Analysis
  Max time kernel: 150s
  Max time network: 155s
  Platform: windows7_x64
  Resource: win7-20230220-en
  Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  Submitted: 11-04-2023 01:00
  Static task: static1
  Behavioral task: behavioral1
  Sample: d72e9e277f3eadd7b9097a7f8d1d00f905d97df92bbf66982e51899a9d6eec60.js
  Resource: win7-20230220-en
General
  Target: d72e9e277f3eadd7b9097a7f8d1d00f905d97df92bbf66982e51899a9d6eec60.js
  Size: 3.3MB
  MD5: 0d0b1fc606201ddbf74b4833e08994b3
  SHA1: 177895061db3b2264b72bd57b96e707e7a3e50b8
  SHA256: d72e9e277f3eadd7b9097a7f8d1d00f905d97df92bbf66982e51899a9d6eec60
  SHA512: 45fef7799272fc8606a50c7f75c280a121beb92119f11c00db6155c8b084ae69635c0201fdd96fa0398e33b43f30333767940a75bd5fb88908fb4050160f37b6
  SSDEEP: 24576:pJSd1V8/DH6mBy0ayVbGw9GZ0dKEMRs1Ayq+cISRxQCNj+4AX:ntbNX
Malware Config
Signatures

Blocklisted process makes network request (9 IoCs)
  Processes:
    flow  pid  process
    4     584  WScript.exe
    6     584  WScript.exe
    13    584  WScript.exe
    15    584  WScript.exe
    16    584  WScript.exe
    18    584  WScript.exe
    20    584  WScript.exe
    21    584  WScript.exe
    23    584  WScript.exe

Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                          process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FAklApsLii.js  WScript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FAklApsLii.js  WScript.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process      target process
    PID 1108 wrote to memory of 584   1108  wscript.exe  WScript.exe
    PID 1108 wrote to memory of 584   1108  wscript.exe  WScript.exe
    PID 1108 wrote to memory of 584   1108  wscript.exe  WScript.exe
    PID 1108 wrote to memory of 1484  1108  wscript.exe  javaw.exe
    PID 1108 wrote to memory of 1484  1108  wscript.exe  javaw.exe
    PID 1108 wrote to memory of 1484  1108  wscript.exe  javaw.exe
Processes

Level 1: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\d72e9e277f3eadd7b9097a7f8d1d00f905d97df92bbf66982e51899a9d6eec60.js
  Signatures: Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FAklApsLii.js"
    Signatures: Blocklisted process makes network request; Drops startup file

  Level 2: C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fpqttcxqmz.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\FAklApsLii.js
  Filesize: 346KB
  MD5: 504251620320ddd73e04fd077598f06b
  SHA1: ed16dd17a1b3fd621083999e1697ac8d7d4e196a
  SHA256: 5fc4c580b97320b95dae37a9ee422735eb39b660a890d41f1631369f3f477f23
  SHA512: 69f290c8af09736666189ba80a4147dcaf9da793ece50a9a7523e9a27c011f8773971e2687cddc6c04b8d54a15fabdca80d9de63e62a00a4a4de26b9d2ca1157

C:\Users\Admin\AppData\Roaming\fpqttcxqmz.txt
  Filesize: 209KB
  MD5: 5908fc19ceb339ac7559095bc462e625
  SHA1: c7d780b9524c732e26112d81a067a8fa664e805c
  SHA256: 255f2eeceeca9b1f4075e8a90a6f2ee46032ce60947b6ab612eaf347d5ae987e
  SHA512: f3710dc3a78f6af0f59f78aa20f681816a50e2f7a5ccf7783e62c232476e7afe7cedffceb58df6e19a32f1282c79251fa54cadbf9a45509ec90e0cabf490ad82

memory/1484-70-0x0000000000210000-0x0000000000211000-memory.dmp
  Filesize: 4KB

memory/1484-75-0x0000000000210000-0x0000000000211000-memory.dmp
  Filesize: 4KB

memory/1484-85-0x0000000000210000-0x0000000000211000-memory.dmp
  Filesize: 4KB

memory/1484-91-0x0000000000210000-0x0000000000211000-memory.dmp
  Filesize: 4KB

memory/1484-98-0x0000000000210000-0x0000000000211000-memory.dmp
  Filesize: 4KB

memory/1484-114-0x0000000000210000-0x0000000000211000-memory.dmp
  Filesize: 4KB