Analysis
- max time kernel: 142s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 02-10-2021 06:48
Static task
static1
Behavioral task
behavioral1
Sample
3064816-000_01.js
Resource
win7-en-20210920
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
3064816-000_01.js
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
3064816-000_01.js
-
Size
9KB
-
MD5
1c519a89da5132e9046d9c3540c6e88f
-
SHA1
fc7ac238769d25f0262dbde4bdea09ba0b9dbe57
-
SHA256
5ee13a966733f2954080c2063ec56f41528017c1e91c94ccc467c1e79f3562f8
-
SHA512
a67be27b7b722f8087f94c4b0c4337241537c75d5d9abe9b360973dab64521cc49a3b05592b883619deba7cdf0556d23b122fa4e08ec84a4dd35fbbaa98fdebe
Score
10/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exe
flow | pid | process
4 | 2004 | wscript.exe
-
Drops startup file 2 IoCs
Processes:
wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3064816-000_01.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3064816-000_01.js | wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\AAHTJLXP64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3064816-000_01.js\"" | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
description | pid | process | target process
PID 2004 wrote to memory of 1524 | 2004 | wscript.exe | schtasks.exe
PID 2004 wrote to memory of 1524 | 2004 | wscript.exe | schtasks.exe
PID 2004 wrote to memory of 1524 | 2004 | wscript.exe | schtasks.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3064816-000_01.js 1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\3064816-000_01.js 2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1524-53-0x0000000000000000-mapping.dmp