Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows10_x64
- resource: win10-en
- submitted: 06/09/2021, 22:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7002991002.js
- Resource: win7v20210408
General
- Target: 7002991002.js
- Size: 5.0MB
- MD5: a20a192f6475f69d11a5517e9542becf
- SHA1: d21e1fc4f817ec7410d70a88403dd6e7d4f654f8
- SHA256: 2a0356a320b8202a66e35e71cd8aa503953d8ddea284c0da06ae6f2571ec3ff5
- SHA512: 76df370a5d38d580f120f1eaa4ea1ce64b8a80f70fd6c06db9bf78165ab0b068adb04e3bb0c0fb23231575bcf1386fada6bea21f5eb182361ec7496b8f06af78
Malware Config
Signatures
NirSoft MailPassView (7 IoCs)
  Password recovery tool for various email clients
  resource | yara_rule
  behavioral2/files/0x000400000001ab06-116.dat | MailPassView
  behavioral2/files/0x000400000001ab06-117.dat | MailPassView
  behavioral2/files/0x000400000001ab09-120.dat | MailPassView
  behavioral2/files/0x000400000001ab09-121.dat | MailPassView
  behavioral2/memory/4128-125-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral2/memory/4128-126-0x0000000000411654-mapping.dmp | MailPassView
  behavioral2/memory/4128-128-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
NirSoft WebBrowserPassView (7 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/files/0x000400000001ab06-116.dat | WebBrowserPassView
  behavioral2/files/0x000400000001ab06-117.dat | WebBrowserPassView
  behavioral2/files/0x000400000001ab09-120.dat | WebBrowserPassView
  behavioral2/files/0x000400000001ab09-121.dat | WebBrowserPassView
  behavioral2/memory/4184-130-0x0000000000442628-mapping.dmp | WebBrowserPassView
  behavioral2/memory/4184-129-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
  behavioral2/memory/4184-131-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
Nirsoft (10 IoCs)
  resource | yara_rule
  behavioral2/files/0x000400000001ab06-116.dat | Nirsoft
  behavioral2/files/0x000400000001ab06-117.dat | Nirsoft
  behavioral2/files/0x000400000001ab09-120.dat | Nirsoft
  behavioral2/files/0x000400000001ab09-121.dat | Nirsoft
  behavioral2/memory/4128-125-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/4128-126-0x0000000000411654-mapping.dmp | Nirsoft
  behavioral2/memory/4128-128-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/4184-130-0x0000000000442628-mapping.dmp | Nirsoft
  behavioral2/memory/4184-129-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
  behavioral2/memory/4184-131-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
Blocklisted process makes network request (26 IoCs)
  flow | pid | Process
  13 | 3908 | wscript.exe
  15 | 3908 | wscript.exe
  16 | 3908 | wscript.exe
  23 | 3908 | wscript.exe
  25 | 3908 | wscript.exe
  26 | 3908 | wscript.exe
  28 | 3908 | wscript.exe
  31 | 3908 | wscript.exe
  32 | 3908 | wscript.exe
  33 | 3908 | wscript.exe
  34 | 3908 | wscript.exe
  35 | 3908 | wscript.exe
  36 | 3908 | wscript.exe
  37 | 3908 | wscript.exe
  38 | 3908 | wscript.exe
  39 | 3908 | wscript.exe
  40 | 3908 | wscript.exe
  41 | 3908 | wscript.exe
  42 | 3908 | wscript.exe
  43 | 3908 | wscript.exe
  44 | 3908 | wscript.exe
  45 | 3908 | wscript.exe
  46 | 3908 | wscript.exe
  47 | 3908 | wscript.exe
  48 | 3908 | wscript.exe
  49 | 3908 | wscript.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  3856 | whhost.exe
  3840 | Windows Update.exe
Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js | wscript.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | ip-api.com
  17 | whatismyipaddress.com
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 3840 set thread context of 4128 | 3840 | Windows Update.exe | 81
  PID 3840 set thread context of 4184 | 3840 | Windows Update.exe | 82
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies system certificate store
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Windows Update.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded certificate blob omitted) | Windows Update.exe
  (the Set value (data) entry above is recorded four times in the report; the blob value is omitted each time)
Script User-Agent (24 IoCs)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 34 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 37 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 38 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 40 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 41 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 46 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 47 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 48 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 23 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 25 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 26 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 31 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 36 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 45 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 16 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 32 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 35 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 39 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 42 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 43 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 49 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 13 | "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
  HTTP User-Agent header | 33 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
  HTTP User-Agent header | 44 | "WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4184 | vbc.exe
  4184 | vbc.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3840 | Windows Update.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3840 | Windows Update.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 3908 wrote to memory of 3856 | 3908 | wscript.exe | 78 (3 identical entries)
  PID 3856 wrote to memory of 3840 | 3856 | whhost.exe | 79 (3 identical entries)
  PID 3840 wrote to memory of 4128 | 3840 | Windows Update.exe | 81 (9 identical entries)
  PID 3840 wrote to memory of 4184 | 3840 | Windows Update.exe | 82 (9 identical entries)
Processes
C:\Windows\system32\wscript.exe (PID: 3908)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\7002991002.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\whhost.exe (PID: 3856)
    command line: "C:\Users\Admin\AppData\Local\Temp\whhost.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID: 3840)
      command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID: 4128)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID: 4184)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        - Suspicious behavior: EnumeratesProcesses