Analysis
max time kernel: 150s
max time network: 188s
platform: windows7_x64
resource: win7v20210408
submitted: 08-10-2021 17:58
Static task: static1
Behavioral task: behavioral1
  Sample: H6A4X3S1N9Z.js
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: H6A4X3S1N9Z.js
  Resource: win10-en-20210920 (windows10_x64)
  0 signatures, 0 seconds
General
Target: H6A4X3S1N9Z.js
Size: 81KB
MD5: a31982d00a3a562bf83d278381faf93f
SHA1: 91f492ec2722df91bd4c97a1eb4446e62f9822a1
SHA256: 122fd7c3913dfaba9361882a48ad391f14dfcaa978d603e80620ddc204eb73b0
SHA512: 8aed8e36b4ca759a78bab195e9112f5a3bb643b7266470684c93f1abb329406e334e0553bee86b1ce43cf1ba1df22e3cde5cfeeab5e6115458a693487cc0269f
Score: 10/10
Malware Config

Signatures

Blocklisted process makes network request (18 IoCs)
Processes (flow / pid / process):
  wscript.exe (pid 1660): flows 7, 9, 10, 12, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25, 26, 28, 29, 30

Drops startup file (2 IoCs)
Processes (description / ioc / process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H6A4X3S1N9Z.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H6A4X3S1N9Z.js (wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\RZJR7TBG32 = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\H6A4X3S1N9Z.js'" (wscript.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
  PID 1660 wrote to memory of 1124: wscript.exe -> schtasks.exe
  PID 1660 wrote to memory of 1124: wscript.exe -> schtasks.exe
  PID 1660 wrote to memory of 1124: wscript.exe -> schtasks.exe
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\H6A4X3S1N9Z.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\H6A4X3S1N9Z.js
    - Creates scheduled task(s)