Analysis
max time kernel
127s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
10/10/2022, 11:17
Static task
static1
Behavioral task
behavioral1
Sample
DP1010.js
Resource
win7-20220812-en
General
Target
DP1010.js
Size
462KB
MD5
fbed7e5f3d4312ba715856597ca55060
SHA1
8b047a323041693ad29f3eb3c56653c2d6630356
SHA256
319372731b242e6a2e7b2e159c2272c34dba4f9af69691d7b887df75353f3823
SHA512
a9ab7cdd172639eea6076aafe3801f25f67e78a0072b6b5083c9573a030e03a625dc01600a2039fb27486720ff23969368f46b4104288ad3fd32fac149eda750
SSDEEP
6144:kJU4h6FzMe3n2xL/l5EMmPfkScu+zbDbMINH8erNLnDQHQOiHWHtTXjRhcHybCh2:kJUAyobEMmPfkScu80ibhJy+HhLjGrV
Malware Config
Signatures

Blocklisted process makes network request (5 IoCs)
flow  pid  Process
4     856  wscript.exe
7     856  wscript.exe
9     856  wscript.exe
11    856  wscript.exe
12    856  wscript.exe

Executes dropped EXE (1 IoCs)
pid   Process
1324  fireblende.exe

Drops startup file (2 IoCs)
description                   ioc                                                                                      Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1324  fireblende.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                        pid   Process      procid_target
PID 1848 wrote to memory of 856    1848  wscript.exe  28
PID 1848 wrote to memory of 856    1848  wscript.exe  28
PID 1848 wrote to memory of 856    1848  wscript.exe  28
PID 1848 wrote to memory of 1324   1848  wscript.exe  29
PID 1848 wrote to memory of 1324   1848  wscript.exe  29
PID 1848 wrote to memory of 1324   1848  wscript.exe  29
PID 1848 wrote to memory of 1324   1848  wscript.exe  29
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js
  - Suspicious use of WriteProcessMemory
  PID: 1848
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"
    - Blocklisted process makes network request
    - Drops startup file
    PID: 856
  - C:\Users\Admin\AppData\Local\Temp\fireblende.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fireblende.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 1324
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize
252KB
MD5
f5eeb7b7ec72a813286f53d736c9f78a
SHA1
ce5cf9aef07eeb0f8dfaec7bb708540572a0d7e9
SHA256
19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358
SHA512
4528a0dbe9f9a2068086d7a2193fd10c81774f6e30c857fb60cb284387613aa5350845a81b74d5b9e37c1d9cd4058fe2b73b451efbfdc452f97d757ff16d14e9

Filesize
5KB
MD5
8a0de3cb189e9f7611b73438796e43ba
SHA1
73684c9be5b1992510c4e0a8d3b70137a2efd207
SHA256
ce31a6b170ccb2670e50cc95c292923cde1aff9ea1bbf6d64c9f2d6338991899
SHA512
8c92d8cc47f356b48020bbbfe17dafc9e9420f08b3bfa43b53ef7d3afc129282bc5248db5115202ff58c424c5c5c417271382d5e33ab305d5d550f4165346ac2