Analysis
max time kernel: 150s
max time network: 195s
platform: windows7_x64
resource: win7v20210408
submitted: 08-10-2021 17:58

Static task: static1

Behavioral task: behavioral1
Sample: F51N3M18A6S.js
Resource: win7v20210408 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: F51N3M18A6S.js
Resource: win10v20210408 (windows10_x64)
0 signatures
0 seconds

General
Target: F51N3M18A6S.js
Size: 81KB
MD5: e600ddc9272ed25bbf4291460be628d9
SHA1: e85a57ab41b248887d8dd55bb41c41b12a9da15c
SHA256: a2cbfdcfc29291460269481e1fbb5084ac7d96bd51e8c8e2d1973d6a17faf9e1
SHA512: cf3d5d24d72da30def5081b6ebff68d8fbc8feee7fa96d1594daaf98563909c2e0379a2011e3a29ddffee0e5e4724d873f6265d6707f7b208bf7167d77f37ed9
Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request 18 IoCs
Processes: wscript.exe

| flow | pid | process |
| --- | --- | --- |
| 8 | 1080 | wscript.exe |
| 9 | 1080 | wscript.exe |
| 10 | 1080 | wscript.exe |
| 12 | 1080 | wscript.exe |
| 13 | 1080 | wscript.exe |
| 14 | 1080 | wscript.exe |
| 16 | 1080 | wscript.exe |
| 17 | 1080 | wscript.exe |
| 18 | 1080 | wscript.exe |
| 20 | 1080 | wscript.exe |
| 21 | 1080 | wscript.exe |
| 22 | 1080 | wscript.exe |
| 24 | 1080 | wscript.exe |
| 25 | 1080 | wscript.exe |
| 26 | 1080 | wscript.exe |
| 28 | 1080 | wscript.exe |
| 29 | 1080 | wscript.exe |
| 30 | 1080 | wscript.exe |

Drops startup file 2 IoCs
Processes: wscript.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F51N3M18A6S.js | wscript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F51N3M18A6S.js | wscript.exe |

Adds Run key to start application 2 TTPs 2 IoCs
Processes: wscript.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\RZJR7TBG32 = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\F51N3M18A6S.js'" | wscript.exe |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory 3 IoCs
Processes: wscript.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1080 wrote to memory of 1784 | 1080 | wscript.exe | schtasks.exe |
| PID 1080 wrote to memory of 1784 | 1080 | wscript.exe | schtasks.exe |
| PID 1080 wrote to memory of 1784 | 1080 | wscript.exe | schtasks.exe |

Processes

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\F51N3M18A6S.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\F51N3M18A6S.js
- Creates scheduled task(s)