Analysis
max time kernel: 147s
max time network: 153s
platform: windows10_x64
resource: win10-en-20210920
submitted: 08-10-2021 17:58

Static task: static1

Behavioral task: behavioral1
Sample: H6A4X3S1N9Z.js
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: H6A4X3S1N9Z.js
Resource: win10-en-20210920 (windows10_x64)
0 signatures, 0 seconds
General
Target: H6A4X3S1N9Z.js
Size: 81KB
MD5: a31982d00a3a562bf83d278381faf93f
SHA1: 91f492ec2722df91bd4c97a1eb4446e62f9822a1
SHA256: 122fd7c3913dfaba9361882a48ad391f14dfcaa978d603e80620ddc204eb73b0
SHA512: 8aed8e36b4ca759a78bab195e9112f5a3bb643b7266470684c93f1abb329406e334e0553bee86b1ce43cf1ba1df22e3cde5cfeeab5e6115458a693487cc0269f
Score: 10/10

Malware Config
Signatures

Blocklisted process makes network request (18 IoCs)
- Process: wscript.exe (PID 2068)
- Network flows: 10, 23, 28, 29, 30, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44 (18 flows, all from PID 2068)

Drops startup file (2 IoCs)
- File created (wscript.exe): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H6A4X3S1N9Z.js
- File opened for modification (wscript.exe): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H6A4X3S1N9Z.js

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created (wscript.exe): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str) (wscript.exe): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\RZJR7TBG32 = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\H6A4X3S1N9Z.js'"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (2 IoCs)
- PID 2068 (wscript.exe) wrote to memory of PID 1260 (schtasks.exe)
- PID 2068 (wscript.exe) wrote to memory of PID 1260 (schtasks.exe) (second, identical entry in the report)
Processes
- C:\Windows\system32\wscript.exe (PID 2068)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\H6A4X3S1N9Z.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 1260, child of PID 2068)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\H6A4X3S1N9Z.js
    - Creates scheduled task(s)
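The two persistence mechanisms above (the Run value and the 30-minute schtasks job, both pointing at the .js in %TEMP%, with the task named after a legitimate product) are the kind of thing worth catching automatically from sandbox output or from Sysmon/EDR command-line telemetry. The following Python is an added example written for this page, not part of the sandbox report or of the sample: it parses schtasks /create command lines and the report's Run-key IoC line, and flags any action that launches a script-engine file type, goes through a script host, or runs from a user-writable directory. The first two entries of REPORT_LINES are copied from the report above; the Backup and Updater lines, the extension/host/path lists and all function names are constructed assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Heuristic lists (assumed for this example, not taken from the report): script-engine
# file types, script hosts and user-writable drop locations. The task in this report is
# the textbook case: a .js in %TEMP% re-run every 30 minutes under the task name "Skype".
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

# One schtasks switch plus its optional value: "quoted", 'quoted', an unterminated
# 'quoted value (exactly what the report shows for /tr), or a bare word.
SWITCH_RE = re.compile(r"/(\w+)(?:\s+(?!/)(\"[^\"]*\"|'[^']*'|'\S*|\S+))?")
# Shape of the report's registry IoC: ...\CurrentVersion\Run\<name> = "<value>"
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\s=]+)\s*=\s*\"(.*)\"")
# First token of a command line, honouring double quotes.
PROGRAM_RE = re.compile(r"\s*(?:\"([^\"]*)\"|(\S+))")
# Trailing file extension of a string (".js", ".exe", ...).
EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,4})\s*$")


def unquote(value):
    """Strip whitespace and one layer of surrounding (possibly unbalanced) quotes."""
    return value.strip().strip("'\"")


def parse_schtasks(cmdline):
    """Map each /switch of a schtasks.exe command line to its raw value (lower-cased keys)."""
    return {k.lower(): v for k, v in SWITCH_RE.findall(cmdline)}


def parse_run_value(ioc_line):
    """Parse a sandbox 'Set value' IoC line for a Run/RunOnce entry, or return None."""
    m = RUN_VALUE_RE.search(ioc_line)
    if not m:
        return None
    key, name, raw = m.groups()
    # The report JSON-escapes backslashes inside the value; collapse them back.
    return {"key": key, "name": name, "action": raw.replace("\\\\", "\\")}


def classify_action(action):
    """Return the reasons an autostart action looks like script persistence ([] = clean)."""
    whole = unquote(action)
    m = PROGRAM_RE.match(whole)
    program = next((g for g in m.groups() if g is not None), "") if m else ""
    # A script file may be the program itself or the last argument handed to a host.
    exts = set()
    for candidate in (program, whole):
        e = EXT_RE.search(candidate)
        if e:
            exts.add(e.group(1).lower())
    reasons = ["script file " + e for e in sorted(exts & SCRIPT_EXTS)]
    host = PureWindowsPath(program).stem.lower()
    if host in SCRIPT_HOSTS:
        reasons.append("script host " + host)
    if any(d in whole.lower() for d in USER_WRITABLE):
        reasons.append("user-writable location")
    return reasons


def find_persistence(lines):
    """Scan report/telemetry lines for schtasks /create commands and Run values."""
    findings = []
    for line in lines:
        low = line.lower()
        if "schtasks" in low and "/create" in low:
            sw = parse_schtasks(line)
            action = sw.get("tr", "")
            reasons = classify_action(action)
            if reasons:
                findings.append({"source": "schtasks", "name": unquote(sw.get("tn", "")),
                                 "schedule": (sw.get("sc", ""), sw.get("mo", "")),
                                 "action": unquote(action), "reasons": reasons})
            continue
        run = parse_run_value(line)
        if run:
            reasons = classify_action(run["action"])
            if reasons:
                findings.append({"source": run["key"], "name": run["name"],
                                 "schedule": ("logon", ""),
                                 "action": unquote(run["action"]), "reasons": reasons})
    return findings


# Constructed input: lines 1 and 2 are copied from the report above; 3 (benign) and 4
# (a script host launching a .js from C:\Users\Public) are made up for the example.
REPORT_LINES = [
    r'''Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\RZJR7TBG32 = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\H6A4X3S1N9Z.js'"''',
    r'''"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\H6A4X3S1N9Z.js''',
    r'''"C:\Windows\System32\schtasks.exe" /create /sc daily /tn Backup /tr "C:\Program Files\Vendor\backup.exe"''',
    r'''"C:\Windows\System32\schtasks.exe" /create /sc onlogon /tn Updater /tr "wscript.exe //B C:\Users\Public\u.js"''',
]

if __name__ == "__main__":
    for f in find_persistence(REPORT_LINES):
        print(f"{f['source']:9} {f['name']:12} {f['schedule']} {f['action']}  <- {', '.join(f['reasons'])}")
```

The unterminated quote in the report's /tr argument is kept as-is and tolerated by the switch parser; the same function works on Sysmon Event ID 1 command lines, where the quoting is usually balanced. Task names like "Skype" are deliberately not part of the scoring, since the name is attacker-chosen and only the action (file type, host, location) is reliable.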
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1260-115-0x0000000000000000-mapping.dmp