Analysis
  max time kernel:  149s
  max time network: 147s
  platform:         windows7_x64
  resource:         win7-en-20210920
  submitted:        04-10-2021 20:51
Static task: static1

Behavioral task: behavioral1
  Sample:   eohMqhWkvF.js
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   eohMqhWkvF.js
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: eohMqhWkvF.js
  Size:   10KB
  MD5:    bd854a8caf7e7c7755481169afebeb9d
  SHA1:   46d81477627836bdda15137a8837d10eb84bbbfc
  SHA256: c346c5553d730a5f500588c0cb604454019e0a9a8c234b09e3050de08c5c4de9
  SHA512: 5d311fdf3958f117d5b06cb4e975a7bd373a1b9e8379e2df133472bcd30dca710afd382b848bffaf3899cfa1e887f0fe74f019878a24c326a081d15afa73e3e5
  Score:  10/10
Malware Config
  (none extracted)

Signatures

Blocklisted process makes network request (18 IoCs)
  Processes:
    flow  pid   process
    4     1740  wscript.exe
    5     1740  wscript.exe
    7     1740  wscript.exe
    9     1740  wscript.exe
    10    1740  wscript.exe
    11    1740  wscript.exe
    13    1740  wscript.exe
    14    1740  wscript.exe
    15    1740  wscript.exe
    17    1740  wscript.exe
    18    1740  wscript.exe
    19    1740  wscript.exe
    21    1740  wscript.exe
    22    1740  wscript.exe
    23    1740  wscript.exe
    25    1740  wscript.exe
    26    1740  wscript.exe
    27    1740  wscript.exe
Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                         process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js  wscript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js  wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                               process
    Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                        wscript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\eohMqhWkvF.js\""  wscript.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.