Analysis
max time kernel: 873s
max time network: 889s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 09-01-2025 16:47
Static task: static1
Behavioral task: behavioral1
Sample: sus.js
Resource: win10ltsc2021-20241211-en
General
Target: sus.js
Size: 5KB
MD5: 5ffa64bc687da9b568eaaca857db1a1f
SHA1: 5593dcbaee25124b49a9bd76a491c53cefb54acb
SHA256: f494422ec0931062c6fd39171b0363299073cb78b18209b11fe36f1c3065f8d6
SHA512: 5ec4704d2da3c221d8dcf4df7adb2845e1ccafce689d33141c3bbd8bd702355e71fc91e9e5b5c2f763c6b76c05f33c401004d085608147dd720da31db834399a
SSDEEP: 96:SABNo5DRk2c24ZRMHXE6/BI0w+Ys+fJrDdQqR7bJyKIROS4Uu/ingHXRZfzYMe/d:zSa2c24ZRMlBI0TYs+fJXfRfNJingHXm
Malware Config
Signatures
Vjw0rm family
Blocklisted process makes network request 32 IoCs
All 32 flows originate from wscript.exe (PID 2496); flow IDs: 7, 33, 46, 60, 61, 68, 76, 77, 78, 86, 87, 90, 96, 97, 101, 102, 112, 113, 114, 115, 116, 117, 118, 120, 121, 123, 124, 125, 127, 128, 129, 131
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file 1 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sus.js (wscript.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\M3T1JCIFSQ = "C:\Users\Public\sus.js" (wscript.exe; the value data includes the surrounding quotes)
The Run value and the scheduled task below both launch C:\Users\Public\sus.js, so the sample persists three ways (Startup folder copy, Run key, scheduled task); this report lists no file-create event for the C:\Users\Public path itself.
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 556 schtasks.exe
Suspicious use of WriteProcessMemory 2 IoCs
PID 2496 (wscript.exe) wrote to memory of PID 556 (schtasks.exe), procid_target 91; the two entries are identical. The target is the schtasks.exe child that wscript.exe itself spawned (see the process tree), so this is consistent with ordinary parent-to-child writes at process creation rather than injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\sus.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2496
  C:\Windows\System32\schtasks.exe (child of 2496)
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Public\sus.js
    - Scheduled Task/Job: Scheduled Task
    PID:556
    The task is named "Skype", fires every 30 minutes (/sc minute /mo 30), and its action is the .js file itself, so it relies on the host's .js file association to start a script host.
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=1912,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8
  PID:2284
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3736,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
  PID:2084
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4376,i,818110668446499479,16931387444156440193,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:8
  PID:4556
The three msedge.exe utility processes are separate top-level processes in the sandbox session, not children of wscript.exe, and carry no signature hits.
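The persistence chain in the signatures and process tree above (script host spawning schtasks.exe, a .js dropped into the Startup folder, a Run value pointing at a script) is what an endpoint detection would key on. The following is an added example, not part of the sandbox report: three rules run over constructed Sysmon-style event records (Event ID 1 process create, 11 file create, 13 registry value set) shaped after the IoCs in this report. The field names follow Sysmon's (Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details, ProcessId); the event values are constructed here, including two benign events added as negatives. The geofence check is a registry value read, which Sysmon does not record, so it is not covered by these rules.

```python
"""Detect the Vjw0rm-style persistence chain in Sysmon-like events (added example)."""
import re

# Sysmon event IDs used below
PROCESS_CREATE, FILE_CREATE, REGISTRY_SET = 1, 11, 13

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCHTASKS_TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
SCHTASKS_TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)


def basename(path):
    """File-name component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def first_path(cmd):
    """Program path at the start of a command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def detect(events):
    """Return one hit dict per event that matches a persistence rule."""
    hits = []
    for e in events:
        eid, image = e["EventID"], basename(e.get("Image", ""))
        if (eid == PROCESS_CREATE and image == "schtasks.exe"
                and basename(e.get("ParentImage", "")) in SCRIPT_HOSTS):
            # Rule 1: a script host creates a scheduled task (the /tr target is the payload)
            cl = e.get("CommandLine", "")
            m = SCHTASKS_TR_RE.search(cl)
            if re.search(r"/create\b", cl, re.I) and m:
                # strip('"') also copes with a truncated, unterminated quote in the log
                target = (m.group(1) or m.group(2)).strip('"')
                tn = SCHTASKS_TN_RE.search(cl)
                hits.append({"rule": "script_host_schtasks", "pid": e["ProcessId"],
                             "ioc": target, "task": tn.group(1) if tn else None})
        elif eid == FILE_CREATE and image in SCRIPT_HOSTS:
            # Rule 2: a script host writes a script into the per-user Startup folder
            tf = e.get("TargetFilename", "")
            if STARTUP_DIR_RE.search(tf) and SCRIPT_EXT_RE.search(tf):
                hits.append({"rule": "startup_folder_script", "pid": e["ProcessId"], "ioc": tf})
        elif eid == REGISTRY_SET and RUN_KEY_RE.search(e.get("TargetObject", "")):
            # Rule 3: any Run/RunOnce value whose program is a script file
            target = first_path(e.get("Details", ""))
            if SCRIPT_EXT_RE.search(target):
                hits.append({"rule": "run_key_script", "pid": e["ProcessId"], "ioc": target,
                             "value": e["TargetObject"].rsplit("\\", 1)[-1]})
    return hits


# Constructed sample telemetry modelled on the report's IoCs (not sandbox output).
SID = r"S-1-5-21-1411052346-3904498293-150013998-1000"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2496, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\sus.js"},
    {"EventID": 11, "ProcessId": 2496, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sus.js"},
    {"EventID": 13, "ProcessId": 2496, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\M3T1JCIFSQ",
     "Details": r'"C:\Users\Public\sus.js"'},
    {"EventID": 1, "ProcessId": 556, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "ParentProcessId": 2496,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Public\sus.js"'},
    # Benign negatives: a browser utility process and a Run value that points at an .exe
    {"EventID": 1, "ProcessId": 2284, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=utility"},
    {"EventID": 13, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, the three rules fire once each (Startup folder drop, Run value, schtasks /create) on PIDs 2496 and 556 and stay silent on the Edge and OneDrive events. In production the same logic would sit in a SIEM query keyed on the parent image rather than in Python; the point is that each rule needs only one event and no sandbox context.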
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): JavaScript (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)