Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 25-03-2023 09:17
Behavioral tasks
- behavioral1: sample 9e98c04e777e77b1498f4b3447b6221d.js, resource win7-20230220-en
- behavioral2: sample 9e98c04e777e77b1498f4b3447b6221d.js, resource win10v2004-20230220-en
- behavioral3: sample c72d738747f68d4f8d9e9368e47928bf.js, resource win7-20230220-en
- behavioral4: sample c72d738747f68d4f8d9e9368e47928bf.js, resource win10v2004-20230220-en
- behavioral5: sample cc03a8f9433b57e4ea8a87544dde5470.exe, resource win7-20230220-en
- behavioral6: sample cc03a8f9433b57e4ea8a87544dde5470.exe, resource win10v2004-20230220-en
- behavioral7: sample eb6af295c348f16f2361cbe96fdc3bcb.exe, resource win7-20230220-en
- behavioral8: sample eb6af295c348f16f2361cbe96fdc3bcb.exe, resource win10v2004-20230220-en
General
- Target: c72d738747f68d4f8d9e9368e47928bf.js
- Size: 9.2MB
- MD5: c72d738747f68d4f8d9e9368e47928bf
- SHA1: 00b523b2e3ab0f2bfd7d4aabf3b1c33ae390c585
- SHA256: 06b94b3ec86bd4a61888848f379808954de1ff2a1fe471edcfa312f5e9ba2ab5
- SHA512: 1a01baa0c813b928cf5dfe456f76acdcf9be0e0df8a6131e248f9aa5456c65a69cb9809efe56afc4db32cfeeb93ca42e3319f1e53689ba4ed23b77911b802c61
- SSDEEP: 3072:gNK8RjR/R8x/xqm2O1IrWa7Mjv/GnOv3GmPLjCKKIz9vs2J96i/OBDVOdz83Pm7+:I
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow 12, pid 520, process WScript.exe
    flow 14, pid 520, process WScript.exe
    flow 15, pid 520, process WScript.exe
- Drops startup file (2 IoCs)
  Processes:
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js (WScript.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js (WScript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1204 (wscript.exe) wrote to memory of 520 (WScript.exe)
    PID 1204 (wscript.exe) wrote to memory of 520 (WScript.exe)
    PID 1204 (wscript.exe) wrote to memory of 520 (WScript.exe)
    PID 1204 (wscript.exe) wrote to memory of 1340 (javaw.exe)
    PID 1204 (wscript.exe) wrote to memory of 1340 (javaw.exe)
    PID 1204 (wscript.exe) wrote to memory of 1340 (javaw.exe)
    PID 1340 (javaw.exe) wrote to memory of 1580 (java.exe)
    PID 1340 (javaw.exe) wrote to memory of 1580 (java.exe)
    PID 1340 (javaw.exe) wrote to memory of 1580 (java.exe)
Processes
- [1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js"
    - Blocklisted process makes network request
    - Drops startup file
  - [2] C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tenotvjsh.txt"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Java\jre7\bin\java.exe
      Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\tenotvjsh.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js
  Filesize: 1.1MB
  MD5: b7e9c8bac9afc434944605c2422e1ad0
  SHA1: a653b478be92ecbd848bf79e175c454ebb9ccf21
  SHA256: be481241ae35aed859e1b558e23fcf640e0ec5f36d1e993a085ccc499b62c465
  SHA512: b790f27cce05ee3c754728489c8912501dc5c61d00639db760957697e3ea28855a81ce38634ddf2d98bf865055977c4d5dd2faaecc3a625eb090012161df2190
- C:\Users\Admin\AppData\Roaming\tenotvjsh.txt
  Filesize: 164KB
  MD5: ec5e12b3ea2318692c2d2b74c33dfbda
  SHA1: f7f6c3d3e266c7a85ec489389d5508eaa1983055
  SHA256: 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7
  SHA512: 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a
- C:\Users\Admin\tenotvjsh.txt
  Filesize: 164KB
  MD5: ec5e12b3ea2318692c2d2b74c33dfbda
  SHA1: f7f6c3d3e266c7a85ec489389d5508eaa1983055
  SHA256: 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7
  SHA512: 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a
- memory/1340-70-0x00000000000A0000-0x00000000000A1000-memory.dmp
  Filesize: 4KB
- memory/1340-77-0x00000000000A0000-0x00000000000A1000-memory.dmp
  Filesize: 4KB
- memory/1340-87-0x00000000000A0000-0x00000000000A1000-memory.dmp
  Filesize: 4KB
- memory/1340-95-0x00000000000A0000-0x00000000000A1000-memory.dmp
  Filesize: 4KB
- memory/1340-97-0x00000000000A0000-0x00000000000A1000-memory.dmp
  Filesize: 4KB
- memory/1580-108-0x0000000000430000-0x0000000000431000-memory.dmp
  Filesize: 4KB