Analysis
max time kernel
24s
max time network
64s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
09-11-2022 14:39
Static task
static1
Behavioral task
behavioral1
Sample
879-5160.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
879-5160.js
Resource
win10v2004-20220812-en
General
Target
879-5160.js
Size
438KB
MD5
90764ebb7698c03e99414abebcb5746c
SHA1
047fae3fc68e5a3d540606e23a9e0c776caed390
SHA256
74fca8bc66d82048835fd2683fb673f82c6bbba6fc5ae1f7b07c2be6f5437a68
SHA512
e88154b0e2db0ea886e0ea1de3ff0053dbff387f2b1b941f5ceedaa73d3c72d26dbc6e8c9b97e6f7d79f1f624afad65ff4ec3eafe2f57db831f10af2ecbfdcdc
SSDEEP
6144:uG40ClC7RcWn8EZ5K9wCmZ7FMI5L2sDlPt8rXC8kjJ1egfVX8IPxxmVfhiUJeeI+:uG4BiF5K9YV2mtw3gdXZXEIvYcXM
Malware Config
Signatures
Drops startup file (4 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js | wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\879-5160.js"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\879-5160.js"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 608 wrote to memory of 1752 | 608 | wscript.exe | 28
PID 608 wrote to memory of 1752 | 608 | wscript.exe | 28
PID 608 wrote to memory of 1752 | 608 | wscript.exe | 28
PID 608 wrote to memory of 1444 | 608 | wscript.exe | 30
PID 608 wrote to memory of 1444 | 608 | wscript.exe | 30
PID 608 wrote to memory of 1444 | 608 | wscript.exe | 30
Processes

C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js
  PID: 608
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (depth 2, child of PID 608)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"
    PID: 1752
    - Drops startup file

  C:\Program Files\Java\jre7\bin\javaw.exe (depth 2, child of PID 608)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"
    PID: 1444
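The Signatures and Processes sections above describe three persistence and execution patterns a detection engineer would want to alert on: a Run key whose value launches wscript.exe with //B (no console, no error dialogs), script files created in the per-user Startup folder, and a script host spawning javaw.exe -jar from a user-writable directory. The following is an added example, not part of the sandbox report and not code from any sandbox or EDR product: a small detection pass over host telemetry records modelled on the rows in this report. The Event dataclass and its field names (kind, process, path, value, cmdline, parent) are this example's own convention, the rule names are made up here, and the sample events are constructed from the report's IoCs plus one constructed benign Run value as a control.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"javaw.exe", "java.exe"}
# Run / RunOnce autostart keys, under either HKLM or a user hive
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Script-type file written into a user's Startup folder
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:jse|js|vbe|vbs|wsf|hta)$", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
SCRIPT_ARG_RE = re.compile(r'"?([A-Z]:\\[^"]+?\.(?:jse|js|vbe|vbs|wsf|hta))"?', re.I)
JAR_ARG_RE = re.compile(r'-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))', re.I)
BATCH_FLAG_RE = re.compile(r"(?:^|\s)//B(?:\s|$)", re.I)  # wscript/cscript batch (silent) mode


@dataclass
class Event:
    kind: str          # "reg_set", "file_create" or "proc_create" (this example's schema)
    process: str       # image name of the process that performed the action
    path: str = ""     # registry value path or file path
    value: str = ""    # registry data for reg_set
    cmdline: str = ""  # full command line for proc_create
    parent: str = ""   # parent image name for proc_create


def first_token(cmdline: str) -> str:
    """Image name (lower-case, no directory) of the program a command line starts."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = (m.group(1) or m.group(2)) if m else ""
    return exe.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, indicator) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        if e.kind == "reg_set" and RUN_KEY_RE.search(e.path):
            # Rule 1: autostart value that runs a script host in silent (//B) mode
            if first_token(e.value) in SCRIPT_HOSTS and BATCH_FLAG_RE.search(e.value):
                hits.append(("run_key_script_host", e.path))
        elif e.kind == "file_create" and STARTUP_RE.search(e.path):
            # Rule 2: script dropped into the per-user Startup folder
            hits.append(("startup_folder_script", e.path))
        elif e.kind == "proc_create":
            exe = first_token(e.cmdline)
            jar = JAR_ARG_RE.search(e.cmdline)
            jar_path = (jar.group(1) or jar.group(2)) if jar else ""
            script = SCRIPT_ARG_RE.search(e.cmdline)
            if (e.parent.lower() in SCRIPT_HOSTS and exe in JAVA_HOSTS
                    and jar_path and USER_WRITABLE_RE.match(jar_path)):
                # Rule 3: script host launching a JAR from a user-writable directory
                hits.append(("script_host_spawns_jar", jar_path))
            elif (exe in SCRIPT_HOSTS and BATCH_FLAG_RE.search(e.cmdline)
                    and script and USER_WRITABLE_RE.match(script.group(1))):
                # Rule 4: silent script host running a script that lives under AppData
                hits.append(("hidden_script_host_from_appdata", script.group(1)))
    return hits


# Sample telemetry, constructed from the rows of this report (plus one benign control)
SID = "S-1-5-21-3845472200-3839195424-595303356-1000"
RUN_CMD = r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\879-5160.js"'
SAMPLE_EVENTS = [
    Event("reg_set", "wscript.exe",
          path=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160", value=RUN_CMD),
    Event("reg_set", "wscript.exe",
          path=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\879-5160", value=RUN_CMD),
    Event("file_create", "wscript.exe",
          path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js"),
    Event("file_create", "wscript.exe",
          path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js"),
    Event("proc_create", "wscript.exe", parent="wscript.exe",
          cmdline=r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"'),
    Event("proc_create", "javaw.exe", parent="wscript.exe",
          cmdline=r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"'),
    # constructed benign control: an ordinary Run value that is not a script host
    Event("reg_set", "OneDriveSetup.exe",
          path=rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          value=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for rule, indicator in detect(SAMPLE_EVENTS):
        print(f"{rule}: {indicator}")
```

Rule 1 keys on the //B flag rather than on the script path because the sample's Run value points at %TEMP%, but a Run value that silently launches any script host is worth a look regardless of where the script sits. Rule 3 requires both the script-host parent and a user-writable JAR path, which keeps legitimately installed Java applications started from Program Files out of the results.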
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize
100KB
MD5
3af77cc94136164de04568f4f1aed56c
SHA1
4cbff075ffa329b5b98cf892512f88dcd5804218
SHA256
b751a9ded2c54c5759c1609d497bad0cad7ebd324243bbd45cfbfe435749cede
SHA512
657769932dfb6bde085d0f17aff937bbe556765ac7456060a86010de19dadbc354ea0c7a60de71a348c5618480bd772c3bcbea6c377e5b91260bcccd4cb1f403

Filesize
7KB
MD5
4ae28435a346bd27612683e2dd95d23a
SHA1
cf1e5c6550216f15e175576d9229a6ed2bed965f
SHA256
c18232e11968884595a6ca0f2c3c6d43c864d97f3212b99d4eb6b4194a589cfa
SHA512
9d7140675a82e375364f7726f83bc311028644ff2f8f6857b1cf91ec3ea74938ed3a6c0d1c0dc099918d886db0e70c01721c17e5ec0930e9a201d450336df13f