Analysis
-
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2023 13:08
Static task: static1
Behavioral task: behavioral1 (Sample: 1.js, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: 1.js, Resource: win10v2004-20220812-en)
Behavioral task: behavioral3 (Sample: 2.js, Resource: win7-20220901-en)
Behavioral task: behavioral4 (Sample: 2.js, Resource: win10v2004-20221111-en)
General
-
Target: 2.js
Size: 984KB
MD5: 23e6dafa419a763923005e18ac40b8b4
SHA1: 8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256: 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512: 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3
SSDEEP: 6144:eQfPBx5q0sQ1o7rsbHC01mDBpNW2mTMSbpuV8TSLcNdxzBalYlR:eQ3B7qgpILczr
Malware Config
Signatures
-
Blocklisted process makes network request (48 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
flow | pid  | process
7    | 4884 | wscript.exe
8    | 1756 | wscript.exe
10   | 5088 | wscript.exe
16   | 4884 | wscript.exe
17   | 1756 | wscript.exe
18   | 4884 | wscript.exe
20   | 1756 | wscript.exe
24   | 5088 | wscript.exe
25   | 1756 | wscript.exe
26   | 4884 | wscript.exe
38   | 5088 | wscript.exe
40   | 1756 | wscript.exe
41   | 4884 | wscript.exe
42   | 5088 | wscript.exe
43   | 1756 | wscript.exe
44   | 4884 | wscript.exe
45   | 5088 | wscript.exe
51   | 5088 | wscript.exe
52   | 1756 | wscript.exe
53   | 4884 | wscript.exe
54   | 5088 | wscript.exe
55   | 1756 | wscript.exe
56   | 4884 | wscript.exe
57   | 5088 | wscript.exe
58   | 4884 | wscript.exe
59   | 1756 | wscript.exe
60   | 5088 | wscript.exe
61   | 5088 | wscript.exe
62   | 1756 | wscript.exe
63   | 4884 | wscript.exe
64   | 5088 | wscript.exe
65   | 1756 | wscript.exe
66   | 4884 | wscript.exe
67   | 5088 | wscript.exe
68   | 1756 | wscript.exe
69   | 4884 | wscript.exe
70   | 5088 | wscript.exe
71   | 1756 | wscript.exe
72   | 4884 | wscript.exe
73   | 5088 | wscript.exe
74   | 1756 | wscript.exe
75   | 4884 | wscript.exe
76   | 1756 | wscript.exe
77   | 4884 | wscript.exe
78   | 5088 | wscript.exe
79   | 1756 | wscript.exe
80   | 4884 | wscript.exe
81   | 5088 | wscript.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe
description       | ioc                                                                                                  | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Drops startup file (5 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe
description                  | ioc                                                                                       | process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js         | wscript.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js         | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | wscript.exe
-
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe, wscript.exe
description     | ioc                                                                                                                                                                                     | process
Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                         | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""                                                       | wscript.exe
Key created     | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run                                                                              | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""            | wscript.exe
Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                         | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""                                                       | wscript.exe
Key created     | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run                                                                              | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\""            | wscript.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe, wscript.exe
description                       | pid  | process     | target process
PID 1976 wrote to memory of 4884  | 1976 | wscript.exe | wscript.exe
PID 1976 wrote to memory of 4884  | 1976 | wscript.exe | wscript.exe
PID 1976 wrote to memory of 5088  | 1976 | wscript.exe | wscript.exe
PID 1976 wrote to memory of 5088  | 1976 | wscript.exe | wscript.exe
PID 5088 wrote to memory of 1756  | 5088 | wscript.exe | wscript.exe
PID 5088 wrote to memory of 1756  | 5088 | wscript.exe | wscript.exe
Processes
-
C:\Windows\system32\wscript.exe (tree level 1)
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\2.js
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe (tree level 2)
Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
- Blocklisted process makes network request
- Drops startup file
-
C:\Windows\System32\wscript.exe (tree level 2)
Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\2.js"
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe (tree level 3)
Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
- Blocklisted process makes network request
- Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\2.js
Filesize: 984KB
MD5: 23e6dafa419a763923005e18ac40b8b4
SHA1: 8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256: 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512: 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js
Filesize: 984KB
MD5: 23e6dafa419a763923005e18ac40b8b4
SHA1: 8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256: 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512: 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js
Filesize: 346KB
MD5: 66dc2636a8030d46088ffea48edca927
SHA1: 0b69c990c12f471bae591feff36810bee88dc8be
SHA256: f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e
SHA512: 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a
-
C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js
Filesize: 346KB
MD5: 66dc2636a8030d46088ffea48edca927
SHA1: 0b69c990c12f471bae591feff36810bee88dc8be
SHA256: f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e
SHA512: 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a
-
Memory dumps:
memory/1756-136-0x0000000000000000-mapping.dmp
memory/4884-132-0x0000000000000000-mapping.dmp
memory/5088-134-0x0000000000000000-mapping.dmp