Analysis
- max time kernel: 46s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2022 15:28
- Static task static1
- Behavioral task behavioral1: Sample AS.js, Resource win7-20220812-en
- Behavioral task behavioral2: Sample AS.js, Resource win10v2004-20220901-en
- Behavioral task behavioral3: Sample fix/sidetracks.js, Resource win7-20220901-en
- Behavioral task behavioral4: Sample fix/sidetracks.js, Resource win10v2004-20220812-en
- Behavioral task behavioral5: Sample fix/towns.ps1, Resource win7-20221111-en
- Behavioral task behavioral6: Sample fix/towns.ps1, Resource win10v2004-20221111-en
General
- Target: fix/sidetracks.js
- Size: 130B
- MD5: 6ab3b89d6faf74ab79106ab398847eac
- SHA1: 6344745f6912f6bb595120aea452a28abdea97fe
- SHA256: 63291a88c8c4a38a2841cc4830627d267bc26b7916089c95f2a8035d121ecb06
- SHA512: 4060fa17d8b5926ba3bfcb568a1d7aca4b45cde1b8ea278fe49d334041479aa91342eaaf4879ff476bfeb731f5bd37aea4d380de54c4ab900a32c6f45c8c5b44
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process): 1620 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process): Token: SeDebugPrivilege / 1620 / powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 1308 wrote to memory of 1620 / 1308 / wscript.exe / powershell.exe
  PID 1308 wrote to memory of 1620 / 1308 / wscript.exe / powershell.exe
  PID 1308 wrote to memory of 1620 / 1308 / wscript.exe / powershell.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fix\sidetracks.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass fix\towns.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1308-54-0x000007FEFB651000-0x000007FEFB653000-memory.dmp (Filesize 8KB)
- memory/1620-55-0x0000000000000000-mapping.dmp
- memory/1620-57-0x000007FEF3C00000-0x000007FEF4623000-memory.dmp (Filesize 10.1MB)
- memory/1620-58-0x000007FEF30A0000-0x000007FEF3BFD000-memory.dmp (Filesize 11.4MB)
- memory/1620-59-0x00000000022F0000-0x0000000002370000-memory.dmp (Filesize 512KB)