Analysis
max time kernel: 141s
max time network: 189s
platform: windows7_x64
resource: win7v20210410
submitted: 05-07-2021 17:01
Static task: static1

Behavioral task: behavioral1
  Sample: PO #008661.js
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: PO #008661.js
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: PO #008661.js
Size: 3KB
MD5: c9f67a83623894b769cda3123dd64db7
SHA1: 7b469db6a066919c8b62e249e92b26dfdcf22fd5
SHA256: 46b304cdebbfac4fc60dbb3a885f6442bf1ec6e7a15a23f10de75f4febe2cecc
SHA512: 9ebd912945b15e2a42d765fa811963af28598a61ee94e5dcd84368733801055a079f02f96960a2079d451878406e394904bb27b75eda41180ad7dc45ef57c3a8
Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
  flow 5, pid 592, process wscript.exe

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO #008661.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO #008661.js (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\8KSMEJ1CM4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO #008661.js\"" (wscript.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 592 wrote to memory of 820: wscript.exe -> schtasks.exe
  PID 592 wrote to memory of 820: wscript.exe -> schtasks.exe
  PID 592 wrote to memory of 820: wscript.exe -> schtasks.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO #008661.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\schtasks.exe (child of 1)
   Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\PO #008661.js
   - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/820-60-0x0000000000000000-mapping.dmp