Analysis
max time kernel: 7s
max time network: 44s
platform: windows7_x64
resource: win7v20210408
submitted: 02-10-2021 08:36
Static task: static1
Behavioral task: behavioral1
Sample: 3064816-000_01.js
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: 3064816-000_01.js
Resource: win10-en-20210920 (windows10_x64)
0 signatures, 0 seconds
General
Target: 3064816-000_01.js
Size: 9KB
MD5: 1c519a89da5132e9046d9c3540c6e88f
SHA1: fc7ac238769d25f0262dbde4bdea09ba0b9dbe57
SHA256: 5ee13a966733f2954080c2063ec56f41528017c1e91c94ccc467c1e79f3562f8
SHA512: a67be27b7b722f8087f94c4b0c4337241537c75d5d9abe9b360973dab64521cc49a3b05592b883619deba7cdf0556d23b122fa4e08ec84a4dd35fbbaa98fdebe
Score: 10/10
Malware Config
Signatures
-
Drops startup file 2 IoCs
Processes:
wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3064816-000_01.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3064816-000_01.js | wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\AAHTJLXP64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3064816-000_01.js\"" | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
description | pid | process | target process
PID 1828 wrote to memory of 1256 | 1828 | wscript.exe | schtasks.exe
PID 1828 wrote to memory of 1256 | 1828 | wscript.exe | schtasks.exe
PID 1828 wrote to memory of 1256 | 1828 | wscript.exe | schtasks.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\3064816-000_01.js
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\3064816-000_01.js
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1256-60-0x0000000000000000-mapping.dmp