Overview
overview    score 10

Static
static      (no score shown)

Task                   Platform              Score
109a25a65d...f4c.js    windows7-x64          10
109a25a65d...f4c.js    windows10-2004-x64    10
31f0b844ee...a6.xls    windows7-x64          1
31f0b844ee...a6.xls    windows10-2004-x64    1
641d80a70d...d2e.js    windows7-x64          10
641d80a70d...d2e.js    windows10-2004-x64    10
8aa5dd5a83...486.js    windows7-x64          10
8aa5dd5a83...486.js    windows10-2004-x64    10
e79d5e1f9f...b4.vbs    windows7-x64          1
e79d5e1f9f...b4.vbs    windows10-2004-x64    1

Analysis
max time kernel:   148s
max time network:  152s
platform:          windows7_x64
resource:          win7-20221111-en
resource tags:     arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted:         29/12/2022, 00:43
Static task
static1

Behavioral tasks
Task          Sample                                  Resource
behavioral1   109a25a65dcb12435377b0f9f4159f4c.js     win7-20221111-en
behavioral2   109a25a65dcb12435377b0f9f4159f4c.js     win10v2004-20221111-en
behavioral3   31f0b844ee61cd2c8bbea74fc2b09ba6.xls    win7-20221111-en
behavioral4   31f0b844ee61cd2c8bbea74fc2b09ba6.xls    win10v2004-20220812-en
behavioral5   641d80a70da56a8b33cbaff530cf6d2e.js     win7-20221111-en
behavioral6   641d80a70da56a8b33cbaff530cf6d2e.js     win10v2004-20220812-en
behavioral7   8aa5dd5a8392d399292fd831f9ebc486.js     win7-20220812-en
behavioral8   8aa5dd5a8392d399292fd831f9ebc486.js     win10v2004-20220812-en
behavioral9   e79d5e1f9fff4bf994e5538522b24eb4.vbs    win7-20220812-en
behavioral10  e79d5e1f9fff4bf994e5538522b24eb4.vbs    win10v2004-20221111-en
General
Target:  641d80a70da56a8b33cbaff530cf6d2e.js
Size:    267KB
MD5:     641d80a70da56a8b33cbaff530cf6d2e
SHA1:    9dc182e6dd82a28c2546583bdd2c4d7a86f70aeb
SHA256:  bc6b3044943128e9f326b4c0bde41375596254ac5fb4f0e8c00c2eef33688247
SHA512:  f0de610da7b3be90db1c591a973fde1da4f6c2e6b27e388d3d7086e1ad975de1d9c645beff98c0b7f193438839d29a36c059f17fe874d7d4ce31feda39228481
SSDEEP:  3072:U/YirPgDvzlvtD636gUNgUmMuUbemcVGHQmC+DYUzSsqbDrCPx7Yvgke/ikIS363:JpvtD6DumBVGHbrSPrCpkvM3RlP6Rb
Malware Config
Signatures

Blocklisted process makes network request (37 IoCs)
flow  pid   Process
7     1096  wscript.exe
8     1164  wscript.exe
10    1096  wscript.exe
11    1096  wscript.exe
13    1164  wscript.exe
14    1096  wscript.exe
16    1164  wscript.exe
19    1096  wscript.exe
21    1164  wscript.exe
23    1096  wscript.exe
24    1164  wscript.exe
26    1096  wscript.exe
28    1096  wscript.exe
30    1164  wscript.exe
32    1096  wscript.exe
34    1164  wscript.exe
35    1096  wscript.exe
38    1164  wscript.exe
39    1096  wscript.exe
41    1164  wscript.exe
42    1096  wscript.exe
44    1096  wscript.exe
45    1164  wscript.exe
48    1096  wscript.exe
50    1164  wscript.exe
51    1096  wscript.exe
53    1164  wscript.exe
55    1096  wscript.exe
57    1096  wscript.exe
58    1164  wscript.exe
60    1096  wscript.exe
61    1164  wscript.exe
63    1096  wscript.exe
66    1164  wscript.exe
68    1096  wscript.exe
70    1164  wscript.exe
71    1096  wscript.exe

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\641d80a70da56a8b33cbaff530cf6d2e.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\641d80a70da56a8b33cbaff530cf6d2e.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ETjJkVMSdD.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ETjJkVMSdD.js | wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\641d80a70da56a8b33cbaff530cf6d2e = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\641d80a70da56a8b33cbaff530cf6d2e.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\641d80a70da56a8b33cbaff530cf6d2e = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\641d80a70da56a8b33cbaff530cf6d2e.js\"" | wscript.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
5     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1096 wrote to memory of 1164 | 1096 | wscript.exe | 28
PID 1096 wrote to memory of 1164 | 1096 | wscript.exe | 28
PID 1096 wrote to memory of 1164 | 1096 | wscript.exe | 28
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\641d80a70da56a8b33cbaff530cf6d2e.js
  PID: 1096
  Signatures:
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ETjJkVMSdD.js"
    PID: 1164
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize:  8KB
MD5:       2e63f3ff7040a45ea0bc347772548885
SHA1:      615f3e2228e727f1c2f161cba09cda1bea0025fe
SHA256:    1b3200096468c60b55ec3ffcc65176da93cc1e34279c57b040e0c1c170472674
SHA512:    3f0f826035c71e35dd72782fb286ddaecb9ae7b881ef48e34960456528ab036f690e521a84e9bee4376608f7fb3aec3abc8877ee49f093cf2ebbf35be501f603