Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 02-08-2021 20:11
Static task: static1
Behavioral task: behavioral1
- Sample: 0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js
- Resource: win10v20210410
General
- Target: 0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js
- Size: 6KB
- MD5: da985273a6ca8dfb6a17ff26956a2e71
- SHA1: cda0aff65ed3c91b4788f2f7216831cb1ed563ac
- SHA256: 0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95
- SHA512: e0220201e4e60f7b3b88d6908f4c00cadf8c2fdc6dedaa895ac95b4dbee3de8525b020366840d01701a4719f13e4b0a9b4fbcc9e899e8b5d2e278b265e1993bf
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow 6, pid 1052, process wscript.exe
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MX1CAYIRN3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1052 wrote to memory of 1448: wscript.exe -> schtasks.exe
    PID 1052 wrote to memory of 1448: wscript.exe -> schtasks.exe
    PID 1052 wrote to memory of 1448: wscript.exe -> schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child process)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\0aa2dd1f59a1d55cd5021244c1d7383cadbef5363c22718a4d9e47610af30d95.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1448-60-0x0000000000000000-mapping.dmp