Analysis
- max time kernel: 148s
- max time network: 187s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 07-07-2021 08:40
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 4.js, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: 4.js, Resource: win10v20210410)
General
- Target: 4.js
- Size: 9KB
- MD5: b5e34472d72474569a2332ce317f4cc1
- SHA1: 209017707d1e40faa9ec527e2128ef25de4b76ce
- SHA256: 99d7b67e0d011b22fe3e491445fe0a6dab5e6999d8f7fb99ec505d434255d712
- SHA512: 2d18a8be9a19fa77336d950c18257039f4fe5165c354aae253efba0509c72a879a6ccbf3ec2275345deeed39d31227ae95ff7c56fa1583919e715ad6f5ba0094
Malware Config
Signatures
Blocklisted process makes network request (5 IoCs)
Processes (flow / pid / process):
- flow 5, pid 1104, wscript.exe
- flow 7, pid 112, WScript.exe
- flow 10, pid 2012, wscript.exe
- flow 12, pid 2012, wscript.exe
- flow 13, pid 2012, wscript.exe
Drops startup file (6 IoCs)
Processes (description / ioc / process):
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js | wscript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EA347B7QRQ.js | WScript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EA347B7QRQ.js | WScript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJYUPBHN6D.js | WScript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJYUPBHN6D.js | wscript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js | wscript.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
Processes (description / ioc / process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\XJYUPBHN6D = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XJYUPBHN6D.js\"" | WScript.exe
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\XJYUPBHN6D = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XJYUPBHN6D.js\"" | wscript.exe
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\I0ZIRGD8RJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4.js\"" | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\EA347B7QRQ.js\"" | WScript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run | WScript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XJYUPBHN6D = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XJYUPBHN6D.js\"" | WScript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run | wscript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XJYUPBHN6D = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XJYUPBHN6D.js\"" | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- flow 9, ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- pid 1348, schtasks.exe
- pid 1064, schtasks.exe
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description / flow / ioc):
- HTTP User-Agent header | flow 12 | WSHRAT|58B980FB|MRBKYMNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/7/2021|JavaScript-v3.4|NL:Netherlands
- HTTP User-Agent header | flow 13 | WSHRAT|58B980FB|MRBKYMNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/7/2021|JavaScript-v3.4|NL:Netherlands
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (pid / process / target pid / target process; each pairing is recorded three times in the report):
- PID 1104 wscript.exe wrote to memory of 1348 schtasks.exe (x3)
- PID 1104 wscript.exe wrote to memory of 112 WScript.exe (x3)
- PID 112 WScript.exe wrote to memory of 1064 schtasks.exe (x3)
- PID 1104 wscript.exe wrote to memory of 920 WScript.exe (x3)
- PID 920 WScript.exe wrote to memory of 2012 wscript.exe (x3)
Processes (process tree; indentation shows parent/child)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\4.js
    - Creates scheduled task(s)
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
      - Creates scheduled task(s)
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XJYUPBHN6D.js"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\XJYUPBHN6D.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
  MD5: 1fcdabf0091e9b0c9688f3197749cc51
  SHA1: 758692234294f34d068477aef9b37389f9abb13b
  SHA256: 8676da33f9c52582e2759516dbd1d19e836edcc1132babf4839d81e6b3b08a07
  SHA512: b484f33c7ea540c08e06d02742d925a4867af8b7046b028f81a4be53acc8290fcbd703704e3ae032cde449914acb5495244460749c9cf1fc08e1bbdc61233748
- C:\Users\Admin\AppData\Local\Temp\XJYUPBHN6D.js
  MD5: 6874d678e690727b4a78c048c4a52ce1
  SHA1: b3da716221772dd30e68f38177295d6c8162d548
  SHA256: b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58
  SHA512: d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJYUPBHN6D.js
  MD5: 986ceec84affa9a0a26c7839d8b85d4e
  SHA1: 2e16b61f2e31f78596a6cf6a195b56cf1565de44
  SHA256: 940a421c5562c47d33f2387ae9224ab4c7053edc9ef4cb2edadf2335ad73ddc1
  SHA512: fd34817a87163aa2112ee3c7590564a8e14c0ec7e0c29bd73ffd38907aaef53751ea6acbc73f2a79668a7716b25d4d30e9bf34647a800e75a8992c424a7dc0c6
- C:\Users\Admin\AppData\Roaming\XJYUPBHN6D.js
  MD5: 6874d678e690727b4a78c048c4a52ce1
  SHA1: b3da716221772dd30e68f38177295d6c8162d548
  SHA256: b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58
  SHA512: d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249