Analysis
- max time kernel: 132s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-04-2021 19:55
Static task
static1
Behavioral task
behavioral1
Sample
6W5MPAEEPH.js
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
6W5MPAEEPH.js
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
- Target: 6W5MPAEEPH.js
- Size: 10KB
- MD5: 478634c9781a93f5c34e70623a62ee1e
- SHA1: ed996dd6ea02d176c46c01f17ebe19c217d3ce5e
- SHA256: 58f2aec1d4020c14b45c8357512b8787eed4a4d208497d6866c29ee2f4f24cfb
- SHA512: e3ba328dcf8f7766fe9e1b471cc9cd08d24da3d4b4e584262ed1ec4c8fbc972fd9d60e39c7f138390316d61f8292520900fa1b3d5fc0f65dc00dd85a08d6cacd
Score
10/10
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
wscript.exe
flow | pid | process
6 | 1748 | wscript.exe
7 | 1748 | wscript.exe
-
Drops startup file 2 IoCs
Processes:
wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6W5MPAEEPH.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6W5MPAEEPH.js | wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\OXKHGDB6LZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6W5MPAEEPH.js\"" | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
description | pid | process | target process
PID 1748 wrote to memory of 1264 | 1748 | wscript.exe | schtasks.exe
PID 1748 wrote to memory of 1264 | 1748 | wscript.exe | schtasks.exe
PID 1748 wrote to memory of 1264 | 1748 | wscript.exe | schtasks.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\6W5MPAEEPH.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\6W5MPAEEPH.js
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1264-59-0x0000000000000000-mapping.dmp