Analysis
- max time kernel: 152s
- max time network: 194s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-08-2021 18:58
- Static task: static1
- Behavioral task: behavioral1 (sample #W0091.js, resource win7v20210410)
- Behavioral task: behavioral2 (sample #W0091.js, resource win10v20210408)
General
- Target: #W0091.js
- Size: 12KB
- MD5: d9cf0592d6515534cb8efa5b63cfae5b
- SHA1: 93764956ad2a38d3f70dde3ac0410b367bb8a92b
- SHA256: ecb06a64c672927554eeb66d6b0552a147e35eb85a30dadf28d4a2f92d8cb45d
- SHA512: e739a973e401bd3f96721a18fa1dbb5827e63365c4dacc46c7017adc0f6c93cc82b1c0d9fa71726b8e77b6fe1bdad4863d7ba2b4b71741fd001ce912557673f3
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes (flow, pid, process):
    6   1304  wscript.exe
    9   1784  wscript.exe
    11  1784  wscript.exe
    12  1784  wscript.exe
    13  1784  wscript.exe
    15  1784  wscript.exe
    16  1784  wscript.exe
    17  1784  wscript.exe
    19  1784  wscript.exe
    21  1028  WScript.exe
    22  1784  wscript.exe
    23  1784  wscript.exe
    25  1784  wscript.exe
    27  1784  wscript.exe
    29  1784  wscript.exe
    32  1784  wscript.exe
    34  1784  wscript.exe

- Drops startup file (6 IoCs)
  Processes (description, ioc, process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#W0091.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#W0091.js (wscript.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z23K20ZB7L.js (WScript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z23K20ZB7L.js (wscript.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RX7V5HA0F8.js (WScript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RX7V5HA0F8.js (WScript.exe)

- Adds Run key to start application (2 TTPs, 12 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run (WScript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Z23K20ZB7L = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Z23K20ZB7L.js\"" (WScript.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run (wscript.exe)
    Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\GF5EHB4I0U = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RX7V5HA0F8.js\"" (WScript.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\VXBM5F7PI1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\#W0091.js\"" (wscript.exe)
    Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (WScript.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Z23K20ZB7L = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Z23K20ZB7L.js\"" (WScript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Z23K20ZB7L = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Z23K20ZB7L.js\"" (wscript.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Z23K20ZB7L = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Z23K20ZB7L.js\"" (wscript.exe)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    8  ip-api.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, process, target process):
    PID 1304 wrote to memory of 1132: 1304 wscript.exe -> schtasks.exe
    PID 1304 wrote to memory of 1132: 1304 wscript.exe -> schtasks.exe
    PID 1304 wrote to memory of 1132: 1304 wscript.exe -> schtasks.exe
    PID 1304 wrote to memory of 584: 1304 wscript.exe -> WScript.exe
    PID 1304 wrote to memory of 584: 1304 wscript.exe -> WScript.exe
    PID 1304 wrote to memory of 584: 1304 wscript.exe -> WScript.exe
    PID 584 wrote to memory of 1784: 584 WScript.exe -> wscript.exe
    PID 584 wrote to memory of 1784: 584 WScript.exe -> wscript.exe
    PID 584 wrote to memory of 1784: 584 WScript.exe -> wscript.exe
    PID 1304 wrote to memory of 1028: 1304 wscript.exe -> WScript.exe
    PID 1304 wrote to memory of 1028: 1304 wscript.exe -> WScript.exe
    PID 1304 wrote to memory of 1028: 1304 wscript.exe -> WScript.exe
    PID 1028 wrote to memory of 820: 1028 WScript.exe -> schtasks.exe
    PID 1028 wrote to memory of 820: 1028 WScript.exe -> schtasks.exe
    PID 1028 wrote to memory of 820: 1028 WScript.exe -> schtasks.exe
    PID 1304 wrote to memory of 1492: 1304 wscript.exe -> WScript.exe
    PID 1304 wrote to memory of 1492: 1304 wscript.exe -> WScript.exe
    PID 1304 wrote to memory of 1492: 1304 wscript.exe -> WScript.exe
Processes
- C:\Windows\system32\wscript.exe (PID 1304)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\#W0091.js
  Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 1132)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\#W0091.js
    Signatures: Creates scheduled task(s)
  - C:\Windows\System32\WScript.exe (PID 584)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Z23K20ZB7L.js"
    Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 1784)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Z23K20ZB7L.js"
      Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application
  - C:\Windows\System32\WScript.exe (PID 1028)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RX7V5HA0F8.js"
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe (PID 820)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\RX7V5HA0F8.js
      Signatures: Creates scheduled task(s)
  - C:\Windows\System32\WScript.exe (PID 1492)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VMGOLB27GG.js"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RX7V5HA0F8.js
- C:\Users\Admin\AppData\Local\Temp\VMGOLB27GG.js (identical hashes to Temp\RX7V5HA0F8.js)
- C:\Users\Admin\AppData\Local\Temp\Z23K20ZB7L.js
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z23K20ZB7L.js (identical hashes to Temp\Z23K20ZB7L.js)
- C:\Users\Admin\AppData\Roaming\Z23K20ZB7L.js (identical hashes to Temp\Z23K20ZB7L.js)