Analysis
- max time kernel: 11s
- max time network: 15s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 17-08-2021 15:17
Static task
static1
Behavioral task
behavioral1
- Sample: In_WO071.js
- Resource: win7v20210408
- 0 signatures
- 0 seconds
Behavioral task
behavioral2
- Sample: In_WO071.js
- Resource: win10v20210410
- 0 signatures
- 0 seconds
General
- Target: In_WO071.js
- Size: 12KB
- MD5: eeb0261c57ae2557a73b0a66f862e982
- SHA1: aca3295dea76d1d31730bff6f30d3ed453eaca0c
- SHA256: 9c048a52d161626ba45d49ba1a412b4cd1fc05520d4193a57d5b2edf7bbb885e
- SHA512: fe6c2bf415b37c5341294dd5b0bfaefffd73dcb92dda241f82341687456ca2b17d3ab07551a7d277b2fb04b31793b77599e6d5f1a68488f379cb4466b5441588
Score
10/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: wscript.exe
  - flow 5, pid 1304, process wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\In_WO071.js (process: wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\In_WO071.js (process: wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\O3FNWNFPWY = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\In_WO071.js\"" (process: wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  - PID 1304 wrote to memory of 1192 (pid: 1304, process: wscript.exe, target process: schtasks.exe)
  - PID 1304 wrote to memory of 1192 (pid: 1304, process: wscript.exe, target process: schtasks.exe)
  - PID 1304 wrote to memory of 1192 (pid: 1304, process: wscript.exe, target process: schtasks.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\In_WO071.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\In_WO071.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1192-60-0x0000000000000000-mapping.dmp