Analysis

max time kernel: 152s
max time network: 156s
platform: windows10_x64
resource: win10v20210410
submitted: 31-08-2021 13:00

Static task: static1

Behavioral task: behavioral1
  Sample: secondupdate.js
  Resource: win7v20210408
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: secondupdate.js
  Resource: win10v20210410
  0 signatures, 0 seconds
General

Target: secondupdate.js
Size: 3KB
MD5: 293ca6a2020702d30eb057e24d73b559
SHA1: 1e6bfc2b62210307295f8f8aa11c21c12e5fcad8
SHA256: 121e224480a89b1ef3d2512062bf6474752b2bbb4afffdd4dda03c079e7aef09
SHA512: 0795172169cd41fdcdb157ee461e9d1fe5482907813105afb68e271d88ba09421200dfda492089ee1367186d69e72578017d98c2bcccbf835495880242023817
Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request (19 IoCs)
Processes:
  flow  pid   process
  8     3164  wscript.exe
  14    3164  wscript.exe
  17    3164  wscript.exe
  18    3164  wscript.exe
  19    3164  wscript.exe
  20    3164  wscript.exe
  21    3164  wscript.exe
  22    3164  wscript.exe
  23    3164  wscript.exe
  24    3164  wscript.exe
  25    3164  wscript.exe
  26    3164  wscript.exe
  27    3164  wscript.exe
  28    3164  wscript.exe
  29    3164  wscript.exe
  30    3164  wscript.exe
  31    3164  wscript.exe
  32    3164  wscript.exe
  33    3164  wscript.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
  description                 ioc                                                                                              process
  File created                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\secondupdate.js    wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\secondupdate.js    wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
  description      ioc                                                                                                                                  process
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run                            wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\secondupdate.js\""  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
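The three behavioural signatures above (a script host writing to the per-user Startup folder, the same process setting a Run value that points at a script under AppData\Local\Temp, and that process then opening 19 network flows) are exactly the pattern a host-based detection should key on. The following is an added example, not part of the sandbox report or of any Triage/Hatching export: it runs simple detection logic over event records constructed from the IoCs on this page (the paths, pid, SID and value name are copied from the report; the record layout and field names such as "kind", "op", "data" are assumptions made for the example, and the setup.exe Run-key event is a constructed benign control).

```python
"""Detect script-host persistence and beaconing as seen in the report above.

Added example; event records are constructed to mirror the page's IoCs and
the field layout is assumed, not a real sandbox/EDR export format.
"""
import re
from collections import Counter

# Script interpreters that should rarely be persisting themselves.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1)\b", re.I)

SID = r"S-1-5-21-3686645723-710336880-414668232-1000"
STARTUP_PATH = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\secondupdate.js"
RUN_KEY = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID

# Constructed sample events mirroring the report's IoCs (plus one benign control).
SAMPLE_EVENTS = [
    {"kind": "file", "op": "create", "process": "wscript.exe", "pid": 3164, "path": STARTUP_PATH},
    {"kind": "file", "op": "modify", "process": "wscript.exe", "pid": 3164, "path": STARTUP_PATH},
    {"kind": "registry", "op": "create", "process": "wscript.exe", "pid": 3164, "path": RUN_KEY},
    {"kind": "registry", "op": "set", "process": "wscript.exe", "pid": 3164,
     "path": RUN_KEY + r"\SEJOKAOI5S",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\secondupdate.js"'},
    # Benign control (constructed): an installer registering a binary in Program Files.
    {"kind": "registry", "op": "set", "process": "setup.exe", "pid": 4120,
     "path": RUN_KEY + r"\Updater", "data": r'"C:\Program Files\Vendor\updater.exe"'},
]
# The 19 network flows (ids 8, 14, 17..33) attributed to pid 3164 in the report.
SAMPLE_EVENTS += [{"kind": "network", "process": "wscript.exe", "pid": 3164, "flow": f}
                  for f in [8, 14] + list(range(17, 34))]


def detect(events, network_threshold=10):
    """Return deduplicated (rule, pid, detail) findings for a list of events."""
    findings = []
    flows = Counter()
    for e in events:
        proc = e["process"].lower()
        if e["kind"] == "file" and proc in SCRIPT_HOSTS and STARTUP_RE.search(e["path"]):
            # A script host dropping into the Startup folder: re-executes at every logon.
            findings.append(("startup_folder_drop", e["pid"], e["path"]))
        elif e["kind"] == "registry" and e.get("op") == "set" and RUN_KEY_RE.search(e["path"]):
            data = e.get("data", "")
            # Flag a Run value written by a script host, or any Run value whose
            # command is a script sitting in a user-writable AppData location.
            if proc in SCRIPT_HOSTS or (USER_WRITABLE_RE.search(data) and SCRIPT_EXT_RE.search(data)):
                findings.append(("run_key_script_autostart", e["pid"], "%s = %s" % (e["path"], data)))
        elif e["kind"] == "network" and proc in SCRIPT_HOSTS:
            flows[(proc, e["pid"])] += 1
    # Many outbound flows from one script-host process: beaconing / payload retrieval.
    for (proc, pid), n in flows.items():
        if n >= network_threshold:
            findings.append(("script_host_network", pid, "%s made %d network flows" % (proc, n)))
    # Create + modify of the same Startup file collapse into one finding.
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print("%-26s pid=%d  %s" % (rule, pid, detail))
```

The Run-key rule deliberately fires on the command data as well as on the writing process: the page shows the value is set by wscript.exe, but a loader that first copies itself and then uses reg.exe or a COM call would be missed by a process-name check alone, whereas a Run value pointing at a .js under AppData\Local\Temp is suspicious regardless of who wrote it. The benign setup.exe control, pointing at Program Files, is not flagged.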