Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 09:12

General

  • Target

    OCOLZ552720.js

  • Size

    195KB

  • MD5

    86f5e65bcc64e04ba7946d8071f213b1

  • SHA1

    403129cb5514917a278e91e0643f852964912c03

  • SHA256

    ba68c2acc5b4ce72444fd74f4dab6661bad90e865b0992d5ff9bb4afe32f3557

  • SHA512

    8580b921516571a57edcf22de46be1b938167a19278fa1f2eb3de6994198a9d6e3d305f18dfe1ed8e293c2ab0ffb2464a5788756c3be3fd02cb352b5af3d691d

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\OCOLZ552720.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bwkbv.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SYSTEM32\wscript.exe
        wscript C:\Users\Admin\fquimaihdd.js
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
            "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\rtwfngte.txt"
            5⤵
            • Drops startup file
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4024
            • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
              "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:3108
              • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
                "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
                7⤵
                • Loads dropped DLL
                • Adds Run key to start application
                PID:2100
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3060
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:612
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4048
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3892
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1348
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1320
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
                  8⤵
                    PID:804
              • C:\Windows\SYSTEM32\cmd.exe
                cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:188
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
                  7⤵
                  • Creates scheduled task(s)
                  PID:2180
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
      1⤵
        PID:2196

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        MD5

        29d27d3eb502ab954775fdd49198a60c

        SHA1

        26d8acd31bf7b6c59b7d56bfba0da8e5f74f895e

        SHA256

        a40eccf26e7768d4bdc79aa815b5167b10e9ab81905b6b5f8d331a3570efc9a1

        SHA512

        8d1d83424caed8074a1313b70f8297837111292ab182f53171700ddf4098669120b882f8361d9a22bcb49106e24f3c3c116c845c791c90f8486a28590889af39

      • C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5665664333553481247.dll

        MD5

        e02979ecd43bcc9061eb2b494ab5af50

        SHA1

        3122ac0e751660f646c73b10c4f79685aa65c545

        SHA256

        a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

        SHA512

        1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

      • C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna8825707140264237711.dll

        MD5

        e02979ecd43bcc9061eb2b494ab5af50

        SHA1

        3122ac0e751660f646c73b10c4f79685aa65c545

        SHA256

        a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

        SHA512

        1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\83aa4cc77f591dfc2374580bbd95f6ba_4a1d5b5d-6336-41a4-a4da-b4af65e6deff

        MD5

        c8366ae350e7019aefc9d1e6e6a498c6

        SHA1

        5731d8a3e6568a5f2dfbbc87e3db9637df280b61

        SHA256

        11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

        SHA512

        33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

      • C:\Users\Admin\AppData\Roaming\bwkbv.txt

        MD5

        8c8bd4c98378cbfd170cef3fea63ad10

        SHA1

        289800651479f0f5180c2bd85330933cd84d9f55

        SHA256

        e0384f56f6db64896fbc40b41f82e2559abf10880fd618677867c23d45ab003c

        SHA512

        95cb754afd2e61f8849b640c14ee1940667d29f6cf215664c17e3206ad58e236ccea2cc0070f9d2246b92257db5361804053f30f2a9dd25ad39cbc0f0f9bd163

      • C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

        MD5

        acfb5b5fd9ee10bf69497792fd469f85

        SHA1

        0e0845217c4907822403912ad6828d8e0b256208

        SHA256

        b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

        SHA512

        e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

      • C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

        MD5

        2f4a99c2758e72ee2b59a73586a2322f

        SHA1

        af38e7c4d0fc73c23ecd785443705bfdee5b90bf

        SHA256

        24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

        SHA512

        b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

      • C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

        MD5

        b33387e15ab150a7bf560abdc73c3bec

        SHA1

        66b8075784131f578ef893fd7674273f709b9a4c

        SHA256

        2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

        SHA512

        25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

      • C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

        MD5

        e1aa38a1e78a76a6de73efae136cdb3a

        SHA1

        c463da71871f780b2e2e5dba115d43953b537daf

        SHA256

        2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

        SHA512

        fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

      • C:\Users\Admin\AppData\Roaming\plugins.jar

        MD5

        0414a9d9911fa094e029be12bf629f6b

        SHA1

        987e79d11e4240c387d3009894f8f29dbfb3c940

        SHA256

        98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

        SHA512

        0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

      • C:\Users\Admin\AppData\Roaming\rtwfngte.txt

        MD5

        0414a9d9911fa094e029be12bf629f6b

        SHA1

        987e79d11e4240c387d3009894f8f29dbfb3c940

        SHA256

        98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

        SHA512

        0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

      • C:\Users\Admin\AppData\Roaming\rtwfngte.txt

        MD5

        0414a9d9911fa094e029be12bf629f6b

        SHA1

        987e79d11e4240c387d3009894f8f29dbfb3c940

        SHA256

        98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

        SHA512

        0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

      • C:\Users\Admin\fquimaihdd.js

        MD5

        b544135c8bde6ae3eb47f3fffab790e0

        SHA1

        127e34ec41a98affd2c3ca2e6c51aa9678363771

        SHA256

        88917bfabede7854485f688d3b0e1f3fa49e49cd4935b58df0bca5e9c975ecd5

        SHA512

        df0448ac0e1353401222a29ef4f30bb40f2dd0583b2d8101f6f7d725b25636d3b6f9c51d452627d06dcc704ab7c872c9c46c469431b4952db1402d29843aeffc

      • C:\Users\Admin\lib\jna-5.5.0.jar

        MD5

        acfb5b5fd9ee10bf69497792fd469f85

        SHA1

        0e0845217c4907822403912ad6828d8e0b256208

        SHA256

        b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

        SHA512

        e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

      • C:\Users\Admin\lib\jna-platform-5.5.0.jar

        MD5

        2f4a99c2758e72ee2b59a73586a2322f

        SHA1

        af38e7c4d0fc73c23ecd785443705bfdee5b90bf

        SHA256

        24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

        SHA512

        b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

      • C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

        MD5

        b33387e15ab150a7bf560abdc73c3bec

        SHA1

        66b8075784131f578ef893fd7674273f709b9a4c

        SHA256

        2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

        SHA512

        25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

      • C:\Users\Admin\lib\system-hook-3.5.jar

        MD5

        e1aa38a1e78a76a6de73efae136cdb3a

        SHA1

        c463da71871f780b2e2e5dba115d43953b537daf

        SHA256

        2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

        SHA512

        fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

      • C:\Users\Admin\rtwfngte.txt

        MD5

        0414a9d9911fa094e029be12bf629f6b

        SHA1

        987e79d11e4240c387d3009894f8f29dbfb3c940

        SHA256

        98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

        SHA512

        0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

      • \Users\Admin\AppData\Local\Temp\jna-63116079\jna5665664333553481247.dll

        MD5

        e02979ecd43bcc9061eb2b494ab5af50

        SHA1

        3122ac0e751660f646c73b10c4f79685aa65c545

        SHA256

        a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

        SHA512

        1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

      • \Users\Admin\AppData\Local\Temp\jna-63116079\jna7766916446325736793.dll

        MD5

        e02979ecd43bcc9061eb2b494ab5af50

        SHA1

        3122ac0e751660f646c73b10c4f79685aa65c545

        SHA256

        a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

        SHA512

        1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

      • \Users\Admin\AppData\Local\Temp\jna-63116079\jna8825707140264237711.dll

        MD5

        e02979ecd43bcc9061eb2b494ab5af50

        SHA1

        3122ac0e751660f646c73b10c4f79685aa65c545

        SHA256

        a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

        SHA512

        1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

      • memory/188-54-0x0000000000000000-mapping.dmp

      • memory/612-84-0x0000000000000000-mapping.dmp

      • memory/804-95-0x0000000000000000-mapping.dmp

      • memory/1320-94-0x0000000000000000-mapping.dmp

      • memory/1348-92-0x0000000000000000-mapping.dmp

      • memory/2100-72-0x0000000000000000-mapping.dmp

      • memory/2180-58-0x0000000000000000-mapping.dmp

      • memory/2196-93-0x0000000000000000-mapping.dmp

      • memory/2612-2-0x0000000000000000-mapping.dmp

      • memory/2756-7-0x0000000000000000-mapping.dmp

      • memory/3060-80-0x0000000000000000-mapping.dmp

      • memory/3108-55-0x0000000000000000-mapping.dmp

      • memory/3244-5-0x0000000000000000-mapping.dmp

      • memory/3892-91-0x0000000000000000-mapping.dmp

      • memory/4024-39-0x0000000000000000-mapping.dmp

      • memory/4048-90-0x0000000000000000-mapping.dmp