Analysis
  max time kernel:   143s
  max time network:  146s
  platform:          windows10_x64
  resource:          win10v20210410
  submitted:         21-04-2021 04:28

Tasks
  Static task      static1
  Behavioral task  behavioral1   Sample: sample.js   Resource: win7v20210410
  Behavioral task  behavioral2   Sample: sample.js   Resource: win10v20210410
General
  Target:  sample.js
  Size:    910KB
  MD5:     883fa46edf3dfc3d4160faa2704c828e
  SHA1:    27163d08ca6d045bd9a377cf6e7908c48f986caa
  SHA256:  fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8
  SHA512:  dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09
Malware Config
Signatures
-
Blocklisted process makes network request (20 IoCs)
Processes: wscript.exe
  flow   pid   process
  9      416   wscript.exe
  11     416   wscript.exe
  21     416   wscript.exe
  23-39  416   wscript.exe   (one entry per flow, 23 through 39: 17 flows)
All 20 flows originate from the same wscript.exe process, pid 416, which is the relaunched copy running from AppData\Roaming (see the process tree below).
Drops startup file (2 IoCs)
Processes: wscript.exe, wscript.exe
  description                   ioc                                                                                    process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js  wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe, wscript.exe
  description      ioc                                                                                              process
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                  wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample =
                   "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""                               wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run   wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\sample =
                   "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\sample.js\""                               wscript.exe
The four operations above are reported once for each of the two wscript.exe processes, which is why the signature counts 8 IoCs. Both the machine-wide (HKLM) and the per-user (HKU\<SID>) Run keys receive a value named "sample" that relaunches the AppData\Roaming copy through wscript.exe; //B is the Windows Script Host batch-mode switch, which suppresses script error dialogs and prompts. The HKLM write succeeded only because the sandbox runs the sample with administrative rights; on a standard-user account the HKLM write fails and only the HKU entry would persist, so a hunt for this persistence should check both hives.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  8     ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text reads "Likely ransomware behaviour", but nothing else in this report (no file encryption, no ransom note, no mass file modification) supports that reading for this sample; the User-Agent header below identifies the family as WSHRAT, a remote-access trojan, so drive enumeration here is more plausibly host profiling or a check for removable media than an encryption pass.
-
Script User-Agent (19 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description             flow                                                                         ioc
  HTTP User-Agent header  11, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39   WSHRAT|A2C56C1C|RJMQBVDN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/4/2021|JavaScript-v3.3|NL:Netherlands
The same header value is sent on all 19 flows, which are the pid 416 flows listed under "Blocklisted process makes network request" (flow 9 is the one request in that list without this header). This is not a browser User-Agent: it is a pipe-delimited host profile that the RAT sends with every beacon. The report does not label the fields, but several are recognisable from the rest of the report: "Admin" is the sandbox user in the file paths above, "Microsoft Windows 10 Enterprise" matches the win10v20210410 resource, "21/4/2021" is the submission date, and "NL:Netherlands" is a geolocation consistent with the ip-api.com lookup in flow 8. "JavaScript-v3.3" reads as a version tag for the script, and "A2C56C1C" and "RJMQBVDN" are most likely a host identifier and the computer name (an interpretation, not stated on the page). For detection, match the fixed "WSHRAT|" prefix and the pipe-delimited structure rather than the per-host values, which change with every victim.
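The two indicators a responder would operationalise from this report are the pipe-delimited WSHRAT beacon in the HTTP User-Agent header (section above) and the wscript.exe //B Run-key value (section "Adds Run key to start application"). The following is an added example written for this page, not code from the sandbox or from the sample: it parses constructed proxy-style log lines for the WSHRAT beacon and checks Run-key values for a wscript.exe launch of a script under AppData. The User-Agent string and the Run-key value are copied from the report; the log line format, the IP addresses, the hostname c2.example.invalid (the report does not name the C2 host) and the field names given to the beacon are assumptions.

```python
"""Triage helpers for the WSHRAT indicators in this report.

Added example (editor's code, not part of the sandbox report). The HTTP log
format and the hostnames are constructed; the User-Agent string and the
Run-key value are copied from the report above.
"""
import re
from typing import Iterable, Optional

# Labels for the pipe-delimited fields of the WSHRAT beacon. The report shows
# only the raw header, so these names are the editor's interpretation, not a
# documented protocol layout (assumption).
WSHRAT_UA_FIELDS = (
    "family", "host_id", "computer", "user", "os",
    "tag", "av", "usb_and_date", "version", "country",
)

# Constructed log format: <timestamp> <src_ip> <dst_host> "<user-agent>"
HTTP_LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')

# Run-key value shape from the report: optional path to wscript.exe, optional
# //B (batch mode: no prompts or error dialogs), then a script under AppData.
RUN_VALUE_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?wscript\.exe"?\s+(?://?b\s+)?'
    r'"?(?P<path>[A-Za-z]:\\[^"]*\\AppData\\(?:Roaming|Local)\\[^"]*'
    r'\.(?:js|jse|vbs|vbe|wsf))"?\s*$',
    re.IGNORECASE,
)

# Copied from the report.
REPORT_UA = (
    "WSHRAT|A2C56C1C|RJMQBVDN|Admin|Microsoft Windows 10 Enterprise|plus|"
    "nan-av|false - 21/4/2021|JavaScript-v3.3|NL:Netherlands"
)
REPORT_RUN_VALUE = r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\sample.js"'

# Constructed sample log; c2.example.invalid stands in for the C2 host, which
# the report does not name. Two benign browser lines, two beacons.
SAMPLE_HTTP_LOG = [
    '2021-04-21T04:29:01Z 10.0.0.7 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0"',
    f'2021-04-21T04:29:04Z 10.0.0.5 c2.example.invalid "{REPORT_UA}"',
    '2021-04-21T04:29:05Z 10.0.0.7 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/88.0"',
    f'2021-04-21T04:29:34Z 10.0.0.5 c2.example.invalid "{REPORT_UA}"',
]


def parse_wshrat_ua(ua: str) -> Optional[dict]:
    """Return the beacon fields as a dict if `ua` is a WSHRAT profile, else None.

    Matching on the fixed prefix and the field count, rather than on the
    per-host values, keeps the check stable across victims and RAT builds.
    """
    parts = ua.split("|")
    if parts[0] != "WSHRAT" or len(parts) != len(WSHRAT_UA_FIELDS):
        return None
    return dict(zip(WSHRAT_UA_FIELDS, parts))


def scan_http_log(lines: Iterable[str]) -> list:
    """Return one record per log line whose User-Agent is a WSHRAT beacon."""
    hits = []
    for line in lines:
        m = HTTP_LOG_RE.match(line)
        if not m:
            continue
        beacon = parse_wshrat_ua(m["ua"])
        if beacon is not None:
            hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"], **beacon})
    return hits


def wscript_run_target(value: str) -> Optional[str]:
    """Return the script path if a Run-key value launches a script under the
    user's AppData tree through wscript.exe, else None."""
    m = RUN_VALUE_RE.match(value)
    return m["path"] if m else None


if __name__ == "__main__":
    for hit in scan_http_log(SAMPLE_HTTP_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["host"]}: '
              f'{hit["computer"]}/{hit["user"]} {hit["version"]} {hit["country"]}')
    print("Run key launches:", wscript_run_target(REPORT_RUN_VALUE))
```

The Run-key check deliberately accepts wscript.exe with or without a full path and with or without the //B switch, and only fires when the script lives under AppData\Roaming or AppData\Local; a legitimate logon script launched from a program directory does not match, which keeps the rule usable across a fleet.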
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: wscript.exe
  description  pid   process      target pid  target process
  PID 3944 wrote to memory of 416   3944  wscript.exe  416  wscript.exe
  PID 3944 wrote to memory of 416   3944  wscript.exe  416  wscript.exe
Both records are writes from the first-stage wscript.exe (pid 3944, running sample.js from AppData\Local\Temp) into the child it launched (pid 416, the AppData\Roaming copy). A parent writing into a child it has just created is common at process start, so on its own this is weak evidence of code injection; the memory dump for pid 416 listed under Downloads is where to confirm what was written.
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe  (child of 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sample.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.js
  MD5:     50b161e153799ebfcd888603b54506be
  SHA1:    8e68d6610af48ef5254bd2bc5f86e090438a6c57
  SHA256:  e6ebda58c277bdad5a4bb46104a3d23c91f8e7b056a79163f573a22388446d75
  SHA512:  a4426e78af6b6a083f609b01ce7e4e8b8bd1c49dc6320cc687088ce4237207f861e26e6c3f008c362793c342b82193dd90508930df1916d8cc71676a7b5259a7

C:\Users\Admin\AppData\Roaming\sample.js
  MD5:     883fa46edf3dfc3d4160faa2704c828e
  SHA1:    27163d08ca6d045bd9a377cf6e7908c48f986caa
  SHA256:  fc594743679135ba55d13ef203c1a4110ec80cf207f01af9dfdf287fc83321e8
  SHA512:  dd5627aa87a517e82c74a7a189e2f4ba00715fd4f09d2888323317d098b7b78a615936f3e236e4f4308ea2ee1d0fd245755a61bb6830e9f58ac539bff6865d09

memory/416-114-0x0000000000000000-mapping.dmp

The AppData\Roaming copy is byte-identical to the submitted sample (all four hashes match the General section), so the Run-key persistence relaunches the original script unchanged. The Startup-folder copy has different hashes, so it is not a straight copy of the submission; its content is not shown in this report, and hash-based blocking of the submitted file alone will miss it.