Analysis
- max time kernel: 133s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 06:47

Static task: static1

Behavioral task: behavioral1
  Sample: FYI Jan2021.js
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: FYI Jan2021.js
  Resource: win10v20201028
General
- Target: FYI Jan2021.js
- Size: 179KB
- MD5: cc6b06080d6ed3d480da394b0ed1c502
- SHA1: 5a5842f4441de74004240970524830ef82ecc0db
- SHA256: b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1
- SHA512: f97e556ff60622c8ae5843285f2365b0be975c9d9a04c413dafdabfbe9a7bc293a3cb455ba3d14a1fd09fe8e35ddaf7f40a94f9c5a173f9a7475171d02b83392
Malware Config
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes: wscript.exe
    flow | pid  | process
    8    | 1480 | wscript.exe
    10   | 1480 | wscript.exe
    19   | 1480 | wscript.exe
    20   | 1480 | wscript.exe
    21   | 1480 | wscript.exe
    22   | 1480 | wscript.exe
    23   | 1480 | wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
    description                  | ioc                                                                                          | process
    File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js | wscript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js | wscript.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: wscript.exe, wscript.exe
    description     | ioc                                                                                                                                                                                                   | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\"" | wscript.exe
    Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                       | wscript.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\""                                                 | wscript.exe
    Key created     | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\software\microsoft\windows\currentversion\run                                                                                           | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\"" | wscript.exe
    Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                       | wscript.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\""                                                 | wscript.exe
    Key created     | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\software\microsoft\windows\currentversion\run                                                                                           | wscript.exe
- JavaScript code in executable (1 IoC)
  Processes:
    resource                                      | yara_rule
    C:\Users\Admin\AppData\Roaming\FYI Jan2021.js | js
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    7    | ip-api.com
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
    description                     | pid | process     | target process
    PID 576 wrote to memory of 1480 | 576 | wscript.exe | wscript.exe
    PID 576 wrote to memory of 1480 | 576 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\FYI Jan2021.js"
  PID: 576
  Signatures:
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FYI Jan2021.js"
    PID: 1480
    Signatures:
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\FYI Jan2021.js
  MD5: cc6b06080d6ed3d480da394b0ed1c502
  SHA1: 5a5842f4441de74004240970524830ef82ecc0db
  SHA256: b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1
  SHA512: f97e556ff60622c8ae5843285f2365b0be975c9d9a04c413dafdabfbe9a7bc293a3cb455ba3d14a1fd09fe8e35ddaf7f40a94f9c5a173f9a7475171d02b83392
- memory/1480-2-0x0000000000000000-mapping.dmp