Analysis
max time kernel: 146s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 24-08-2021 17:57
Static task: static1

Behavioral task: behavioral1
Sample: ruYArSxXtj.js
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: ruYArSxXtj.js
Resource: win10v20210410 (windows10_x64)
0 signatures, 0 seconds
General
Target: ruYArSxXtj.js
Size: 9KB
MD5: ca4e11b0bbf70a587e0d653bfceded8c
SHA1: c70eeac3273988740e937e21e11948b003295582
SHA256: d0a3dc9322f9f6f9028f437d45757560de849fd0a0a6dcf8c92beed012b61e0d
SHA512: 291bbeb73d3ecacfe5c50aa9fd59f0542eea4950a82d0def79318017d5a0c9bcd3792a49c17309414c7678235ffeae284f29643e2be4b4a368592c0f5f64bdf0
Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request (17 IoCs)
Processes: wscript.exe
flow  pid   process
11    3204  wscript.exe
20    3204  wscript.exe
22    3204  wscript.exe
23    3204  wscript.exe
24    3204  wscript.exe
25    3204  wscript.exe
26    3204  wscript.exe
27    3204  wscript.exe
28    3204  wscript.exe
29    3204  wscript.exe
30    3204  wscript.exe
31    3204  wscript.exe
32    3204  wscript.exe
33    3204  wscript.exe
34    3204  wscript.exe
35    3204  wscript.exe
36    3204  wscript.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
description                  ioc                                                                                          process
File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js   wscript.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruYArSxXtj.js   wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
description      ioc                                                                                                                                                              process
Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                        wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ruYArSxXtj.js\""   wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.