Analysis

max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 08:41

Static task: static1
Behavioral task: behavioral1
Sample: transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
Resource: win7-20220901-en
General

Target: transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
Size: 113KB
MD5: a3f0fc528a20dbcacfb69e1b69907a4b
SHA1: 400c75cffd7342908c1282b862d3df10d5a95e65
SHA256: 508b21cb602b5a3e9e19eb6ba9e010fb0d4a743d18e4a869063f72e2454324f7
SHA512: 6c750e6f3c53d4bdc1e7c1602c46692ef04143434a76e66ab373a7091c9ddf1816c67dd39106c5db27212eb6a905858677f24ae479f29d6ad1a2ded836b022ae
SSDEEP: 1536:W7KmfMkwheMurpzqwPUSvf0cCF11blV6DmEJMAB/iJuoG2446rTCRLTiR6RccQ:o2Mrqe7C/0vB2uo96/U/XPQ
Malware Config
Signatures
Blocklisted process makes network request (5 IoCs)

  flow  pid  Process
  5     472  WScript.exe
  7     472  WScript.exe
  9     472  WScript.exe
  12    472  WScript.exe
  14    472  WScript.exe

Drops startup file (2 IoCs)

  description                   ioc                                                                                      Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js  WScript.exe

Enumerates physical storage devices (1 TTPs)

  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (1 IoCs)

  pid   Process
  1628  javaw.exe

Suspicious use of WriteProcessMemory (6 IoCs)

  description                          pid  Process      procid_target
  PID 620 wrote to memory of 472       620  wscript.exe  27
  PID 620 wrote to memory of 472       620  wscript.exe  27
  PID 620 wrote to memory of 472       620  wscript.exe  27
  PID 620 wrote to memory of 1628      620  wscript.exe  28
  PID 620 wrote to memory of 1628      620  wscript.exe  28
  PID 620 wrote to memory of 1628      620  wscript.exe  28
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
   PID: 620
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js"
      PID: 472
      - Blocklisted process makes network request
      - Drops startup file

   2. C:\Program Files\Java\jre7\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\phbumwz.txt"
      PID: 1628
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: 7d8cc50c80e29db13ca0032d3e00a56d
SHA1: d8d138717093b67b4d6205234c82a6fe4f801429
SHA256: 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b
SHA512: b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c

Filesize: 51KB
MD5: c1783ea3118978252aa6c8891d0ea61c
SHA1: 9986142768fd83fb445f8ac6dfd196aba3fb3139
SHA256: 23b78abed63ac1a61a43873aa4bc168f30a4bef0e1fa9132a89f479c02805855
SHA512: 6a22b6683589c981eaa8d1aad2bfaffc06789ec9671b3a6ec6b7279f4fcbaf6d2c1b1bf8ed3ffb047a86e711294d66b532d313805b4973566afd27b2fc182006