Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 07-10-2021 16:35
Static task
- static1
Behavioral task
- behavioral1
- Sample: I1B26A8C6D5Z.js
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task
- behavioral2
- Sample: I1B26A8C6D5Z.js
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: I1B26A8C6D5Z.js
- Size: 81KB
- MD5: fd18077eddfff5bb1d86e8f0de281d6d
- SHA1: 1a415d1c8263b8de8eb9352f4855dead687ce7fa
- SHA256: 53838e5cc5aed0da2d6f91ab858a442e3e1760aef0cc333ba69e9610993e9ce3
- SHA512: f63f848bcf69be3f71d28ac98bb09e8f6186076d08e216423cedbe3a7cd75b0f1c7bdeb67bf77532730acf9cd3db9bf97d07c57948a4d655eeee802d80c531ec
Score: 10/10
Malware Config
Signatures
-
Blocklisted process makes network request (1 IoC)
Processes:
- flow 5, pid 1424, wscript.exe
-
Drops startup file (2 IoCs)
Processes:
- wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1B26A8C6D5Z.js
- wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1B26A8C6D5Z.js
A copy of the script in the per-user Startup folder runs at every logon with no registry entry involved; it is an independent persistence path from the Run value below.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- wscript.exe: Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
- wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\4YC5ICXZVV = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\I1B26A8C6D5Z.js'"
The value name 4YC5ICXZVV is random-looking and the data points at the original copy in %LOCALAPPDATA%\Temp rather than at the Startup-folder copy, so this entry only survives as long as the Temp file does. Remediation has to remove the Run value, the Startup-folder copy and the scheduled task together.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature. The report lists no IoC under it and records no file-encryption activity, so the ransomware reading is a heuristic, not an observation from this run.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The IoC is the schtasks.exe command line in the process tree below: a task named Skype that re-runs the script from %LOCALAPPDATA%\Temp every 30 minutes, giving the sample a third persistence mechanism alongside the Run value and the Startup-folder copy.
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 1424 wscript.exe wrote to memory of PID 576 schtasks.exe
- PID 1424 wscript.exe wrote to memory of PID 576 schtasks.exe
- PID 1424 wscript.exe wrote to memory of PID 576 schtasks.exe
All three writes go from wscript.exe into the schtasks.exe child it has just spawned. A parent writing into a freshly created child is what process creation looks like at this level of telemetry; on its own it is not evidence of code injection into an unrelated process.
Processes
-
C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\I1B26A8C6D5Z.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\schtasks.exe (child of wscript.exe)
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\I1B26A8C6D5Z.js
    - Creates scheduled task(s)
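The three persistence mechanisms this report records (a script dropped into the Startup folder, a Run value pointing at a script in Temp, and a schtasks task registered by the script host) map directly onto host telemetry. The following Python is an added example and is not part of the sandbox report or its tooling: it runs detection logic over constructed Sysmon-style events modelled on the IoCs above (not captured telemetry), plus two constructed benign rows that must not fire. Assumptions: field names follow Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value set); the ATT&CK IDs T1053.005 and T1547.001 are the standard mappings for scheduled tasks and Run keys/Startup folder; the constructed schtasks command line is given its closing quote, which the report's own line lacks.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style events modelled on the IoCs in this report; this is
# not captured telemetry. EventID follows Sysmon: 1 = process create,
# 11 = file create, 13 = registry value set. The last two rows are benign
# controls that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\system32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\I1B26A8C6D5Z.js"},
    {"EventID": "11", "Image": r"C:\Windows\system32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\I1B26A8C6D5Z.js"},
    {"EventID": "13", "Image": r"C:\Windows\system32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-3456797065-1076791440-4146276586-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\4YC5ICXZVV",
     "Details": r"'C:\Users\Admin\AppData\Local\Temp\I1B26A8C6D5Z.js'"},
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 '
                    r"/tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\I1B26A8C6D5Z.js'"},
    # Benign control: a query, not a creation, from an interactive shell.
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"},
    # Benign control: an installer registering an .exe under Program Files.
    {"EventID": "13", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh|hta)\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Local\\Temp|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)
# /switch optionally followed by a value that is not itself a switch; values may be quoted.
SCHTASKS_SWITCH = re.compile(r'''/(\w+)(?:\s+(?!/)("[^"]*"|'[^']*'|\S+))?''')

Finding = Tuple[str, str, str]  # (ATT&CK technique, description, evidence)


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerating surrounding quotes."""
    return path.strip("\"'").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline: str) -> Dict[str, Optional[str]]:
    """Split a schtasks command line into {switch: value}; valueless switches map to None."""
    return {m.group(1).lower(): (m.group(2).strip("\"'") if m.group(2) else None)
            for m in SCHTASKS_SWITCH.finditer(cmdline)}


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Return persistence findings for the three TTPs recorded in the report."""
    findings: List[Finding] = []
    for ev in events:
        eid, image = ev.get("EventID"), _basename(ev.get("Image", ""))
        if eid == "1" and image == "schtasks.exe":
            cmd = ev.get("CommandLine", "")
            task = parse_schtasks(cmd)
            parent = _basename(ev.get("ParentImage", ""))
            # A script host registering a task whose action (/tr) is another script.
            if "create" in task and parent in SCRIPT_HOSTS and SCRIPT_EXT.search(task.get("tr") or ""):
                findings.append(("T1053.005", "script host created a scheduled task that runs a script", cmd))
        elif eid == "11" and image in SCRIPT_HOSTS:
            target = ev.get("TargetFilename", "")
            if STARTUP_DIR.search(target) and SCRIPT_EXT.search(target):
                findings.append(("T1547.001", "script host dropped a script into the Startup folder", target))
        elif eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
            data = ev.get("Details", "")
            # A Run value whose command is a script sitting in a user-writable directory.
            if SCRIPT_EXT.search(data) and USER_WRITABLE.search(data):
                findings.append(("T1547.001", "Run value points at a script in a user-writable directory", data))
    return findings


if __name__ == "__main__":
    for technique, why, evidence in detect(SAMPLE_EVENTS):
        print(f"{technique}: {why}\n    {evidence}")
```

The schtasks rule keys on the parent being a script host and the task action being a script file rather than on the task name, because the name (Skype here) is attacker-chosen and will change between samples while the wscript.exe to schtasks.exe /create relationship does not. The Run-key rule requires both a script extension and a user-writable location so that legitimate installers writing .exe paths under Program Files, as in the second control row, stay silent.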