Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 15-10-2020 14:17
Static task: static1

Behavioral task: behavioral1
Sample: InstallSlimPDFReader.js
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: InstallSlimPDFReader.js
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: InstallSlimPDFReader.js
Size: 552KB
MD5: 3e3c515ce53a1aedb1fe7e8689f2cd39
SHA1: 17b761826748ac4c63232f227d529b59323864d0
SHA256: ef487da7a8301df9dca1e74c58433912fca910fb06bc4c941e4c756ce5ff0712
SHA512: f786aebec2f7f31ca0a4b8d3d3dcad2dc3a5d2405d9a5c8f43aab84145d8a52978ee5861d048d49193bcc5c543d641ea8aeb486a4703ce9d746676a3ff579a13
Score: 10/10
Malware Config
Signatures
Blacklisted process makes network request (21 IoCs)
flow | pid | Process
7 | 3924 | wscript.exe
9 | 3924 | wscript.exe
14 | 3924 | wscript.exe
15 | 3924 | wscript.exe
16 | 3924 | wscript.exe
17 | 3924 | wscript.exe
18 | 3924 | wscript.exe
19 | 3924 | wscript.exe
20 | 3924 | wscript.exe
21 | 3924 | wscript.exe
22 | 3924 | wscript.exe
23 | 3924 | wscript.exe
24 | 3924 | wscript.exe
25 | 3924 | wscript.exe
26 | 3924 | wscript.exe
27 | 3924 | wscript.exe
28 | 3924 | wscript.exe
29 | 3924 | wscript.exe
30 | 3924 | wscript.exe
31 | 3924 | wscript.exe
32 | 3924 | wscript.exe
Executes dropped EXE (1 IoC)
pid | Process
2812 | kl-plugin.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js | wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | ip-api.com
Kills process with taskkill (1 IoC)
pid | Process
2460 | taskkill.exe
Script User-Agent (19 IoCs)
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header
flows: 9, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31
ioc (identical in all 19 flows): WSHRAT|1236D52C|GOHCSFBB|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 15/10/2020|JavaScript-v2.0|NL:Netherlands
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2460 | taskkill.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2812 | kl-plugin.exe
2812 | kl-plugin.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3984 wrote to memory of 3924 | 3984 | wscript.exe | 71
PID 3984 wrote to memory of 3924 | 3984 | wscript.exe | 71
PID 3924 wrote to memory of 2184 | 3924 | wscript.exe | 78
PID 3924 wrote to memory of 2184 | 3924 | wscript.exe | 78
PID 2184 wrote to memory of 2460 | 2184 | cmd.exe | 80
PID 2184 wrote to memory of 2460 | 2184 | cmd.exe | 80
PID 3924 wrote to memory of 2812 | 3924 | wscript.exe | 81
PID 3924 wrote to memory of 2812 | 3924 | wscript.exe | 81
PID 3924 wrote to memory of 2812 | 3924 | wscript.exe | 81
Processes
Image: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\InstallSlimPDFReader.js
  PID: 3984
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Image: C:\Windows\System32\wscript.exe (child of PID 3984)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\InstallSlimPDFReader.js"
    PID: 3924
    - Blacklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Image: C:\Windows\system32\cmd.exe (child of PID 3924)
      Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
      PID: 2184
      - Suspicious use of WriteProcessMemory
      Image: C:\Windows\system32\taskkill.exe (child of PID 2184)
        Command line: taskkill /F /IM kl-plugin.exe
        PID: 2460
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    Image: C:\Users\Admin\AppData\Roaming\kl-plugin.exe (child of PID 3924)
      Command line: "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" blackid-43205.portmap.io 1118 "WSHRAT|1236D52C|GOHCSFBB|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 15/10/2020|JavaScript-v2.0|NL:Netherlands" 1
      PID: 2812
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx