Analysis

max time kernel: 145s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-12-2021 14:37

Static task: static1

Behavioral task: behavioral1
  Sample: ZXTEJDJGDMND.js
  Resource: win7-en-20211208
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: ZXTEJDJGDMND.js
  Resource: win10-en-20211208
  0 signatures, 0 seconds

General

Target: ZXTEJDJGDMND.js
Size: 9KB
MD5: 4bf6f13902c5c69baf11914cc4c6eb4c
SHA1: 5fcb4b1f0092a79c2f050c678a69fbc6ee8e2852
SHA256: d1d87467831ba4b691160509772995bb99ce7d2abcc96bd6b6cdd6ec1af058dc
SHA512: 1b3ecdf7dd4a8541c80d0fa51359228bdb10687715697cb1ceaea8e14d36db5f6f53425a3e5f065797faf2ff8ebdc7c9afe5e32a9149de1d81e79b68a10dbaa9
Score: 10/10
Malware Config
Signatures
Blocklisted process makes network request (18 IoCs)
Processes:
  flow  pid   process
  10    2196  wscript.exe
  12    2196  wscript.exe
  15    2196  wscript.exe
  16    2196  wscript.exe
  27    2196  wscript.exe
  28    2196  wscript.exe
  34    2196  wscript.exe
  35    2196  wscript.exe
  36    2196  wscript.exe
  38    2196  wscript.exe
  39    2196  wscript.exe
  40    2196  wscript.exe
  41    2196  wscript.exe
  42    2196  wscript.exe
  43    2196  wscript.exe
  44    2196  wscript.exe
  45    2196  wscript.exe
  46    2196  wscript.exe

Drops startup file (2 IoCs)
Processes:
  description                  ioc                                                                                       process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZXTEJDJGDMND.js  wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZXTEJDJGDMND.js  wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\POXI8QWF6K = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZXTEJDJGDMND.js\""  wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run                     wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description                        pid   process      target process
  PID 2196 wrote to memory of 3784   2196  wscript.exe  schtasks.exe
  PID 2196 wrote to memory of 3784   2196  wscript.exe  schtasks.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ZXTEJDJGDMND.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\schtasks.exe (child of 1)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\ZXTEJDJGDMND.js
      (as recorded by the sandbox; the closing quote of the /tr value is missing)
      - Creates scheduled task(s)
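The process tree above is the whole persistence chain of this run in one place: a script host started on a .js in %TEMP%, a copy of the script dropped into the per-user Startup folder, a Run value under the user's hive, and a schtasks.exe task (named "Skype") that re-runs the same .js every 30 minutes. The following is an added hunting example written for this page; it is not part of the Triage report, the sandbox, or the sample. It encodes those four behaviours as rules over constructed Sysmon-style events (Event ID 1 process creation, 11 file create, 13 registry value set) whose values are taken from this report, then correlates the hits by script file name. Field names follow Sysmon's; the explorer.exe parent of wscript.exe and the final benign schtasks control event are assumptions for the demonstration, not data from the report.

```python
"""Added hunting example (not part of the Triage report): rules for the
persistence chain in this run, evaluated over constructed Sysmon-style events.

Event IDs used: 1 = process creation, 11 = file create, 13 = registry value set.
The records are built from values in the report; the explorer.exe parent of
wscript.exe and the final benign schtasks event are assumptions for the demo."""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh|hta)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
SCRIPT_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:js|jse|vbs|vbe|wsf|wsh|hta)\b', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# /tr value of schtasks: quoted or bare. Tolerates an unclosed quote, which is
# exactly what the command line recorded in this report has.
TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"?|(\S+))', re.IGNORECASE)
SC_ARG = re.compile(r"/sc\s+(\S+)", re.IGNORECASE)
MO_ARG = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_user_path(ev):
    """wscript/cscript/mshta executing a script that lives in a user-writable dir."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    m = SCRIPT_PATH.search(ev.get("CommandLine", ""))
    if not m or not USER_WRITABLE.search(m.group(0)):
        return None
    return {"rule": "script_host_from_user_path", "pid": ev["ProcessId"], "script": m.group(0)}


def startup_folder_script(ev):
    """A script file written into the per-user Startup folder."""
    target = ev.get("TargetFilename", "")
    if ev.get("EventID") != 11 or not (STARTUP_DIR.search(target) and SCRIPT_EXT.search(target)):
        return None
    return {"rule": "startup_folder_script", "pid": ev["ProcessId"], "script": target}


def run_key_script(ev):
    """A Run/RunOnce value whose data points at a script in a user-writable dir."""
    details = ev.get("Details", "").strip('"')
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    if not (SCRIPT_EXT.search(details) and USER_WRITABLE.search(details)):
        return None
    return {"rule": "run_key_script", "pid": ev["ProcessId"],
            "value": ev["TargetObject"].rsplit("\\", 1)[-1], "script": details}


def schtasks_script_persistence(ev):
    """schtasks /create spawned by a script host whose task action is a script in a
    user-writable dir. An admin task created from cmd.exe does not match."""
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "schtasks.exe":
        return None
    if _base(ev.get("ParentImage", "")) not in SCRIPT_HOSTS or "/create" not in cmd.lower():
        return None
    m = TR_ARG.search(cmd)
    action = (m.group(1) or m.group(2)) if m else ""
    if not (SCRIPT_EXT.search(action) and USER_WRITABLE.search(action)):
        return None
    sc, mo = SC_ARG.search(cmd), MO_ARG.search(cmd)
    schedule = (sc.group(1) if sc else "?") + "/" + (mo.group(1) if mo else "1")
    return {"rule": "schtasks_script_persistence", "pid": ev["ProcessId"],
            "schedule": schedule, "script": action}


RULES = (script_host_from_user_path, startup_folder_script, run_key_script,
         schtasks_script_persistence)


def triage(events):
    """Run every rule over every event; return the list of hits in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def persistence_chain(events):
    """Correlate hits by script file name: a script named by two or more distinct
    mechanisms is the chain this report shows, not a one-off."""
    by_script = {}
    for hit in triage(events):
        by_script.setdefault(_base(hit["script"]), set()).add(hit["rule"])
    return {name: sorted(rules) for name, rules in by_script.items() if len(rules) >= 2}


# Constructed sample events (values from this report; see the docstring for assumptions).
SID = "S-1-5-21-2361464256-2201551969-2316606395-1000"
EVENTS = [
    {"EventID": 1, "ProcessId": 2196, "Image": r"C:\Windows\system32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # assumed parent, not in the report
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ZXTEJDJGDMND.js"},
    {"EventID": 11, "ProcessId": 2196, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZXTEJDJGDMND.js"},
    {"EventID": 13, "ProcessId": 2196, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\POXI8QWF6K" % SID,
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\ZXTEJDJGDMND.js"'},
    {"EventID": 1, "ProcessId": 3784, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\ZXTEJDJGDMND.js'},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\schtasks.exe",  # benign control (assumed)
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
    print(persistence_chain(EVENTS))
```

Each rule alone is noisy in a real estate (administrators do create tasks, and Startup-folder scripts exist); the correlation in persistence_chain is what turns the four weak signals into one strong one, and it keys on the script's file name because the Run value and the task point at the %TEMP% copy while the Startup-folder entry is a second copy of the same file.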
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- memory/3784-118-0x0000000000000000-mapping.dmp