Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-04-2021 15:18
Static task
static1
Behavioral task
behavioral1
- Sample: Inv_#9045.js
- Resource: win7v20201028, windows7_x64
- 0 signatures, 0 seconds
Behavioral task
behavioral2
- Sample: Inv_#9045.js
- Resource: win10v20201028, windows10_x64
- 0 signatures, 0 seconds
General
- Target: Inv_#9045.js
- Size: 3KB
- MD5: bd2ef974ff2ac7645c9c1249c6f09c67
- SHA1: 2f91d738794f8dc4e18e61d2ebd138e9cee26118
- SHA256: 999b0576efee65a6c79f2fdc6e6f0d3aca3965d9e3f6193d88d452a5f507fc4e
- SHA512: 65d7b23e6b0d99c73b6a0b8588c15c84ecfd3a5e2aa6e6cbeb4e2204479881b9587cc5dd84d097a1a4a95182fc83c0e41ab4683bab1783af6528e78eb7946303
Score
10/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: wscript.exe
  - flow 6, pid 2008, process wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Inv_#9045.js (process: wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Inv_#9045.js (process: wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\FPLYPOCV1W = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Inv_#9045.js\"" (process: wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  - PID 2008 wrote to memory of 1080 (pid 2008, process wscript.exe, target process schtasks.exe)
  - PID 2008 wrote to memory of 1080 (pid 2008, process wscript.exe, target process schtasks.exe)
  - PID 2008 wrote to memory of 1080 (pid 2008, process wscript.exe, target process schtasks.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Inv_#9045.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Inv_#9045.js
  - Creates scheduled task(s)