Analysis
  max time kernel:   146s
  max time network:  149s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         26-02-2021 08:13
Static task:      static1
Behavioral task:  behavioral1
  Sample:         Detalles Del Comparendo Por La CTE.js
  Resource:       win7v20201028
Behavioral task:  behavioral2
  Sample:         Detalles Del Comparendo Por La CTE.js
  Resource:       win10v20201028
General
  Target:  Detalles Del Comparendo Por La CTE.js
  Size:    658KB
  MD5:     d6e145e5a98669b41b35b1ecda1d96a6
  SHA1:    bef627ba2e04899013ad2732d26d262453477c3f
  SHA256:  76f0269fadaf8730fa587c38fc72fda6ecdb1949894161dc6fdc69b5bba05ca9
  SHA512:  9506af2f6dc2ff9e6c50b5658bcdb27ccea5184bed8eac37005db20908dd332e006e78ffa2d4cd99acb3d3e59aa326b04f2cf28f39f1074edccd0a99b79f91d7
Malware Config
Signatures

Blocklisted process makes network request (15 IoCs)
Processes: wscript.exe
  flow  pid  process
  9     984  wscript.exe
  12    984  wscript.exe
  18    984  wscript.exe
  23    984  wscript.exe
  24    984  wscript.exe
  25    984  wscript.exe
  26    984  wscript.exe
  27    984  wscript.exe
  28    984  wscript.exe
  29    984  wscript.exe
  30    984  wscript.exe
  31    984  wscript.exe
  32    984  wscript.exe
  33    984  wscript.exe
  34    984  wscript.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
  description: File opened for modification
    ioc:     C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Detalles Del Comparendo Por La CTE.js
    process: wscript.exe
  description: File created
    ioc:     C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Detalles Del Comparendo Por La CTE.js
    process: wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wscript.exe
  description: Key created
    ioc:     \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\software\microsoft\windows\currentversion\run
    process: wscript.exe
  description: Set value (str)
    ioc:     \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Detalles Del Comparendo Por La CTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Detalles Del Comparendo Por La CTE.js\""
    process: wscript.exe
  description: Key created
    ioc:     \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
    process: wscript.exe
  description: Set value (str)
    ioc:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Detalles Del Comparendo Por La CTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Detalles Del Comparendo Por La CTE.js\""
    process: wscript.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  8     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (14 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description              flow  ioc
  HTTP User-Agent header   18    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   23    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   25    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   30    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   27    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   28    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   12    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   24    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   31    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   33    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   26    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   29    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   32    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
  HTTP User-Agent header   34    WSHRAT|22B2BC15|EWYCRADZ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands