Analysis

max time kernel: 1800s
max time network: 1833s
platform: windows7_x64
resource: win7v20210408
submitted: 25-08-2021 02:15

Static task: static1
Behavioral task: behavioral1
  Sample: 1ranf80w5x.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 1ranf80w5x.js
  Resource: win10v20210410

General

Target: 1ranf80w5x.js
Size: 6KB
MD5: 737ab81779d546b3ccc019569acb0269
SHA1: d746edccdfb5ba9f357ab6a6281c1c09c25b5912
SHA256: 81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c
SHA512: 961b5f3f1913595352914bd159c34d3767b96494a5be211cd69dbe64f921b29a12321498298ee0c93e3b2c85a443c0fd9b4593dc73fe3266e8517e17e5bfa951
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
Processes: wscript.exe
64 network flows (flow IDs 6-11, 13-18, 20-25, 27-32, 34-39, 41-46, 48-53, 55-60, 62-67, 69-74, 76-79), all from pid 1624 wscript.exe.
Drops startup file (3 IoCs)
Processes: wscript.exe, WScript.exe

description                   ioc                                                                                        process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js  WScript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wscript.exe, WScript.exe

description      ioc                                                                                                                                                                               process
Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                        wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ranf80w5x.js\""  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                        WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ranf80w5x.js\""  WScript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that reading for this sample.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here it is invoked twice, once by the initial wscript.exe run and again by the WScript.exe instance the task itself launched, to create a task named Skype that re-runs the dropped script every 30 minutes.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe, taskeng.exe, WScript.exe

description                       pid   process      target process
PID 1624 wrote to memory of 1640  1624  wscript.exe  schtasks.exe  (3 times)
PID 848 wrote to memory of 1968   848   taskeng.exe  WScript.exe   (3 times)
PID 1968 wrote to memory of 548   1968  WScript.exe  schtasks.exe  (3 times)

In every case the target is a child the writer has just spawned (compare the process tree below), which is how ordinary process creation appears to this heuristic; there is no write into an unrelated process.
Processes

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  taskeng.exe {8C6BF541-66E5-443F-8DA9-F8114B9AAF56} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
          - Creates scheduled task(s)
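The three persistence mechanisms this report records (a scheduled task, a Run key value and a copy in the Startup folder) share one pattern: an autostart entry whose action is a script sitting in a directory the user can write to. The routine below turns that pattern into detection logic over the kind of telemetry a host agent such as Sysmon emits (process command lines, Run-key writes, file creates). It is an added example written for this page, not part of the sandbox output or of the sample; the inputs it runs on are the schtasks command line, the Run value and the dropped path quoted above, plus two constructed benign control entries. The event source and the exact field names are assumptions.

```python
"""Added triage example (not part of the sandbox report): flag the three
persistence mechanisms this sample used, from the kind of telemetry a host
agent logs (process command lines, Run-key writes, file creates).
Sample inputs are taken from the report above; the two "control" entries are
constructed benign examples."""
import re
from pathlib import PureWindowsPath

# Script-host extensions that wscript.exe / cscript.exe / mshta.exe will run.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Path fragments a standard user can write to. An autostart entry pointing at
# a script in one of these is the pattern this report shows.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\users\\public\\")


def tokenize(cmdline):
    """Split a Windows command line into arguments, tolerating a trailing
    unclosed quote (the sandbox logged the schtasks call exactly like that)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"?|\S+', cmdline)]


def is_script(path):
    return PureWindowsPath(path).suffix.lower() in SCRIPT_EXT


def in_user_writable(path):
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE)


def script_target(action):
    """Return the script a Run value or task action launches, or None.
    Handles a bare quoted path as well as an interpreter prefix
    (wscript.exe "C:\\...\\x.js")."""
    for tok in tokenize(action):
        if is_script(tok):
            return tok
    return None


def check_schtasks(cmdline):
    """Flag 'schtasks /create' whose action runs a script from a user-writable
    directory. Returns task name, schedule and target, or None."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).stem.lower() != "schtasks":
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {}
    for i, t in enumerate(lowered):
        if t in ("/tn", "/tr", "/sc", "/mo") and i + 1 < len(toks):
            opts[t] = toks[i + 1]          # keep the value's original case
    target = script_target(opts.get("/tr", ""))
    if target and in_user_writable(target):
        return {"rule": "schtasks_script_in_user_dir", "task": opts.get("/tn"),
                "sc": opts.get("/sc"), "mo": opts.get("/mo"), "target": target}
    return None


def check_run_value(name, data):
    """Flag an HKCU\\...\\Run value whose data launches a script from a
    user-writable directory."""
    target = script_target(data)
    if target and in_user_writable(target):
        return {"rule": "run_key_script_in_user_dir", "value": name, "target": target}
    return None


def check_startup_file(path):
    """Flag a script written into a Start Menu\\Programs\\Startup folder."""
    if "\\start menu\\programs\\startup\\" in path.lower() and is_script(path):
        return {"rule": "startup_folder_script", "path": path}
    return None


# Inputs as logged in this report, plus constructed benign controls.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js',
    r'schtasks.exe /create /sc daily /tn GoogleUpdate /tr "C:\Program Files\Google\Update\GoogleUpdate.exe"',  # constructed control
]
SAMPLE_RUN_VALUES = [
    ("GF5EHB4I0U", r'"C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js"'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),  # constructed control
]
SAMPLE_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js",
]


def triage(cmdlines=SAMPLE_CMDLINES, run_values=SAMPLE_RUN_VALUES, files=SAMPLE_FILES):
    """Run all three checks and return the hits (one dict per hit)."""
    hits = [check_schtasks(c) for c in cmdlines]
    hits += [check_run_value(n, d) for n, d in run_values]
    hits += [check_startup_file(f) for f in files]
    return [h for h in hits if h]


if __name__ == "__main__":
    for hit in triage():
        print(hit)
```

The checks key on the behaviour (a script in a user-writable directory registered to run automatically) rather than on the hashes, the task name Skype or the value name GF5EHB4I0U, all of which a new build changes for free. Per-user installers that live under AppData\Local (chat clients, browsers) are not caught because they launch executables, not script files; extend SCRIPT_EXT or USER_WRITABLE deliberately if your environment needs it.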
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js
MD5: 737ab81779d546b3ccc019569acb0269
SHA1: d746edccdfb5ba9f357ab6a6281c1c09c25b5912
SHA256: 81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c
SHA512: 961b5f3f1913595352914bd159c34d3767b96494a5be211cd69dbe64f921b29a12321498298ee0c93e3b2c85a443c0fd9b4593dc73fe3266e8517e17e5bfa951
All four hashes match the submitted sample: the Startup-folder copy is byte-for-byte identical to 1ranf80w5x.js, not a re-encoded variant.
Memory dumps

memory/548-62-0x0000000000000000-mapping.dmp
memory/848-60-0x000007FEFC031000-0x000007FEFC033000-memory.dmp (8KB)
memory/1640-59-0x0000000000000000-mapping.dmp
memory/1968-61-0x0000000000000000-mapping.dmp