Analysis

max time kernel: 142s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23/09/2022, 13:40
Static task: static1
Behavioral task: behavioral1
Sample: Statement Power Metre SRL.js
Resource: win7-20220901-en
General

Target: Statement Power Metre SRL.js
Size: 117KB
MD5: 911a689ab23a99b27ec0a41df25dc1b2
SHA1: f78334182a6c6af188f996c215ea7b48bb4043ea
SHA256: 6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
SHA512: b0ef082316a219063c26aa92f2adb914fd0ec3648531d9fa0d3082ad13762f3cdedec91b85e936ed6da7bebf227de6f63e8bc10949b059961d1db7beb7517a6d
SSDEEP: 1536:Exy5MbAav/s5Aj6hQDvY1lnpFjPdTtiS7b2Piz4KBVmNBs3lt66hS5LmFf3:9s/ujSvaJPDjYiXVDloI0I3
Malware Config
Signatures

Blocklisted process makes network request (13 IoCs)
flow  pid   Process
4     2024  WScript.exe
9     2024  WScript.exe
11    2024  WScript.exe
13    2024  WScript.exe
14    2024  WScript.exe
15    2024  WScript.exe
17    2024  WScript.exe
18    2024  WScript.exe
19    2024  WScript.exe
21    2024  WScript.exe
22    2024  WScript.exe
23    2024  WScript.exe
25    2024  WScript.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid   Process
2008  dl-8145328203593744586375516193.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js  WScript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js  WScript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2008  dl-8145328203593744586375516193.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  Process
580  javaw.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description                       pid   Process      procid_target
PID 1700 wrote to memory of 2024  1700  wscript.exe  28
PID 1700 wrote to memory of 2024  1700  wscript.exe  28
PID 1700 wrote to memory of 2024  1700  wscript.exe  28
PID 1700 wrote to memory of 580   1700  wscript.exe  29
PID 1700 wrote to memory of 580   1700  wscript.exe  29
PID 1700 wrote to memory of 580   1700  wscript.exe  29
PID 580 wrote to memory of 2008   580   javaw.exe    33
PID 580 wrote to memory of 2008   580   javaw.exe    33
PID 580 wrote to memory of 2008   580   javaw.exe    33
PID 580 wrote to memory of 2008   580   javaw.exe    33
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"
    - Suspicious use of WriteProcessMemory
    PID: 1700

    [2] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
        - Blocklisted process makes network request
        - Drops startup file
        PID: 2024

    [2] C:\Program Files\Java\jre7\bin\javaw.exe
        Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bqdusfmk.txt"
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 580

        [3] C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 2008
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 7KB
MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

Filesize: 7KB
MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

Filesize: 51KB
MD5: 1d6cb5a374117999329351e6f28268e3
SHA1: a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256: cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512: 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

Filesize: 6KB
MD5: aeea41deb4363e0a23003555ffc0ada1
SHA1: c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256: e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512: bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823