Analysis
Max time kernel: 151s
Max time network: 155s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 08/12/2021, 16:07
Static task: static1
Behavioral task: behavioral1
  Sample: js-decoded-1.js
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: js-decoded-1.js
  Resource: win10-en-20211208
General
Target: js-decoded-1.js
Size: 346KB
MD5: 241d3041e2bb264cf886eff9fc3de24e
SHA1: 7f3fe68b0ef727fca62441cff8eea28c5cd51941
SHA256: e817bd6a89f5bc3ee448e3c39e5c4739cf010bb815d087ecdd1b5e1f30c04959
SHA512: 078b8f61b2afeefdf283d6e8f6b33986fc3500788b8d77e7672fc6aae70221ac140d850f91401a3e65a8996f49b4c9babdabac7071d7ea40adc84c62e9bbddc0
Score: 10/10
Malware Config
Signatures
-
Blocklisted process makes network request (18 IoCs)
flow | pid | Process
All 18 flows originate from the same process, pid 3080 (WScript.exe): flow ids 7, 10, 27, 32, 33, 34, 35, 36, 38, 39, 40, 41, 42, 43, 46, 47, 48 and 49.
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js | WScript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\IwhBHZSsWd.js" | WScript.exe
Note: the Run value is a bare quoted path to the .js file with no host executable, so at logon it relies on the .js file association (wscript.exe by default) to run the script. Together with the Startup-folder copy above, the same script is persisted twice under the user's profile.
Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File opened for modification, by java.exe, for each of the twelve paths below (base directory C:\Program Files\Java\jre1.8.0_66\bin\):
  jvm.pdb and ntdll.pdb in .\
  jvm.pdb and ntdll.pdb in dll\
  jvm.pdb and ntdll.pdb in symbols\dll\
  jvm.pdb and ntdll.pdb in server\
  jvm.pdb and ntdll.pdb in server\dll\
  jvm.pdb and ntdll.pdb in server\symbols\dll\
Note: this layout (X.pdb, dll\X.pdb, symbols\dll\X.pdb beside the loaded module) is the dbghelp symbol search path, which the JVM walks when it resolves native symbols. The report records opens, not file creation, and nothing here is attributable to the payload; treat these entries as JVM noise rather than as the payload writing into Program Files.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: the second sentence is the sandbox's generic description for this signature. This report records no file encryption; the other signatures describe a script dropper with two persistence mechanisms and a Java payload, so the drive enumeration alone should not be read as ransomware.
-
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | wscript.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3692 wrote to memory of 3080 | 3692 | wscript.exe | 68
PID 3692 wrote to memory of 3080 | 3692 | wscript.exe | 68
PID 3692 wrote to memory of 2072 | 3692 | wscript.exe | 70
PID 3692 wrote to memory of 2072 | 3692 | wscript.exe | 70
PID 2072 wrote to memory of 64 | 2072 | javaw.exe | 71
PID 2072 wrote to memory of 64 | 2072 | javaw.exe | 71
Each write pairs a parent with its own child in the process tree below (3692 to 3080, 3692 to 2072, 2072 to 64); no write to an unrelated process is recorded.
Processes
Depth 1: C:\Windows\system32\wscript.exe (PID 3692)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\js-decoded-1.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\System32\WScript.exe (PID 3080)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IwhBHZSsWd.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  Depth 2: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 2072)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vhlxhgn.txt"
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Program Files\Java\jre1.8.0_66\bin\java.exe (PID 64)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\vhlxhgn.txt"
      - Drops file in Program Files directory
Note: the Java payload is launched with -jar from a file carrying a .txt extension; the JVM does not check the extension, only the ZIP/JAR structure, so the name is cosmetic. The two Java invocations reference different paths (AppData\Roaming\vhlxhgn.txt for javaw.exe, the profile root C:\Users\Admin\vhlxhgn.txt for java.exe); both are recorded as the sandbox reported them.
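The behaviours this report flags (a script host persisting a .js via the Run key and the Startup folder, a script host spawning Java, and Java launched with -jar on a file that is not named .jar) can be checked mechanically against the process, registry and file events of a run. The following is an added example, not part of the original report and not Triage's own code. It defines its own minimal Event record (the field names kind, pid, ppid, image, cmdline, key, value and path are assumptions for this example, not a sandbox export format), builds the sample events by hand from the entries above, and also shows how to suppress the JVM symbol-lookup (.pdb) noise so it does not count as a Program Files write:

```python
"""Triage helper for sandbox events of the shape shown in this report.

Added example: not part of the original report and not Triage's own code.
The Event fields and the SAMPLE_EVENTS below are constructed by hand from
the report's signature and process entries; the field names are
assumptions made for this example, not a sandbox export format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
JAVA_IMAGES = ("java.exe", "javaw.exe")


@dataclass
class Event:
    kind: str            # "process", "reg_set" or "file_write"
    pid: int = 0
    ppid: int = 0
    image: str = ""      # image of the acting process
    cmdline: str = ""    # process: full command line
    key: str = ""        # reg_set: full value path
    value: str = ""      # reg_set: data written
    path: str = ""       # file_write: file touched


def basename(p: str) -> str:
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def jar_arg(cmdline: str) -> Optional[str]:
    """File handed to `java -jar`; quoted paths containing spaces are handled."""
    m = re.search(r'-jar\s+(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_symbol_lookup_noise(ev: Event) -> bool:
    """A JVM touching <dir>\\X.pdb, <dir>\\dll\\X.pdb or <dir>\\symbols\\dll\\X.pdb
    is walking dbghelp's symbol search path, not dropping a payload."""
    return basename(ev.image) in JAVA_IMAGES and ev.path.lower().endswith(".pdb")


def find_findings(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for the persistence and Java-loader patterns."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    out: List[Tuple[str, str]] = []
    for e in events:
        if e.kind == "reg_set":
            target = e.value.strip().strip('"')   # Run values may be quoted paths
            if "\\currentversion\\run" in e.key.lower() and basename(target).endswith(SCRIPT_EXT):
                out.append(("run_key_script", target))
        elif e.kind == "file_write":
            low = e.path.lower()
            if "\\start menu\\programs\\startup\\" in low and basename(e.path).endswith(SCRIPT_EXT):
                out.append(("startup_folder_script", e.path))
            elif "\\program files" in low and not is_symbol_lookup_noise(e):
                out.append(("writes_program_files", e.path))
        elif e.kind == "process" and basename(e.image) in JAVA_IMAGES:
            jar = jar_arg(e.cmdline)
            if jar and not jar.lower().endswith(".jar"):
                out.append(("jar_with_disguised_extension", jar))
            parent = procs.get(e.ppid)
            if parent and basename(parent.image) in SCRIPT_HOSTS:
                out.append(("script_host_spawns_java", f"{parent.pid}->{e.pid}"))
    return out


# Constructed from the report above; PIDs, paths and the Run value are the report's own.
SAMPLE_EVENTS = [
    Event("process", pid=3692, ppid=0, image=r"C:\Windows\system32\wscript.exe",
          cmdline=r"wscript.exe C:\Users\Admin\AppData\Local\Temp\js-decoded-1.js"),
    Event("process", pid=3080, ppid=3692, image=r"C:\Windows\System32\WScript.exe",
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IwhBHZSsWd.js"'),
    Event("process", pid=2072, ppid=3692, image=r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
          cmdline=r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\vhlxhgn.txt"'),
    Event("process", pid=64, ppid=2072, image=r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe",
          cmdline=r'"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\vhlxhgn.txt"'),
    Event("reg_set", pid=3080, image="WScript.exe",
          key=r"HKU\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
          value=r'"C:\Users\Admin\AppData\Roaming\IwhBHZSsWd.js"'),
    Event("file_write", pid=3080, image="WScript.exe",
          path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwhBHZSsWd.js"),
    Event("file_write", pid=64, image="java.exe",
          path=r"C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb"),
]

if __name__ == "__main__":
    for kind, detail in find_findings(SAMPLE_EVENTS):
        print(f"{kind:30} {detail}")
```

Run stand-alone, the block lists five findings for the sample: both Java launches with a non-.jar payload name, the wscript.exe to javaw.exe spawn, the Run key pointing at the .js, and the Startup-folder copy; the jvm.pdb open is filtered out as symbol-lookup noise. The parent lookup only sees processes present in the event list, so a feed that omits the parent process will not produce the spawn finding.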