Analysis
- max time kernel: 145s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 02-02-2022 08:30
Static task: static1

Behavioral task: behavioral1
- Sample: RGDWPBDPM728HJNS5053.js
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: RGDWPBDPM728HJNS5053.js
- Resource: win10v2004-en-20220112
General
- Target: RGDWPBDPM728HJNS5053.js
- Size: 13KB
- MD5: c5ec831cc7614d4c4788432f4ab26c2a
- SHA1: 96118b4a23d05f840d4fe8094b3653a9edef2393
- SHA256: 8f5181621b7256b4db75d16e9f99a6e696155f0b516b01177b67d5ad23acfe3f
- SHA512: 9f92b9cee92a51f5f868147742ff9d1bde95065921a1f71810997abfb95ac3cd1fc9c1b33d432501f9ed8924ebcdcf059dcb01de84935222c760cf1f2c2331ba
Malware Config
Signatures
- Blocklisted process makes network request (5 IoCs)
  Processes (flow | pid | process):
  5 | 808 | wscript.exe
  6 | 808 | wscript.exe
  7 | 808 | wscript.exe
  9 | 808 | wscript.exe
  10 | 808 | wscript.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RGDWPBDPM728HJNS5053.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RGDWPBDPM728HJNS5053.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\4TQA81RBOA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RGDWPBDPM728HJNS5053.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 808 wrote to memory of 976 | 808 | wscript.exe | schtasks.exe
  PID 808 wrote to memory of 976 | 808 | wscript.exe | schtasks.exe
  PID 808 wrote to memory of 976 | 808 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\RGDWPBDPM728HJNS5053.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\RGDWPBDPM728HJNS5053.js
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/808-55-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp
  Filesize: 8KB