Analysis
- max time kernel: 140s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 06:47

Static task: static1

Behavioral task: behavioral1
- Sample: FYI Jan2021.js
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: FYI Jan2021.js
- Resource: win10v20201028

General
- Target: FYI Jan2021.js
- Size: 179KB
- MD5: cc6b06080d6ed3d480da394b0ed1c502
- SHA1: 5a5842f4441de74004240970524830ef82ecc0db
- SHA256: b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1
- SHA512: f97e556ff60622c8ae5843285f2365b0be975c9d9a04c413dafdabfbe9a7bc293a3cb455ba3d14a1fd09fe8e35ddaf7f40a94f9c5a173f9a7475171d02b83392
Malware Config
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes: wscript.exe
  flow | pid  | process
  6    | 2008 | wscript.exe
  8    | 2008 | wscript.exe
  9    | 2008 | wscript.exe
  10   | 2008 | wscript.exe
  12   | 2008 | wscript.exe
  13   | 2008 | wscript.exe
  14   | 2008 | wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js | wscript.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\software\microsoft\windows\currentversion\run | wscript.exe
- JavaScript code in executable (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\FYI Jan2021.js | js
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js | js
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5    | ip-api.com
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 644 wrote to memory of 2008 | 644 | wscript.exe | wscript.exe
  PID 644 wrote to memory of 2008 | 644 | wscript.exe | wscript.exe
  PID 644 wrote to memory of 2008 | 644 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\FYI Jan2021.js"
  PID: 644
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child of PID 644)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FYI Jan2021.js"
    PID: 2008
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\FYI Jan2021.js
  MD5: cc6b06080d6ed3d480da394b0ed1c502
  SHA1: 5a5842f4441de74004240970524830ef82ecc0db
  SHA256: b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1
  SHA512: f97e556ff60622c8ae5843285f2365b0be975c9d9a04c413dafdabfbe9a7bc293a3cb455ba3d14a1fd09fe8e35ddaf7f40a94f9c5a173f9a7475171d02b83392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js
  MD5: cc6b06080d6ed3d480da394b0ed1c502
  SHA1: 5a5842f4441de74004240970524830ef82ecc0db
  SHA256: b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1
  SHA512: f97e556ff60622c8ae5843285f2365b0be975c9d9a04c413dafdabfbe9a7bc293a3cb455ba3d14a1fd09fe8e35ddaf7f40a94f9c5a173f9a7475171d02b83392
- memory/644-4-0x0000000002540000-0x0000000002544000-memory.dmp
  Filesize: 16KB
- memory/728-6-0x000007FEF7300000-0x000007FEF757A000-memory.dmp
  Filesize: 2.5MB
- memory/2008-2-0x0000000000000000-mapping.dmp