0419649389ae3389a8133907858ff7844f5b9130755d21f649a1f594990e85d5

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 06:41

Target

Contract Tender.js
Size

345KB
MD5

74a8701c0a76d1fdaccbb6a39ac3a427
SHA1

96578577dd9d2063b257f7b43d735792cc84e4c1
SHA256

0419649389ae3389a8133907858ff7844f5b9130755d21f649a1f594990e85d5
SHA512

9f5c9cc8780e5d678cc975126e4586f367a67231fe80400c58b155f7fecd12bc43fc1fb14d9e12db65a4d8dfba7a725dce317e1fa1730f52ec6675e58b7f79a9
SSDEEP

6144:GQFQhWlP6ek95bcGCnhj21THlnII0pDI8he7v+qlJ5/Qceq5rEd6JDpu6Bz68:N2clP6obkT9L0pDk+qbS6LB5

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2028	1104	wscript.exe	27
PID 1104 wrote to memory of 2028	1104	wscript.exe	27
PID 1104 wrote to memory of 2028	1104	wscript.exe	27

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Contract Tender.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jyryuvx.txt"
  2⤵
  PID:2028

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\jyryuvx.txt

Filesize
164KB

MD5
3834513023ec311a08f09b81a3b13fb8

SHA1
cb2faf30e64be67532aa01a59480052a2438ded6

SHA256
7b43f6ba187bf62f37f43374ef60808601cd187f5796e97458d15954f50c619b

SHA512
7fbf3b5b180fc0427cd641810806ebbb0e6c8fb710faf15bbf579af9fa668ed8257ea011e27b73cf3921f0714c0ad82d1be3eed3729319396017592d5f6df859

Download Submit
memory/2028-65-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2028-66-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2028-67-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2028-94-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2028-109-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2028-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download