Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-07-2021 08:40
Static task: static1
Behavioral task: behavioral1 (sample 4.js, resource win7v20210410)
Behavioral task: behavioral2 (sample 4.js, resource win10v20210410)
General
- Target: 4.js
- Size: 9KB
- MD5: b5e34472d72474569a2332ce317f4cc1
- SHA1: 209017707d1e40faa9ec527e2128ef25de4b76ce
- SHA256: 99d7b67e0d011b22fe3e491445fe0a6dab5e6999d8f7fb99ec505d434255d712
- SHA512: 2d18a8be9a19fa77336d950c18257039f4fe5165c354aae253efba0509c72a879a6ccbf3ec2275345deeed39d31227ae95ff7c56fa1583919e715ad6f5ba0094
Malware Config
Signatures

Blocklisted process makes network request (5 IoCs)
Processes: wscript.exe, WScript.exe, wscript.exe

| flow | pid  | process     |
|------|------|-------------|
| 7    | 3176 | wscript.exe |
| 13   | 2088 | WScript.exe |
| 18   | 1700 | wscript.exe |
| 20   | 1700 | wscript.exe |
| 21   | 1700 | wscript.exe |
Drops startup file (6 IoCs)
Processes: wscript.exe, wscript.exe, WScript.exe, WScript.exe

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A84AXBNN6A.js | wscript.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js | wscript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js | wscript.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EA347B7QRQ.js | WScript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EA347B7QRQ.js | WScript.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A84AXBNN6A.js | WScript.exe |
Adds Run key to start application (2 TTPs, 12 IoCs)
Processes: wscript.exe, WScript.exe, WScript.exe, wscript.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run | wscript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\"" | wscript.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\software\microsoft\windows\currentversion\run | WScript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\"" | WScript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\"" | WScript.exe |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\A84AXBNN6A = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A84AXBNN6A.js\"" | wscript.exe |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\I0ZIRGD8RJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4.js\"" | wscript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\EA347B7QRQ.js\"" | WScript.exe |
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc        |
|------|------------|
| 17   | ip-api.com |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe

| pid  | process      |
|------|--------------|
| 1676 | schtasks.exe |
| 4088 | schtasks.exe |
Modifies registry class (1 IoC)
Processes: wscript.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | wscript.exe |
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
flow 20, HTTP User-Agent header: WSHRAT|A2C56C1C|RJMQBVDN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 7/7/2021|JavaScript-v3.4|NL:Netherlands
flow 21, HTTP User-Agent header: WSHRAT|A2C56C1C|RJMQBVDN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 7/7/2021|JavaScript-v3.4|NL:Netherlands
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: wscript.exe, WScript.exe, WScript.exe

| description     | source pid | source process | target pid | target process |
|-----------------|------------|----------------|------------|----------------|
| wrote to memory | 3176       | wscript.exe    | 1676       | schtasks.exe   |
| wrote to memory | 3176       | wscript.exe    | 1676       | schtasks.exe   |
| wrote to memory | 3176       | wscript.exe    | 2088       | WScript.exe    |
| wrote to memory | 3176       | wscript.exe    | 2088       | WScript.exe    |
| wrote to memory | 2088       | WScript.exe    | 4088       | schtasks.exe   |
| wrote to memory | 2088       | WScript.exe    | 4088       | schtasks.exe   |
| wrote to memory | 3176       | wscript.exe    | 3848       | WScript.exe    |
| wrote to memory | 3176       | wscript.exe    | 3848       | WScript.exe    |
| wrote to memory | 3848       | WScript.exe    | 1700       | wscript.exe    |
| wrote to memory | 3848       | WScript.exe    | 1700       | wscript.exe    |
Processes (tree; indentation shows parent/child depth)

C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\4.js
    - Creates scheduled task(s)

  C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
      - Creates scheduled task(s)

  C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A84AXBNN6A.js"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\A84AXBNN6A.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\A84AXBNN6A.js
MD5: 6874d678e690727b4a78c048c4a52ce1
SHA1: b3da716221772dd30e68f38177295d6c8162d548
SHA256: b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58
SHA512: d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

C:\Users\Admin\AppData\Local\Temp\EA347B7QRQ.js
MD5: 1fcdabf0091e9b0c9688f3197749cc51
SHA1: 758692234294f34d068477aef9b37389f9abb13b
SHA256: 8676da33f9c52582e2759516dbd1d19e836edcc1132babf4839d81e6b3b08a07
SHA512: b484f33c7ea540c08e06d02742d925a4867af8b7046b028f81a4be53acc8290fcbd703704e3ae032cde449914acb5495244460749c9cf1fc08e1bbdc61233748

C:\Users\Admin\AppData\Roaming\A84AXBNN6A.js
MD5: 6874d678e690727b4a78c048c4a52ce1
SHA1: b3da716221772dd30e68f38177295d6c8162d548
SHA256: b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58
SHA512: d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A84AXBNN6A.js
MD5: 6874d678e690727b4a78c048c4a52ce1
SHA1: b3da716221772dd30e68f38177295d6c8162d548
SHA256: b5347aa946a20eb48f39202f5d5b749676948014e4eaa347a15e504f3f5f6d58
SHA512: d201a990eb7c0d913d45b4066a69b0b6c6c88a5844d43c1d222ed135454b0609b4345ab1ed27d4ed40d86aa1d94e1cec0eced44335ee6bd3ac23ede659de0249

Memory dumps:
- memory/1676-114-0x0000000000000000-mapping.dmp
- memory/1700-120-0x0000000000000000-mapping.dmp
- memory/2088-115-0x0000000000000000-mapping.dmp
- memory/3848-118-0x0000000000000000-mapping.dmp
- memory/4088-117-0x0000000000000000-mapping.dmp