Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 19:32
Static task: static1
Behavioral task: behavioral1 (Sample: Rut.js, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: Rut.js, Resource: win10v20210408)
General
- Target: Rut.js
- Size: 412KB
- MD5: b90b295157b57ba84dd525b8a0788cea
- SHA1: b58705476941038c5c0f4e0604c55276c8fc2096
- SHA256: 6e348ed0aac3c01961f86af5fe843e1e1c5d2d977ea62eea7960efbb6a1c78fd
- SHA512: e291cd979fc2e75c308b4b98fe8f45e3b2ed1bb416825c0b52a588b6b2268695a5d6f4beed6f6817741368691d9acb98bad9229e9166bad023698d0393bd77b4
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes: wscript.exe (pid 2020), network flows 6, 8, 9, 10, 12, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25, 26, 28

- Drops startup file (2 IoCs)
  Processes: wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rut.js
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rut.js

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rut = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rut.js\""
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rut = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rut.js\""
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network: flow 5, ip-api.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Script User-Agent (16 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, identical on flows 13, 22, 24, 28, 8, 10, 21, 9, 12, 14, 17, 20, 16, 18, 25, 26:
  WSHRAT|58B980FB|MRBKYMNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 21/4/2021|JavaScript-v2.0|NL:Netherlands
Downloads
- memory/2020-60-0x000007FEFC141000-0x000007FEFC143000-memory.dmp (Filesize: 8KB)