Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-en-20210920
submitted: 07-10-2021 15:44
Static task: static1
Behavioral task: behavioral1
Sample: INTERAC Service Request9466544665440.js
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: INTERAC Service Request9466544665440.js
Resource: win10-en-20210920
General
Target: INTERAC Service Request9466544665440.js
Size: 3KB
MD5: 38ecf70cf09d8c499546c01c028dd70f
SHA1: d4d57eeb688d2abe1eeae5b0dc142d588246648b
SHA256: 7acb1e3e7f173f2cc884c87a15260f06f59ed45e79e979afb37e361dd0b2625d
SHA512: bd92d0a81b6c9b553d11ace0f680f677a727de965703205955c92650ed43fe68f593b228e62d90acafc53e34864e4715eebd877808e2b160ee1d3dfeaf9462bc
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exe
flow: 5, pid: 2008, process: wscript.exe
Drops startup file 2 IoCs
Processes:
wscript.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js (process: wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INTERAC Service Request9466544665440.js (process: wscript.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exe
Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\K3A8F1X622 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\INTERAC Service Request9466544665440.js\"" (process: wscript.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exe
PID 2008 wrote to memory of 772 (pid: 2008, process: wscript.exe, target process: schtasks.exe)
PID 2008 wrote to memory of 772 (pid: 2008, process: wscript.exe, target process: schtasks.exe)
PID 2008 wrote to memory of 772 (pid: 2008, process: wscript.exe, target process: schtasks.exe)
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js"
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\INTERAC Service Request9466544665440.js
- Creates scheduled task(s)