Analysis
max time kernel: 167s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2023 08:56
Static task: static1
Behavioral task: behavioral1
  Sample: cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
  Resource: win10v2004-20221111-en
General
Target: cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
Size: 260KB
MD5: ec87b49270ad1afb170890fc4644bd59
SHA1: 997f47e7d0bd7bc4ba59c2b737c0b5e108858b62
SHA256: cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3
SHA512: 2daa9b36563380a3d55f2a0ec8ddbd1b8fe5d045acb9b98fb210af0e861ed523adef67ee791680e9a9608733e89ba274507ed2405ac9191f62e01f709f19162f
SSDEEP: 6144:EPP/pyxHpiGSxCXJZTv+jCtMX1/MJIUDKi:EPHpyR17r+jCtMl/kD9
Malware Config
Signatures
Blocklisted process makes network request (26 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
flow | pid  | Process
5    | 792  | wscript.exe
6    | 1124 | wscript.exe
8    | 2056 | wscript.exe
12   | 1124 | wscript.exe
20   | 1124 | wscript.exe
25   | 2056 | wscript.exe
28   | 792  | wscript.exe
29   | 2056 | wscript.exe
30   | 1124 | wscript.exe
33   | 2056 | wscript.exe
34   | 2056 | wscript.exe
43   | 792  | wscript.exe
44   | 1124 | wscript.exe
45   | 792  | wscript.exe
46   | 2056 | wscript.exe
51   | 2056 | wscript.exe
53   | 2056 | wscript.exe
54   | 1124 | wscript.exe
61   | 792  | wscript.exe
64   | 792  | wscript.exe
65   | 2056 | wscript.exe
67   | 792  | wscript.exe
68   | 1124 | wscript.exe
69   | 1124 | wscript.exe
73   | 2056 | wscript.exe
74   | 792  | wscript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (5 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PQqoNmhZsB.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PQqoNmhZsB.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PQqoNmhZsB.js | wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7    | ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe, wscript.exe
description | pid | Process | procid_target
PID 360 wrote to memory of 792 | 360 | wscript.exe | 80
PID 360 wrote to memory of 792 | 360 | wscript.exe | 80
PID 360 wrote to memory of 2056 | 360 | wscript.exe | 81
PID 360 wrote to memory of 2056 | 360 | wscript.exe | 81
PID 2056 wrote to memory of 1124 | 2056 | wscript.exe | 82
PID 2056 wrote to memory of 1124 | 2056 | wscript.exe | 82
Processes
C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
  PID: 360
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PQqoNmhZsB.js"
    PID: 792
    - Blocklisted process makes network request
    - Drops startup file
  C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js"
    PID: 2056
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (depth 3)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PQqoNmhZsB.js"
      PID: 1124
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: a46a00fce7c7561dd03f37519c548491
SHA1: d707d5893467538b1ef934900fa7953b0ba3be37
SHA256: db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b
SHA512: 61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3.js
Filesize: 260KB
MD5: ec87b49270ad1afb170890fc4644bd59
SHA1: 997f47e7d0bd7bc4ba59c2b737c0b5e108858b62
SHA256: cd6b788372fc6c577a7f0de514ee7a4ed42da59b866581ddeb0e6c38228428d3
SHA512: 2daa9b36563380a3d55f2a0ec8ddbd1b8fe5d045acb9b98fb210af0e861ed523adef67ee791680e9a9608733e89ba274507ed2405ac9191f62e01f709f19162f