Analysis
max time kernel: 153s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 07-02-2022 16:50
Static task: static1
Behavioral task: behavioral1 | Sample: RTK009ENF.js | Resource: win7-en-20211208
Behavioral task: behavioral2 | Sample: RTK009ENF.js | Resource: win10v2004-en-20220112
Behavioral task: behavioral3 | Sample: YRGH009QA.js | Resource: win7-en-20211208
Behavioral task: behavioral4 | Sample: YRGH009QA.js | Resource: win10v2004-en-20220113
General
Target: YRGH009QA.js
Size: 13KB
MD5: 7e4052c4ef66b69ea6567cf9511cddcd
SHA1: 4d3b046443bbba80244121c7ff44b3c4425292d3
SHA256: c91b33406d00fdedeebd6ce809a612df96b5cea7835c2c13061498c6960d76e3
SHA512: 2b0ee57fdd1f77cb54f657fbea8637f040bba3728916f7e376e9f465ecca70e52dc9296c185908b9a37760812f85962b323bfcc7acdb74563cb45b089e8c0f19
Malware Config
Signatures

Blocklisted process makes network request (17 IoCs)
Processes: wscript.exe
  flow  pid   process
  5     1392  wscript.exe
  6     1392  wscript.exe
  7     1392  wscript.exe
  9     1392  wscript.exe
  10    1392  wscript.exe
  11    1392  wscript.exe
  13    1392  wscript.exe
  14    1392  wscript.exe
  15    1392  wscript.exe
  17    1392  wscript.exe
  18    1392  wscript.exe
  19    1392  wscript.exe
  21    1392  wscript.exe
  22    1392  wscript.exe
  23    1392  wscript.exe
  25    1392  wscript.exe
  26    1392  wscript.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
  description                   ioc                                                                                         process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YRGH009QA.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YRGH009QA.js  wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run  (wscript.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Q0K8KAC1S1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YRGH009QA.js\""  (wscript.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
  description                        pid   process      target process
  PID 1392 wrote to memory of 1620   1392  wscript.exe  schtasks.exe
  PID 1392 wrote to memory of 1620   1392  wscript.exe  schtasks.exe
  PID 1392 wrote to memory of 1620   1392  wscript.exe  schtasks.exe
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\YRGH009QA.js
  PID: 1392
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\YRGH009QA.js
    PID: 1620
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1392-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp (Filesize: 8KB)