Analysis
max time kernel: 170s
max time network: 95s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10-03-2023 06:54
Static task: static1
Behavioral task: behavioral1
  Sample: 89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138.js
  Resource: win10-20230220-en
Behavioral task: behavioral2
  Sample: 89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138.js
  Resource: win7-20230220-en
General
Target: 89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138.js
Size: 126KB
MD5: e702cdeeafff5a57b0974f691c5f5ed0
SHA1: dab829194a44d00022e977fa4d1a9243d9d08dc9
SHA256: 89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138
SHA512: 87d624bacd91a5ebeb11774e2097cc80f5f958ee7f9342591e8e6502dfadb9e6a8def4992567607c2596215668f825b5c6993214946683e292a74cc1a461cb47
SSDEEP: 1536:fWTzQGRrHGeRK6Kh6PwuQDZ3zWrCEij97Mj27q3bixCF0+F0k8c5rNiifIwPrLpj:fazLrH98hgcCbijs5rYif7TLpJp
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 4500, process poWERsHelL.exe (9 events)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 4500, process poWERsHelL.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4012 (wscript.EXE) wrote to memory of 2768 (cscript.exe), procid_target 67 (2 events)
  PID 2768 (cscript.exe) wrote to memory of 4500 (poWERsHelL.exe), procid_target 69 (2 events)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\wscript.exe (PID 1608)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138.js

\??\c:\windows\system32\wscript.EXE (PID 4012)
  command line: c:\windows\system32\wscript.EXE SUSTAI~1.JS
  Suspicious use of WriteProcessMemory
  C:\Windows\System32\cscript.exe (PID 2768)
    command line: "C:\Windows\System32\cscript.exe" "SUSTAI~1.JS"
    Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\poWERsHelL.exe (PID 4500)
      command line: poWERsHelL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
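The process tree above shows a script-host chain (wscript.EXE, then cscript.exe, then PowerShell) in which the second-stage script is referenced by its 8.3 short name (SUSTAI~1.JS) and the PowerShell image name appears in mixed case (poWERsHelL). Both details defeat naive case-sensitive or full-filename string matching. The following Python is an added detection example, not part of the sandbox report: it runs a parent-child rule over constructed Sysmon-style process-creation events modelled on the tree above. The PIDs and command lines are taken from the report; the parent PID 700 for the top-level processes and the benign notepad.exe control event are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style fields only)."""
    pid: int
    ppid: int
    image: str    # full image path as logged
    cmdline: str  # command line as logged


# Script hosts that should rarely spawn each other or PowerShell on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHILD_OF_INTEREST = {"powershell.exe"}

# 8.3 short name such as SUSTAI~1.JS: up to six name characters, a tilde, a digit, optional extension.
SHORT_NAME_RE = re.compile(r"\b\w{1,6}~\d\b(?:\.\w{1,3})?", re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, so that 'poWERsHelL.exe' and
    '\\??\\c:\\windows\\system32\\wscript.EXE' compare equal to canonical names."""
    return re.split(r"[\\/]", path)[-1].lower()


def first_token(cmdline: str) -> str:
    """Executable token of a command line with quotes and directory stripped, case preserved."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    tok = (m.group(1) or m.group(2)) if m else ""
    return re.split(r"[\\/]", tok)[-1]


def has_short_name(cmdline: str) -> bool:
    """True when the command line carries an 8.3 short name, which hides the full script name."""
    return SHORT_NAME_RE.search(cmdline) is not None


def odd_casing(token: str) -> bool:
    """True for mixed-case executable names like poWERsHelL that are neither all-lower,
    all-upper nor title case; cheap indicator of an attempt to dodge string matching."""
    stem = token.rsplit(".", 1)[0]
    return not (stem.islower() or stem.isupper() or stem.istitle())


def find_script_host_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag every child of a script host that is itself a script host or PowerShell."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        pname, cname = image_name(parent.image), image_name(e.image)
        if pname in SCRIPT_HOSTS and (cname in CHILD_OF_INTEREST or cname in SCRIPT_HOSTS):
            findings.append({
                "parent_pid": parent.pid, "parent": pname,
                "child_pid": e.pid, "child": cname,
                "short_name": has_short_name(e.cmdline),
                "odd_casing": odd_casing(first_token(e.cmdline)),
            })
    return findings


# Constructed events modelled on the report's process tree. PIDs 1608, 4012, 2768 and 4500
# and their command lines come from the report; ppid 700 and the notepad control are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1608, 700, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138.js"),
    ProcEvent(4012, 700, r"\??\c:\windows\system32\wscript.EXE",
              r"c:\windows\system32\wscript.EXE SUSTAI~1.JS"),
    ProcEvent(2768, 4012, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" "SUSTAI~1.JS"'),
    ProcEvent(4500, 2768, r"C:\Windows\System32\WindowsPowerShell\v1.0\poWERsHelL.exe",
              "poWERsHelL"),
    ProcEvent(5100, 700, r"C:\Windows\notepad.exe", "notepad.exe"),  # benign control, must not fire
]

if __name__ == "__main__":
    for f in find_script_host_chains(SAMPLE_EVENTS):
        print(f)
```

Matching on the lower-cased basename is what makes the rule hit both `wscript.EXE` and `poWERsHelL.exe`; the short-name and casing flags are carried alongside as enrichment rather than as conditions, so a chain is reported even when the attacker uses neither trick.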
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
(these are the digests of the single ASCII byte "1", i.e. the server returned a one-character response)

Filesize: 43.9MB
MD5: 631b612204b6b0ff943877e47b86afdc
SHA1: 753f06f8eca9d96ace001ffd3c37c8ff69325988
SHA256: da28a5e75b7ae2ec120c2ce83673d8b1d0b2995e6f9e27c204befd050b94074f
SHA512: f0f683717f62176907e62e02ea6a9befb4a81c25a104c2e73c3c440b1cd8d49d2ee8ab65e469aeed644b16cc1781894fbd439c2fab4ba8d08e274349c1952408