Resubmissions

13/02/2023, 21:24

230213-z9jensgd52 7

13/02/2023, 21:16

230213-z4xp4sgd23 7

Analysis

  • max time kernel
    1612s
  • max time network
    1614s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/02/2023, 21:24

General

  • Target

    spooki.js

  • Size

    66KB

  • MD5

    c93eb2574a0b549f06fa495de52f8135

  • SHA1

    d5c6b541ebea9cda17ee4985e015c15613b2b64f

  • SHA256

    78cd8f64193207e61119ce1f9db37462796896ef2e2244454c630f504c0bc126

  • SHA512

    564faf0d0f1fd9aaf6030d491436691d4acd99cf4937b4e69e17824ba5db220735e17910330121376a4df320aaa9ef35599754b99bd68730ea679b701cbd7e12

  • SSDEEP

    768:vWw7n5D87ZwfbDsA3spXsqF3SReX/lPaXGl+wKyYxYTSbjKC8sTvl:3WVADsekNFPlPay+B4+b

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\spooki.js
    1⤵
      PID:1404
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {2BB7F528-FA61-4242-A46A-A6D2211E971B} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE INTERA~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "INTERA~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRshelL.exe
            PoWeRshelL
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:976

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Macromedia\INTERA~1.JS

      Filesize

      40.6MB

      MD5

      7bba5c40a90d7c2249fd7463d3ef5807

      SHA1

      6e7c3e91ed3d8382b112f58b3a84ae41d7adc60e

      SHA256

      f45529a6a1bcc98bf37ed3d2844575920f4ffa3f0234629a154ffd245085c945

      SHA512

      986241dbe472dc7e91d23ecb1a2f9bb42d2f464edb52866125040290eb14a5656b337a8262a0576cd8e7307864788b06349da86997fc77944a17030c66569464

    • memory/976-58-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

      Filesize

      8KB

    • memory/976-59-0x000007FEF34D0000-0x000007FEF3EF3000-memory.dmp

      Filesize

      10.1MB

    • memory/976-60-0x000007FEF2330000-0x000007FEF2E8D000-memory.dmp

      Filesize

      11.4MB

    • memory/976-61-0x00000000027D4000-0x00000000027D7000-memory.dmp

      Filesize

      12KB

    • memory/976-62-0x000000001B700000-0x000000001B9FF000-memory.dmp

      Filesize

      3.0MB

    • memory/976-63-0x00000000027DB000-0x00000000027FA000-memory.dmp

      Filesize

      124KB

    • memory/976-64-0x00000000027D4000-0x00000000027D7000-memory.dmp

      Filesize

      12KB