Analysis
max time kernel: 144s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 04-10-2021 20:51
Static task: static1
Behavioral task: behavioral1
Sample: eohMqhWkvF.js
Resource: win7-en-20210920 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: eohMqhWkvF.js
Resource: win10v20210408 (windows10_x64)
0 signatures, 0 seconds
General
Target: eohMqhWkvF.js
Size: 10KB
MD5: bd854a8caf7e7c7755481169afebeb9d
SHA1: 46d81477627836bdda15137a8837d10eb84bbbfc
SHA256: c346c5553d730a5f500588c0cb604454019e0a9a8c234b09e3050de08c5c4de9
SHA512: 5d311fdf3958f117d5b06cb4e975a7bd373a1b9e8379e2df133472bcd30dca710afd382b848bffaf3899cfa1e887f0fe74f019878a24c326a081d15afa73e3e5
Score: 10/10
Malware Config
Signatures
-
Blocklisted process makes network request 18 IoCs
Processes:
flow  pid  process
3     808  wscript.exe
4     808  wscript.exe
5     808  wscript.exe
12    808  wscript.exe
17    808  wscript.exe
18    808  wscript.exe
19    808  wscript.exe
20    808  wscript.exe
23    808  wscript.exe
24    808  wscript.exe
25    808  wscript.exe
26    808  wscript.exe
27    808  wscript.exe
28    808  wscript.exe
29    808  wscript.exe
30    808  wscript.exe
31    808  wscript.exe
32    808  wscript.exe
-
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                              process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js      wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js      wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                                                                                          process
Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\eohMqhWkvF.js\""  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                  wscript.exe
-
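The three behaviours above (a script host writing a Run value that points back at a .js file, the same host dropping a copy into the Startup folder, and the same host opening outbound connections) are what a detection engineer would turn into rules. The block below is an added example, not part of the sandbox report and not the sandbox's own detection logic: it runs those three checks over Sysmon-style events. The event field names (EventType, Image, ProcessId, TargetObject, Details, TargetFilename) are an assumed schema, and the sample events are constructed to mirror the IoCs listed above, padded with two benign events to show what is not flagged.

```python
"""Flag script-host persistence and beaconing in Sysmon-style events.

Added example; the event schema is assumed, the sample events are constructed
to mirror the IoCs in the report above (pid 808, Run value SEJOKAOI5S,
Startup-folder copy of eohMqhWkvF.js, 18 outbound flows).
"""
import re
from collections import Counter

# Windows script hosts that should rarely persist themselves or talk to the network.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# Match any hive prefix (HKCU, HKU\<SID>, \REGISTRY\USER\<SID>) ending in a Run/RunOnce value.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _command_target(value: str) -> str:
    """Return the file a Run value launches: the quoted token if present, else the first token."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def classify_events(events):
    """Return a list of findings; each is a dict with rule, process, pid and detail."""
    findings = []
    net_hits = Counter()
    for ev in events:
        image = _basename(ev.get("Image", ""))
        pid = ev.get("ProcessId")
        kind = ev.get("EventType")
        if kind == "RegistryValueSet" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            target = _command_target(ev.get("Details", ""))
            # Flag if a script host wrote the value, or the value launches a script file.
            if image in SCRIPT_HOSTS or target.lower().endswith(SCRIPT_EXTS):
                findings.append({"rule": "run_key_script_persistence", "process": image,
                                 "pid": pid, "detail": f"{ev['TargetObject']} -> {target}"})
        elif kind == "FileCreate" and STARTUP_RE.search(ev.get("TargetFilename", "")):
            fn = ev["TargetFilename"]
            if image in SCRIPT_HOSTS or fn.lower().endswith(SCRIPT_EXTS):
                findings.append({"rule": "startup_folder_script_drop", "process": image,
                                 "pid": pid, "detail": fn})
        elif kind == "NetworkConnect" and image in SCRIPT_HOSTS:
            net_hits[(image, pid)] += 1
    # Summarise network activity per script-host process rather than one finding per flow.
    for (image, pid), n in sorted(net_hits.items()):
        findings.append({"rule": "script_host_network", "process": image,
                         "pid": pid, "detail": f"{n} outbound connection(s)"})
    return findings


WSCRIPT = r"C:\Windows\System32\wscript.exe"
SID = "S-1-5-21-1594587808-2047097707-2163810515-1000"

# Constructed sample events mirroring the report's IoCs, plus two benign events.
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet", "Image": WSCRIPT, "ProcessId": 808,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\eohMqhWkvF.js"'},
    {"EventType": "FileCreate", "Image": WSCRIPT, "ProcessId": 808,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eohMqhWkvF.js"},
    *[{"EventType": "NetworkConnect", "Image": WSCRIPT, "ProcessId": 808, "DestinationPort": 80}
      for _ in range(18)],
    # Benign: explorer.exe registering an .exe autostart, not a script.
    {"EventType": "RegistryValueSet", "Image": r"C:\Windows\explorer.exe", "ProcessId": 4120,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Benign: a file created outside the Startup folder by a non-script host.
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 5000,
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in classify_events(SAMPLE_EVENTS):
        print(f"{f['rule']:28} {f['process']}[{f['pid']}] {f['detail']}")
```

The Run-key rule deliberately fires on either condition (writer is a script host, or the value launches a script file), so a loader that uses reg.exe or PowerShell to register a .vbs is still caught; the network rule aggregates per process so eighteen flows from pid 808 become one finding with a count, which is easier to triage than eighteen alerts.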
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.