Analysis
- max time kernel: 1798s
- max time network: 1802s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 25-08-2021 02:15
Static task: static1
Behavioral task: behavioral1
- Sample: 1ranf80w5x.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 1ranf80w5x.js
- Resource: win10v20210410
General
- Target: 1ranf80w5x.js
- Size: 6KB
- MD5: 737ab81779d546b3ccc019569acb0269
- SHA1: d746edccdfb5ba9f357ab6a6281c1c09c25b5912
- SHA256: 81f1d78c95edb2952a13f5ec068a3b30be04c4e128c6348bc07439a4f4fdd82c
- SHA512: 961b5f3f1913595352914bd159c34d3767b96494a5be211cd69dbe64f921b29a12321498298ee0c93e3b2c85a443c0fd9b4593dc73fe3266e8517e17e5bfa951
Malware Config
Signatures
-
- Blocklisted process makes network request (64 IoCs)
  Processes: wscript.exe
  wscript.exe (PID 4048) made network requests on flows 7, 15, 17-44, 51-57 and 60-86 (64 flows in total).
- Drops startup file (3 IoCs)
  Processes: wscript.exe, WScript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js | WScript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ranf80w5x.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ranf80w5x.js\"" | WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1468 | schtasks.exe
  2576 | schtasks.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe, WScript.exe
  description | pid | process | target process
  PID 4048 wrote to memory of 1468 | 4048 | wscript.exe | schtasks.exe
  PID 4048 wrote to memory of 1468 | 4048 | wscript.exe | schtasks.exe
  PID 4012 wrote to memory of 2576 | 4012 | WScript.exe | schtasks.exe
  PID 4012 wrote to memory of 2576 | 4012 | WScript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
    - Creates scheduled task(s)
- C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js
    - Creates scheduled task(s)
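The persistence chain the signatures and process tree record (an HKCU Run value, a copy of the script in the Startup folder, and a schtasks task named Skype that re-runs the .js every 30 minutes) can be hunted for with a short script. The following is an added example and is not part of the sandbox report. The event records are constructed to mirror the report's IoCs in a flat dict form (a hypothetical export, not Sysmon's or EVTX's real schema), and the schtasks parser deliberately accepts the unterminated /tr "..." quoting exactly as captured above, which a strict tokenizer such as shlex would reject.

```python
"""Hunt for script-host persistence of the kind recorded in this report:
a .js in %Temp% launched by wscript.exe, then re-launched via a Run value,
a Startup-folder copy and a schtasks minute-interval task.
Added example, not part of the sandbox report."""
import re
from typing import Dict, List, Optional

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\currentversion\\run\\"

# schtasks switches are case-insensitive; a value is either "quoted" or a bare token.
# The closing quote is optional on purpose: the report captured the task command
# line with an unterminated /tr "..." and a strict tokenizer (shlex) raises on it.
_SWITCH = re.compile(r'/(sc|mo|tn|tr)\b\s+(?:"([^"]*)"?|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Return the /sc /mo /tn /tr values of a 'schtasks /create' command line."""
    if "/create" not in cmdline.lower():
        return {}
    task = {}
    for m in _SWITCH.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        task[m.group(1).lower()] = value.strip()
    return task


def _basename(path: str) -> str:
    return path.lower().rstrip('"').rsplit("\\", 1)[-1]


def _launches_script(action: str) -> bool:
    """True if a command runs a script directly (file association) or via a script host."""
    a = action.strip().strip('"').lower()
    if not a.endswith(SCRIPT_EXTS):
        return False
    head = a.split()[0].rstrip('"').rsplit("\\", 1)[-1]
    return head in SCRIPT_HOSTS or head.endswith(SCRIPT_EXTS)


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def task_is_script_persistence(task: Dict[str, str]) -> Optional[str]:
    """Reason string if a parsed task re-launches a script from a user-writable path."""
    action = task.get("tr", "")
    if not (_launches_script(action) and _user_writable(action)):
        return None
    target = action.strip('"')
    reason = f"task '{task.get('tn', '?')}' runs {target}"
    if task.get("sc", "").lower() == "minute":
        reason += f" every {task.get('mo', '1')} min"
    return reason


def run_value_is_script_persistence(key: str, data: str) -> Optional[str]:
    """Reason string if a Run value points at a script in a user-writable path."""
    if RUN_KEY not in key.lower():
        return None
    target = data.strip('"')
    if _launches_script(target) and _user_writable(target):
        name = key.rsplit("\\", 1)[-1]
        return f"Run value '{name}' -> {target}"
    return None


def startup_file_is_script(path: str) -> Optional[str]:
    """Reason string if a script file was written to the per-user Startup folder."""
    p = path.lower()
    if STARTUP_DIR in p and p.endswith(SCRIPT_EXTS):
        return f"script dropped in Startup folder: {path}"
    return None


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run the three checks over flat event records and return the findings."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            parent, child = _basename(ev["parent"]), _basename(ev["image"])
            if parent in SCRIPT_HOSTS and child == "schtasks.exe":
                reason = task_is_script_persistence(parse_schtasks(ev["cmdline"]))
                if reason:
                    findings.append(f"pid {ev['pid']}: {parent} spawned schtasks; {reason}")
        elif ev["kind"] == "registry":
            reason = run_value_is_script_persistence(ev["key"], ev["data"])
            if reason:
                findings.append(reason)
        elif ev["kind"] == "file":
            reason = startup_file_is_script(ev["path"])
            if reason:
                findings.append(reason)
    return findings


# Constructed records mirroring the report's IoCs (a hypothetical flat export,
# not a real Sysmon/EVTX schema). The last record is a benign control.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": "1468", "parent": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js'},
    {"kind": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\1ranf80w5x.js"'},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js"},
    {"kind": "process", "pid": "9001", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The three checks are independent so that any one artifact (a task whose script has already been deleted, a Run value that survived a cleanup, a lone Startup copy) is still reported; the "bare .js as task action" case is covered because Windows resolves it through the file association to the script host, which is exactly how the captured task re-launches the sample.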
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ranf80w5x.js
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  Note: these four digests are those of zero-length input, so the Startup-folder copy was captured as an empty file and does not match the 6KB sample's hashes listed under General.
- memory/1468-114-0x0000000000000000-mapping.dmp
- memory/2576-115-0x0000000000000000-mapping.dmp