Analysis
- max time kernel: 138s
- max time network: 138s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 04:28
Static task: static1
Behavioral task: behavioral1
- Sample: sample.js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: sample.js
- Resource: win10v20210410
General
- Target: sample.js
- Size: 910KB
- MD5: 883fa46edf3dfc3d4160faa2704c828e
- SHA1: 27163d08ca6d045bd9a377cf6e7908c48f986caa
- SHA256: fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8
- SHA512: dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09
Malware Config
Signatures
- Blocklisted process makes network request (13 IoCs)
Processes: wscript.exe
flow  pid   process
6     1740  wscript.exe
8     1740  wscript.exe
9     1740  wscript.exe
10    1740  wscript.exe
12    1740  wscript.exe
13    1740  wscript.exe
14    1740  wscript.exe
16    1740  wscript.exe
17    1740  wscript.exe
18    1740  wscript.exe
20    1740  wscript.exe
21    1740  wscript.exe
22    1740  wscript.exe
- Drops startup file (2 IoCs)
Processes: wscript.exe, wscript.exe
description                   process      ioc
File created                  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js
File opened for modification  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js
- Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe, wscript.exe
description      process      ioc
Set value (str)  wscript.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""
Key created      wscript.exe  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run
Set value (str)  wscript.exe  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""
Key created      wscript.exe  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
Set value (str)  wscript.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""
Key created      wscript.exe  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run
Set value (str)  wscript.exe  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\sample = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""
Key created      wscript.exe  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
5     ip-api.com
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (12 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description: HTTP User-Agent header
flows: 8, 9, 10, 12, 13, 14, 16, 17, 18, 20, 21, 22
ioc (identical in all 12 flows): WSHRAT|58B980FB|MRBKYMNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 21/4/2021|JavaScript-v3.3|NL:Netherlands
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
description                       pid   process      target process
PID 1996 wrote to memory of 1740  1996  wscript.exe  wscript.exe
PID 1996 wrote to memory of 1740  1996  wscript.exe  wscript.exe
PID 1996 wrote to memory of 1740  1996  wscript.exe  wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\wscript.exe
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sample.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js
  MD5: 883fa46edf3dfc3d4160faa2704c828e
  SHA1: 27163d08ca6d045bd9a377cf6e7908c48f986caa
  SHA256: fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8
  SHA512: dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09
- C:\Users\Admin\AppData\Roaming\sample.js
  MD5: 883fa46edf3dfc3d4160faa2704c828e
  SHA1: 27163d08ca6d045bd9a377cf6e7908c48f986caa
  SHA256: fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8
  SHA512: dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09
- memory/1740-59-0x0000000000000000-mapping.dmp