Analysis
  max time kernel: 115s
  max time network: 158s
  platform: windows7_x64
  resource: win7v20210408
  submitted: 08-10-2021 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: I1B26A8C6D5Z.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: I1B26A8C6D5Z.js
  Resource: win10v20210408
General
  Target: I1B26A8C6D5Z.js
  Size: 81KB
  MD5: fd18077eddfff5bb1d86e8f0de281d6d
  SHA1: 1a415d1c8263b8de8eb9352f4855dead687ce7fa
  SHA256: 53838e5cc5aed0da2d6f91ab858a442e3e1760aef0cc333ba69e9610993e9ce3
  SHA512: f63f848bcf69be3f71d28ac98bb09e8f6186076d08e216423cedbe3a7cd75b0f1c7bdeb67bf77532730acf9cd3db9bf97d07c57948a4d655eeee802d80c531ec
Malware Config
  Extracted: vjw0rm
    http://myjs5690.duckdns.org:5690
Signatures

Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid  | process
    6    | 2016 | wscript.exe

Drops startup file (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1B26A8C6D5Z.js | wscript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1B26A8C6D5Z.js | wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\4YC5ICXZVV = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\I1B26A8C6D5Z.js'" | wscript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid  | process     | target process
    PID 2016 wrote to memory of 1412 | 2016 | wscript.exe | schtasks.exe
    PID 2016 wrote to memory of 1412 | 2016 | wscript.exe | schtasks.exe
    PID 2016 wrote to memory of 1412 | 2016 | wscript.exe | schtasks.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\I1B26A8C6D5Z.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\schtasks.exe
   Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\I1B26A8C6D5Z.js
   - Creates scheduled task(s)