Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-06-2022 17:17
Static task: static1

Behavioral task: behavioral1
- Sample: js-decoded-2.js
- Resource: win7-20220414-en
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: js-decoded-2.js
- Resource: win10v2004-20220414-en
- 0 signatures, 0 seconds
General
- Target: js-decoded-2.js
- Size: 3KB
- MD5: 6f97e89ac83c12f2dd74e2577da3544c
- SHA1: 926677b800daec16a90d495ba5491fd3e7b136b9
- SHA256: dd8ae86a69f6a09889c54b29dc299bf10ecb551f809c1fac1eeba97e3f37ae12
- SHA512: e5f194d774b2ee9f8ee68ea418b531eadd21990e7c8d93970d07c408965753528fe9f02219a1f84dfa064ef76e3655ae6adf5eb6d1302fca66d0f9d3aae97790
- Score: 10/10
Malware Config
Signatures
-
Blocklisted process makes network request (17 IoCs)
Processes: wscript.exe

flow  pid   process
4     2004  wscript.exe
11    2004  wscript.exe
18    2004  wscript.exe
20    2004  wscript.exe
27    2004  wscript.exe
29    2004  wscript.exe
35    2004  wscript.exe
38    2004  wscript.exe
39    2004  wscript.exe
40    2004  wscript.exe
43    2004  wscript.exe
44    2004  wscript.exe
45    2004  wscript.exe
46    2004  wscript.exe
47    2004  wscript.exe
48    2004  wscript.exe
49    2004  wscript.exe
Drops startup file (2 IoCs)
Processes: wscript.exe

description                   ioc                                                                                                   process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js-decoded-2.js         wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\js-decoded-2.js         wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe

description      ioc                                                                                                                                                                                                          process
Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                   wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\js-decoded-2.js\""                        wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.