Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 01-09-2021 04:44
Static task: static1
Behavioral task: behavioral1
- Sample: extracted.js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: extracted.js
- Resource: win10v20210408
General
- Target: extracted.js
- Size: 18KB
- MD5: 1d9327d69fd263ac645b6a4eef31cb24
- SHA1: 3cff6c8d464e8c254048635dd68e31225ffcb6e4
- SHA256: b302998fc5e3ff4a61d22f5c35ea5e168e040d10bc8437cf8c190bfc27e63dd0
- SHA512: 50cf6ff55a3f73803b4b1313c029e08e66e62ff6de1fd839fec21aecc09d30254616a3b8aab271828a7a69f4835d155ee4af53bb3c4daaa3b4a1cb2305409e2f
Malware Config
Signatures
- Blocklisted process makes network request (22 IoCs)
  Processes: wscript.exe, wscript.exe, WScript.exe
  flow | pid  | process
  10   | 4796 | wscript.exe
  11   | 3516 | wscript.exe
  15   | 3516 | wscript.exe
  20   | 3516 | wscript.exe
  21   | 3516 | wscript.exe
  22   | 3516 | wscript.exe
  23   | 3516 | wscript.exe
  24   | 3516 | wscript.exe
  25   | 3516 | wscript.exe
  26   | 3516 | wscript.exe
  27   | 3516 | wscript.exe
  28   | 3516 | wscript.exe
  29   | 3516 | wscript.exe
  30   | 3516 | wscript.exe
  31   | 3516 | wscript.exe
  32   | 3516 | wscript.exe
  33   | 3516 | wscript.exe
  34   | 3516 | wscript.exe
  36   | 1220 | WScript.exe
  37   | 1220 | WScript.exe
  38   | 3516 | wscript.exe
  39   | 1220 | WScript.exe
- Executes dropped EXE (1 IoCs)
  Processes: kl-plugin.exe
  pid  | process
  2208 | kl-plugin.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, WScript.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XLUWQJIUG1.vbs | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XLUWQJIUG1.vbs | WScript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amqolYPJMq.js | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: WScript.exe, wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLUWQJIUG1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\XLUWQJIUG1.vbs\"" | WScript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XLUWQJIUG1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\XLUWQJIUG1.vbs\"" | WScript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\amqolYPJMq.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run | WScript.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  35   | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid  | process
  1988 | taskkill.exe
- Modifies registry class (1 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | wscript.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 1988 | taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: kl-plugin.exe
  pid  | process
  2208 | kl-plugin.exe
  2208 | kl-plugin.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: wscript.exe, WScript.exe, cmd.exe
  description | pid | process | target process
  PID 4796 wrote to memory of 3516 | 4796 | wscript.exe | wscript.exe
  PID 4796 wrote to memory of 3516 | 4796 | wscript.exe | wscript.exe
  PID 4796 wrote to memory of 1220 | 4796 | wscript.exe | WScript.exe
  PID 4796 wrote to memory of 1220 | 4796 | wscript.exe | WScript.exe
  PID 1220 wrote to memory of 1680 | 1220 | WScript.exe | cmd.exe
  PID 1220 wrote to memory of 1680 | 1220 | WScript.exe | cmd.exe
  PID 1680 wrote to memory of 1988 | 1680 | cmd.exe | taskkill.exe
  PID 1680 wrote to memory of 1988 | 1680 | cmd.exe | taskkill.exe
  PID 1220 wrote to memory of 2208 | 1220 | WScript.exe | kl-plugin.exe
  PID 1220 wrote to memory of 2208 | 1220 | WScript.exe | kl-plugin.exe
  PID 1220 wrote to memory of 2208 | 1220 | WScript.exe | kl-plugin.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\extracted.js
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\amqolYPJMq.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XLUWQJIUG1.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe
        Command line: taskkill /F /IM kl-plugin.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe" 194.5.97.156 8256 "WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 9/1/2021|Visual Basic-v2.0|NL:Netherlands" 1
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XLUWQJIUG1.vbs
  MD5: e335bd5a685e95d9652d5a600b3605ea
  SHA1: 863cb2c134c72d65138af0da4b4053d5e9d9cfc9
  SHA256: d0cdcbfd0c9053bf94b6e8a2bdbe2df910833164330013c4ebc5623a2b5215ba
  SHA512: dba67a7dbabc3a780f0e750ff80817d7ac9b83834c1755ff6b5ddb6541787c16adb2a33d20132184172b37963cd2cf3fced3cbdeaecf09dfbff76c3267f3650f
- C:\Users\Admin\AppData\Local\Temp\kl-plugin.exe
  MD5: 7099a939fa30d939ccceb2f0597b19ed
  SHA1: 37b644ef5722709cd9024a372db4590916381976
  SHA256: 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
  SHA512: 6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721
- C:\Users\Admin\AppData\Roaming\amqolYPJMq.js
  MD5: 3f7b92769fc59d8adc125b4d4e8adee4
  SHA1: b3ea6913dcf3681572a1db1f429cc5e1e49b060e
  SHA256: e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209
  SHA512: 659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f
- memory/1220-116-0x0000000000000000-mapping.dmp
- memory/1680-118-0x0000000000000000-mapping.dmp
- memory/1988-119-0x0000000000000000-mapping.dmp
- memory/2208-120-0x0000000000000000-mapping.dmp
- memory/2208-123-0x0000000002710000-0x0000000002711000-memory.dmp
  Filesize: 4KB
- memory/3516-114-0x0000000000000000-mapping.dmp