8086fc6207537d8d1796993b7
SHA25674cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9
-
Filesize
6KB
MD5ca997af70e0e7ba134bd85015d945684
SHA10d2972cf028063d8086fc6207537d8d1796993b7
SHA25674cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9
-
Filesize
6KB
MD5ca997af70e0e7ba134bd85015d945684
SHA10d2972cf028063d8086fc6207537d8d1796993b7
SHA25674cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9
-
Filesize
51KB
MD51d6cb5a374117999329351e6f28268e3
SHA1a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA5120ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51
-
Filesize
6KB
MD5aeea41deb4363e0a23003555ffc0ada1
SHA1c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823