Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 18-12-2021 08:48
Static task: static1
Behavioral task: behavioral1
- Sample: IMG-17122021.js
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: IMG-17122021.js
- Resource: win10-en-20211208
General
- Target: IMG-17122021.js
- Size: 444KB
- MD5: 0df3a8c017448979574150a7ec49268d
- SHA1: 075ed41bbf2157cb4d1bfb64ad4029b30749294f
- SHA256: 796e03ed9e5304d0a2bc4855b89282b0fe9f4522df8e27a3923e26e13e1e257d
- SHA512: a857399bea5264f8673ae9970ffea02402828b549b57e4f38fd50e8d5aa03d0c5d26f2e5ae72e98cc3cbf2a00d9da34587eed020a51f8989b88c18536360a48c
Malware Config
Signatures
- Blocklisted process makes network request (36 IoCs)
  Processes (network flow ids per process):
  - PID 1432 wscript.exe: flows 8, 12, 15, 20, 23, 26, 31, 34, 37, 42, 45, 48, 53, 56, 59, 64, 67, 71
  - PID 588 wscript.exe: flows 9, 11, 14, 18, 22, 25, 29, 33, 35, 41, 44, 46, 52, 55, 58, 63, 66, 69
- Drops startup file (4 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xFozEXCjGc.js | wscript.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xFozEXCjGc.js | wscript.exe
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG-17122021.js | wscript.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG-17122021.js | wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\xFozEXCjGc.js\"" | wscript.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\R4J2SBXQ4G = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG-17122021.js\"" | wscript.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  - PID 1432 wrote to memory of 588 | 1432 | wscript.exe | wscript.exe
  - PID 1432 wrote to memory of 588 | 1432 | wscript.exe | wscript.exe
  - PID 1432 wrote to memory of 588 | 1432 | wscript.exe | wscript.exe
  - PID 1432 wrote to memory of 880 | 1432 | wscript.exe | schtasks.exe
  - PID 1432 wrote to memory of 880 | 1432 | wscript.exe | schtasks.exe
  - PID 1432 wrote to memory of 880 | 1432 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe (PID 1432)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-17122021.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 588, child of 1432)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xFozEXCjGc.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\schtasks.exe (PID 880, child of 1432)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\IMG-17122021.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\xFozEXCjGc.js
  - MD5: 748521dc9913de2bebe7976db27ebbd4
  - SHA1: 58d521b95cc87fe0b66301a405a3b7d05ec9c452
  - SHA256: 49829dd56456af8482b5da5491fefcf10e556d3240644447d68d3d29c8b93b2f
  - SHA512: 578d71c9d32a689466918ee940f0f8e3da95b7dea431e4ec70a1974be587996d74523bc55d36bf72fa1f604ec9995c696826a1c516fc5e3bf1807eecbc1b87bf
- memory/588-55-0x0000000000000000-mapping.dmp
- memory/880-57-0x0000000000000000-mapping.dmp
- memory/1432-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
  - Filesize: 8KB