Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
06-10-2021 18:55
Static task
static1
Behavioral task
behavioral1
Sample
INTERAC Service Request9466544665440.js
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
INTERAC Service Request9466544665440.js
Resource
win10v20210408
General
-
Target
INTERAC Service Request9466544665440.js
-
Size
3KB
-
MD5
82ccbb5d83d342bf2a38081b98b1704d
-
SHA1
7b72886e685c44f752a72826c315f86dee81251f
-
SHA256
1204d1db36163eef881e0e2293c27fa3b83f036e1c5f8b9f39eee6de138b8752
-
SHA512
05d9ed5a6499d4bd920f27d5e750874fdd812811117ce2fd4fbc4587a5f3121bf9d6b5f512c345c1cfa02ccad94c098758570b7c1d4dd173de60a093abd921a9
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exe
flow | pid | process
4 | 1540 | wscript.exe
-
Drops startup file 2 IoCs
Processes:
wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js | wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\IFOPY6H4EL = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INTERAC Service Request9466544665440.js\"" | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
description | pid | process | target process
PID 1540 wrote to memory of 1148 | 1540 | wscript.exe | schtasks.exe
PID 1540 wrote to memory of 1148 | 1540 | wscript.exe | schtasks.exe
PID 1540 wrote to memory of 1148 | 1540 | wscript.exe | schtasks.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js"
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1148-53-0x0000000000000000-mapping.dmp