Resubmissions

10-03-2023 06:58

230310-hrp13adg4t 3

10-03-2023 06:54

230310-hpdv1sca74 3

Analysis

  • max time kernel
    129s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2023 06:54

General

  • Target

    89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138.js

  • Size

    126KB

  • MD5

    e702cdeeafff5a57b0974f691c5f5ed0

  • SHA1

    dab829194a44d00022e977fa4d1a9243d9d08dc9

  • SHA256

    89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138

  • SHA512

    87d624bacd91a5ebeb11774e2097cc80f5f958ee7f9342591e8e6502dfadb9e6a8def4992567607c2596215668f825b5c6993214946683e292a74cc1a461cb47

  • SSDEEP

    1536:fWTzQGRrHGeRK6Kh6PwuQDZ3zWrCEij97Mj27q3bixCF0+F0k8c5rNiifIwPrLpj:fazLrH98hgcCbijs5rYif7TLpJp

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\89b160f22663f77c4e2956b11518575a1a4209a5a9bf07996855f88d9eb4a138.js
    1⤵
      PID:2024
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {785A2403-3A16-4149-896B-AF313A62AC16} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE SUSTAI~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "SUSTAI~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\System32\WindowsPowerShell\v1.0\poWERsHelL.exe
            poWERsHelL
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:820

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\SUSTAI~1.JS

      Filesize

      43.9MB

      MD5

      e4b919c2ac91de504aaccd15192cab25

      SHA1

      14bba7e858fefea9ea1e25703f45f264aaab71d3

      SHA256

      28d5b70cbdb76a793facc6951629bb658c89cddf9f736e8a217f864ca4a87f37

      SHA512

      acea70f769b40a6540a65710099c4be05f054f371fcb3c940c43cca152f8e40f46ab3d58c1353b19396729250bf85f222c4561e11efbdad342eea402cb2e9704

    • memory/820-61-0x000000001B210000-0x000000001B4F2000-memory.dmp

      Filesize

      2.9MB

    • memory/820-62-0x0000000002370000-0x0000000002378000-memory.dmp

      Filesize

      32KB

    • memory/820-63-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

    • memory/820-64-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

    • memory/820-65-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

    • memory/820-66-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

    • memory/820-67-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

    • memory/820-68-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

    • memory/820-69-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB

    • memory/820-70-0x0000000002480000-0x0000000002500000-memory.dmp

      Filesize

      512KB