Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-03-2021 22:40
Static task
static1
Behavioral task
behavioral1
Sample
Finanzierung.js
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Finanzierung.js
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
Finanzierung.js
-
Size
179KB
-
MD5
0bc9b5360f88fc7228a93b15ac0a879a
-
SHA1
f1dd1957da7d8fd715bdcd5ce3579c30bd727e88
-
SHA256
262329afc152fa7205598cc6e67751a7b0634e65d2c15cbdb3d4da377a2408c1
-
SHA512
a44bd6b7e4c57b7784c96f8f0176d000a330f413b96f3dfe9221368fce37e28814d5aa8034ccfa0918348cfb174269afe94037a14301b9836e11ad119160cc45
Score
10/10
Malware Config
Signatures
-
WSHRAT Payload 2 IoCs
resource yara_rule behavioral1/files/0x00040000000130fd-3.dat family_wshrat behavioral1/files/0x00040000000130fe-5.dat family_wshrat -
Blocklisted process makes network request 42 IoCs
flow pid Process 3 2008 wscript.exe 4 872 wscript.exe 9 872 wscript.exe 10 872 wscript.exe 11 872 wscript.exe 12 872 wscript.exe 13 872 wscript.exe 14 872 wscript.exe 15 872 wscript.exe 17 872 wscript.exe 18 872 wscript.exe 19 872 wscript.exe 20 872 wscript.exe 21 872 wscript.exe 22 872 wscript.exe 24 872 wscript.exe 25 872 wscript.exe 26 872 wscript.exe 27 872 wscript.exe 28 872 wscript.exe 29 872 wscript.exe 31 872 wscript.exe 32 872 wscript.exe 33 872 wscript.exe 34 872 wscript.exe 35 872 wscript.exe 36 872 wscript.exe 38 872 wscript.exe 39 872 wscript.exe 40 872 wscript.exe 41 872 wscript.exe 42 872 wscript.exe 43 872 wscript.exe 45 872 wscript.exe 46 872 wscript.exe 47 872 wscript.exe 48 872 wscript.exe 49 872 wscript.exe 50 872 wscript.exe 52 872 wscript.exe 53 872 wscript.exe 54 872 wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Finanzierung.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Finanzierung.js wscript.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Finanzierung = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Finanzierung.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Finanzierung = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Finanzierung.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Finanzierung = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Finanzierung.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Finanzierung = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Finanzierung.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\software\microsoft\windows\currentversion\run wscript.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2008 wrote to memory of 872 2008 wscript.exe 30 PID 2008 wrote to memory of 872 2008 wscript.exe 30 PID 2008 wrote to memory of 872 2008 wscript.exe 30
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Finanzierung.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Finanzierung.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:872
-