Analysis
- max time kernel: 154s
- max time network: 155s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 08-12-2021 15:48
Static task: static1

Behavioral task: behavioral1
- Sample: IwhBHZSsWd.js
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: IwhBHZSsWd.js
- Resource: win10-en-20211208 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: IwhBHZSsWd.js
- Size: 66KB
- MD5: be3598b9ef31862aa34d1b79014c22de
- SHA1: 4d102790ec4bb3f6c95dc5097355c5f03c27beaf
- SHA256: 69ffc81cf2305ba7dedc79679eb1929dbdbf9e0a4cd6a53193c0367279750b4c
- SHA512: 778ad27bedbe8c275a5abdcba6f9a1ba43d8963ca67bbc768265fe6e5dcd380e1c7a191f7471364f5d6c22b1ba954819574f185141c631b2deca53a3ba6f7c01
- Score: 10/10
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: wscript.exe
  flow  pid   process
  7     2492  wscript.exe
  18    2492  wscript.exe
  19    2492  wscript.exe
  20    2492  wscript.exe
  26    2492  wscript.exe
  28    2492  wscript.exe
  29    2492  wscript.exe
  30    2492  wscript.exe
  33    2492  wscript.exe
  34    2492  wscript.exe
  35    2492  wscript.exe
  36    2492  wscript.exe
  37    2492  wscript.exe
  38    2492  wscript.exe
  39    2492  wscript.exe
  40    2492  wscript.exe
  41    2492  wscript.exe
  42    2492  wscript.exe

- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                  ioc                                                                                              process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js       wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js       wscript.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IwhBHZSsWd.js\""  wscript.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.