Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 26-02-2021 08:13
Static task: static1
Behavioral task: behavioral1
  Sample: Detalles Del Comparendo Por La CTE.js
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Detalles Del Comparendo Por La CTE.js
  Resource: win10v20201028
General
Target: Detalles Del Comparendo Por La CTE.js
Size: 658KB
MD5: d6e145e5a98669b41b35b1ecda1d96a6
SHA1: bef627ba2e04899013ad2732d26d262453477c3f
SHA256: 76f0269fadaf8730fa587c38fc72fda6ecdb1949894161dc6fdc69b5bba05ca9
SHA512: 9506af2f6dc2ff9e6c50b5658bcdb27ccea5184bed8eac37005db20908dd332e006e78ffa2d4cd99acb3d3e59aa326b04f2cf28f39f1074edccd0a99b79f91d7
Malware Config
Signatures
-
Blocklisted process makes network request (15 IoCs)
Process: wscript.exe (PID 1724)
Network flows: 6, 8, 9, 10, 12, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25
Drops startup file (2 IoCs)
Process: wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Detalles Del Comparendo Por La CTE.js
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Detalles Del Comparendo Por La CTE.js
Adds Run key to start application (2 TTPs, 4 IoCs)
Process: wscript.exe
  Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\software\microsoft\windows\currentversion\run
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Detalles Del Comparendo Por La CTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Detalles Del Comparendo Por La CTE.js\""
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Detalles Del Comparendo Por La CTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Detalles Del Comparendo Por La CTE.js\""
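The two persistence mechanisms recorded above (a copy in the per-user Startup folder, plus Run values under both HKU and HKLM that launch the %TEMP% copy with `wscript.exe //B`, the batch-mode switch that suppresses script errors and prompts) share a pattern a host triage script can look for: a Windows Script Host binary, a script file extension, and a user-writable path in an autostart location. The following is an added example, not part of the sandbox report or of the sample; the Run values and Startup entries are constructed from the report's own IoCs with two benign entries added as controls, and the regexes and path list are the author's assumptions.

```python
"""Flag Run-key values and Startup-folder entries that launch scripts via a
Windows Script Host. Added example; inputs are constructed, not collected."""
import re
from typing import Dict, List

# Constructed input: (key, value name, value data), as a .reg export or a host
# scan would yield them. The first two mirror the report's IoCs; the last two
# are benign controls that the filter must ignore.
SAMPLE_RUN_VALUES = [
    (r"HKU\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "Detalles Del Comparendo Por La CTE",
     r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\Detalles Del Comparendo Por La CTE.js"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Detalles Del Comparendo Por La CTE",
     r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\Detalles Del Comparendo Por La CTE.js"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKU\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Constructed Startup-folder listing: the report's dropped file plus a benign control.
SAMPLE_STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Detalles Del Comparendo Por La CTE.js",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

# Indicators (author's choices, not an exhaustive list).
SCRIPT_HOSTS = re.compile(r'(?:^|[\\\s"])(wscript|cscript|mshta)(?:\.exe)?\b', re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)
SILENT_FLAG = re.compile(r"(?:^|\s)//B\b", re.I)   # WSH batch mode: no error dialogs


def check_run_value(data: str) -> List[str]:
    """Return the reasons a Run value is suspicious; empty list means benign.
    Location and the //B switch only count once a script indicator is present,
    so ordinary AppData-resident executables (OneDrive etc.) are not flagged."""
    reasons = []
    if SCRIPT_HOSTS.search(data):
        reasons.append("Windows Script Host launched from Run key")
    if SCRIPT_EXT.search(data):
        reasons.append("script file as autostart target")
    if not reasons:
        return []
    if SILENT_FLAG.search(data):
        reasons.append("//B suppresses script errors and prompts")
    if USER_WRITABLE.search(data):
        reasons.append("target lives in a user-writable location")
    return reasons


def scan(run_values, startup_files) -> List[Dict[str, object]]:
    """Apply the Run-key check and a Startup-folder extension check."""
    hits: List[Dict[str, object]] = []
    for key, name, data in run_values:
        reasons = check_run_value(data)
        if reasons:
            hits.append({"where": key + "\\" + name, "data": data, "reasons": reasons})
    for path in startup_files:
        if SCRIPT_EXT.search(path):
            hits.append({"where": path, "data": "", "reasons": ["script dropped in Startup folder"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES):
        print(hit["where"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On a live host the same checks would be fed from `reg query` / `Get-ItemProperty` output for both the HKLM and every loaded HKU hive, since the sample wrote to both, and from a listing of each user's Startup folder.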
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 5: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but that label does not fit this sample: the beacon User-Agent below identifies it as WSHRAT, a Windows Script Host RAT known to copy itself to removable drives, so drive enumeration here is more consistent with that spreading routine than with encryption. No file-encryption activity is recorded elsewhere in this report.
-
Script User-Agent (14 IoCs)
Uses user-agent string associated with script host/environment.
HTTP User-Agent header (identical in flows 8, 9, 10, 12, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25):
  WSHRAT|80120786|EIDQHRRL|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands
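The User-Agent above is not a browser string but a pipe-delimited victim beacon: ten fields that, read against the rest of this report, carry the family tag, an identifier, the sandbox hostname and the `Admin` user seen in the file paths, the OS, the literal `plus`, an antivirus field (`nan-av` is commonly read as "no AV found"), a flag joined to the infection date, the implant version and the geolocated country. That makes it a high-confidence network detection, and the ip-api.com lookup from flow 5 a useful supporting one. The following is an added example, not part of the report: a parser for the beacon and a scan over constructed proxy log lines. The field names are the author's interpretation, not a published specification, and the C2 hostname in the sample log is a placeholder, since this report excerpt does not show the real destination.

```python
"""Parse the WSHRAT beacon User-Agent and flag it, together with external IP
lookups, in proxy logs. Added example; the log lines are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Author's reading of the ten pipe-separated fields (interpretation, not a spec).
FIELDS = ["family", "id", "hostname", "username", "os", "plus",
          "antivirus", "flag_and_date", "version", "country"]

# Constructed proxy log: "<timestamp> <client> <method> <url> "<user-agent>"".
# Line 2 carries the report's beacon verbatim; its destination is a placeholder.
SAMPLE_LOG = """\
2021-02-26T08:15:02Z 10.0.0.12 GET http://ip-api.com/json/ "Mozilla/4.0 (compatible; placeholder)"
2021-02-26T08:15:04Z 10.0.0.12 POST http://c2.example.invalid/ "WSHRAT|80120786|EIDQHRRL|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/2/2021|JavaScript-v3.3|NL:Netherlands"
2021-02-26T08:15:09Z 10.0.0.33 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
IP_LOOKUP_HOSTS = {"ip-api.com"}   # the service seen in flow 5; extend as needed


def parse_wshrat_ua(ua: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields if the header is a WSHRAT beacon, else None.
    Requires the WSHRAT tag and exactly ten fields so that a browser UA that
    happens to contain a pipe is not misparsed."""
    parts = ua.split("|")
    if len(parts) != len(FIELDS) or parts[0] != "WSHRAT":
        return None
    return {name: value.strip() for name, value in zip(FIELDS, parts)}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Emit one record per matching rule; the beacon hit carries the fields
    an analyst wants for scoping (hostname, user, reported AV, version)."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, ua = m.groups()
        beacon = parse_wshrat_ua(ua)
        if beacon:
            hits.append({"ts": ts, "src": src, "rule": "wshrat_beacon_ua",
                         "hostname": beacon["hostname"], "username": beacon["username"],
                         "antivirus": beacon["antivirus"], "version": beacon["version"]})
        host = urlparse(url).hostname or ""
        if host in IP_LOOKUP_HOSTS:
            hits.append({"ts": ts, "src": src, "rule": "external_ip_lookup", "host": host})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The beacon rule alone is sufficient to confirm an infection; the IP lookup rule is noisy on its own (plenty of legitimate software asks ip-api.com) and is best used to corroborate a beacon hit from the same client within a short window, as flows 5 and 8 are here.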
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1356-2-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp (2.5MB)