Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 29/09/2021, 03:07

Static task: static1
Behavioral task: behavioral1
- Sample: Scano005110.js
- Resource: win7v20210408
General
- Target: Scano005110.js
- Size: 5.2MB
- MD5: a3a411523aa5bf3818e8925e908be9a2
- SHA1: e356ce5f29c820c5fc7ca65c242be082bafc8fe8
- SHA256: 052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c
- SHA512: edd2647484ef73879e4c48f8e89f6166bdc73725b17b8a95d3522fbac9954749b93ddc9043a4c0db2e58de382b5a97a7d96ec3ebe7cd36ee7fd7ae6d78f42e88
Malware Config
Extracted
- Protocol: smtp
- Host: mail.legacypharma.com.pk
- Port: 587
- Username: [email protected]
- Password: aurangzeb1926

These are SMTP credentials embedded in the payload: the stealer component mails harvested data out through this account. The mailbox name itself was not preserved in this capture. The host, port and password are usable as-is for blocking outbound SMTP to that server and for notifying the mailbox owner.
Signatures

NirSoft MailPassView (9 IoCs)
Password recovery tool for various email clients
resource : yara_rule
- behavioral2/files/0x000100000001ab10-115.dat : MailPassView
- behavioral2/files/0x000100000001ab10-116.dat : MailPassView
- behavioral2/files/0x00020000000155fe-119.dat : MailPassView
- behavioral2/files/0x00020000000155fe-120.dat : MailPassView
- behavioral2/memory/1104-123-0x0000000000400000-0x000000000041B000-memory.dmp : MailPassView
- behavioral2/memory/1104-124-0x0000000000411654-mapping.dmp : MailPassView
- behavioral2/memory/1104-127-0x0000000000400000-0x000000000041B000-memory.dmp : MailPassView
- behavioral2/files/0x000100000001b072-202.dat : MailPassView
- behavioral2/files/0x000100000001b072-203.dat : MailPassView

NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
resource : yara_rule
- behavioral2/files/0x000100000001ab10-115.dat : WebBrowserPassView
- behavioral2/files/0x000100000001ab10-116.dat : WebBrowserPassView
- behavioral2/files/0x00020000000155fe-119.dat : WebBrowserPassView
- behavioral2/files/0x00020000000155fe-120.dat : WebBrowserPassView
- behavioral2/memory/1348-128-0x0000000000400000-0x0000000000458000-memory.dmp : WebBrowserPassView
- behavioral2/memory/1348-129-0x0000000000442628-mapping.dmp : WebBrowserPassView
- behavioral2/memory/1348-130-0x0000000000400000-0x0000000000458000-memory.dmp : WebBrowserPassView

Nirsoft (12 IoCs)
resource : yara_rule
- behavioral2/files/0x000100000001ab10-115.dat : Nirsoft
- behavioral2/files/0x000100000001ab10-116.dat : Nirsoft
- behavioral2/files/0x00020000000155fe-119.dat : Nirsoft
- behavioral2/files/0x00020000000155fe-120.dat : Nirsoft
- behavioral2/memory/1104-123-0x0000000000400000-0x000000000041B000-memory.dmp : Nirsoft
- behavioral2/memory/1104-124-0x0000000000411654-mapping.dmp : Nirsoft
- behavioral2/memory/1104-127-0x0000000000400000-0x000000000041B000-memory.dmp : Nirsoft
- behavioral2/memory/1348-128-0x0000000000400000-0x0000000000458000-memory.dmp : Nirsoft
- behavioral2/memory/1348-129-0x0000000000442628-mapping.dmp : Nirsoft
- behavioral2/memory/1348-130-0x0000000000400000-0x0000000000458000-memory.dmp : Nirsoft
- behavioral2/files/0x000100000001b072-202.dat : Nirsoft
- behavioral2/files/0x000100000001b072-203.dat : Nirsoft

The memory hits are the useful part of these three signatures: the MailPassView rule fires only in PID 1104 and the WebBrowserPassView rule only in PID 1348, which are the two vbc.exe children that Windows Update.exe (PID 736) starts and then targets with SetThreadContext (see below). The dropped .dat files match both rules because they carry both tools.
Blocklisted process makes network request (18 IoCs)
flow : pid : Process
- flows 4, 6, 7, 8, 9, 10, 12, 25, 26, 27, 28, 33, 34, 35, 36, 37, 38, 39 : 4000 : wscript.exe

Executes dropped EXE (4 IoCs)
pid : Process
- 1912 : fthost.exe
- 736 : Windows Update.exe
- 3176 : python.exe
- 2308 : cmdc.exe

Drops startup file (2 IoCs)
description : ioc : Process
- File created : C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js : wscript.exe
- File opened for modification : C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js : wscript.exe

Loads dropped DLL (3 IoCs)
pid : Process
- 3176 : python.exe (three DLL loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTPs)
In this run vbc.exe (PIDs 1104 and 1348) is not compiling anything. Windows Update.exe (PID 736) starts both instances, writes into them and calls SetThreadContext on them, and the MailPassView and WebBrowserPassView YARA rules then match in their memory. The /stext switch on their command lines is the NirSoft save-to-text option, not a vbc.exe option: the compiler is a hollowed host for the injected password recovery tools, chosen because it is a signed Microsoft binary that most allow-lists trust.
Adds Run key to start application (2 TTPs, 5 IoCs)
description : ioc : Process
- Key created : \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run : wscript.exe
- Set value (str) : \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" : wscript.exe
- Key created : \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run : wscript.exe
- Set value (str) : \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" : wscript.exe
- Set value (str) : \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" : Windows Update.exe

The script persists itself three ways (HKCU Run, HKLM Run, and the Startup folder copy listed above); //B is the wscript batch switch, which suppresses script error dialogs and prompts so the host runs invisibly. The second-stage executable adds its own HKCU Run value. Note the two spellings: the Run value points at Roaming\WindowsUpdate.exe while the running binary is Roaming\Windows Update.exe (with a space); hunt for both names.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow : ioc
- 5 : ip-api.com
- 13 : whatismyipaddress.com

The NL:Netherlands country tag in the beacon User-Agent recorded below is consistent with this lookup feeding the beacon; the services themselves are legitimate and not indicators on their own.
Suspicious use of SetThreadContext (2 IoCs)
description : pid : Process : procid_target
- PID 736 set thread context of 1104 : 736 : Windows Update.exe : 70 (target is vbc.exe PID 1104)
- PID 736 set thread context of 1348 : 736 : Windows Update.exe : 71 (target is vbc.exe PID 1348)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report shows file encryption: the rest of the evidence (credential recovery tools, an SMTP exfiltration account, RAT beaconing) points to a stealer/RAT, so read the drive enumeration as collection or spreading rather than as ransomware.
Kills process with taskkill (2 IoCs)
pid : Process
- 3040 : taskkill.exe
- 3572 : taskkill.exe

Both are taskkill /F /IM cmdc.exe, run from cmd.exe before the dropped cmdc.exe is launched (PID 2308): the script clears any earlier instance of its own helper before re-running it.
Script User-Agent (16 IoCs)
Uses user-agent string associated with script host/environment.
description : flow : ioc
- HTTP User-Agent header : flows 7, 8, 9, 10, 25, 26, 27, 28, 33, 34, 35, 36, 37, 38, 39 : WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands
- HTTP User-Agent header : flow 4 : Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

The WSHRAT string is the implant's beacon, sent as the User-Agent on every check-in; reading the fields against this run, it carries a bot id (3ED10BF6), the sandbox hostname (GFBFPSXA), the user (Admin), the OS edition, an antivirus field ("nan-av" when none is found), a flag, the date, the implant version (JavaScript-v3.4) and the geolocated country. The "WSHRAT|" prefix alone is a high-fidelity proxy-log indicator. The flow 4 string is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object and is low fidelity on its own, since legitimate scripts and installers send it too.
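As an added detection example (not part of the sandbox report and not the sample's own code), the Python below decodes the WSHRAT beacon User-Agent recorded above and runs it over a few constructed proxy log lines. The meaning assigned to each positional field is an interpretation of the observed values, the log format is assumed, and c2.example.invalid stands in for the C2 host, which this report does not record.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Positional layout of the WSHRAT beacon User-Agent recorded above. The
# meaning given to each field here is an interpretation of the observed
# values, not something the sandbox documents:
#   WSHRAT|<bot id>|<hostname>|<user>|<OS>|plus|<AV string>|<flag> - <date>|<implant version>|<country>
WSHRAT_UA = re.compile(
    r"^WSHRAT\|(?P<bot_id>[0-9A-Fa-f]+)\|(?P<host>[^|]*)\|(?P<user>[^|]*)\|"
    r"(?P<os>[^|]*)\|plus\|(?P<av>[^|]*)\|(?P<flag>[^ |]*) - (?P<date>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<country>[^|]*)$"
)

# Default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object (flow 4 above).
# Low fidelity on its own: plenty of legitimate scripts and installers send it.
WINHTTP_DEFAULT_UA = "WinHttp.WinHttpRequest.5"


@dataclass
class Beacon:
    bot_id: str
    host: str
    user: str
    os: str
    av: str
    flag: str
    date: str
    version: str
    country: str


def parse_wshrat_ua(ua: str) -> Optional[Beacon]:
    """Decode a WSHRAT beacon User-Agent; None for anything else."""
    m = WSHRAT_UA.match(ua.strip())
    return Beacon(**m.groupdict()) if m else None


def is_winhttp_default(ua: str) -> bool:
    return WINHTTP_DEFAULT_UA in ua


# Proxy log format assumed for this example: ts src method url status "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

SAMPLE_UA = ("WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|"
             "false - 29/9/2021|JavaScript-v3.4|NL:Netherlands")

# Constructed log lines (not from the sandbox); c2.example.invalid is a placeholder host.
SAMPLE_LOG = [
    f'2021-09-29T03:08:01Z 10.0.0.15 POST http://c2.example.invalid/ 200 "{SAMPLE_UA}"',
    '2021-09-29T03:08:02Z 10.0.0.15 GET http://ip-api.com/json 200 '
    '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '2021-09-29T03:08:05Z 10.0.0.22 GET https://www.microsoft.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/93.0 Safari/537.36"',
    f'2021-09-29T03:08:31Z 10.0.0.15 POST http://c2.example.invalid/ 200 "{SAMPLE_UA}"',
]


def hunt(lines: List[str]) -> List[Tuple[str, str, Beacon]]:
    """(source ip, url, decoded beacon) for every request carrying a WSHRAT User-Agent."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        beacon = parse_wshrat_ua(m["ua"])
        if beacon:
            hits.append((m["src"], m["url"], beacon))
    return hits


def infected_hosts(lines: List[str]) -> Dict[str, Set[str]]:
    """Group beacons by bot id -> source IPs, so one id on several IPs (or several ids on one IP) stands out."""
    out: Dict[str, Set[str]] = {}
    for src, _url, beacon in hunt(lines):
        out.setdefault(beacon.bot_id, set()).add(src)
    return out


if __name__ == "__main__":
    for src, url, b in hunt(SAMPLE_LOG):
        print(f"{src} -> {url}: bot={b.bot_id} host={b.host} user={b.user} "
              f"os={b.os!r} av={b.av} ver={b.version} geo={b.country}")
    print(infected_hosts(SAMPLE_LOG))
```

The decoded fields are what you want in the alert: hostname and user identify the victim without a second lookup, and the bot id lets you correlate beacons from the same implant across IP changes. The WinHttp default User-Agent is deliberately kept as a separate, weaker check rather than folded into the WSHRAT match.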
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid : Process
- 1348 : vbc.exe (2 events)
- 736 : Windows Update.exe (1 event)
- 2412 : powershell.exe (3 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description : pid : Process
- Token: SeDebugPrivilege : 736 : Windows Update.exe
- Token: SeDebugPrivilege : 2412 : powershell.exe
- Token: 35 : 3176 : python.exe
- Token: SeDebugPrivilege : 3040 : taskkill.exe
- Token: SeDebugPrivilege : 3572 : taskkill.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid : Process
- 736 : Windows Update.exe

Suspicious use of WriteProcessMemory (44 IoCs)
source pid (Process) -> target pid (Process, from the process tree) : sandbox procid_target : number of write events
- 4000 (wscript.exe) -> 1912 (fthost.exe) : 68 : 3
- 1912 (fthost.exe) -> 736 (Windows Update.exe) : 69 : 3
- 736 (Windows Update.exe) -> 1104 (vbc.exe) : 70 : 9
- 736 (Windows Update.exe) -> 1348 (vbc.exe) : 71 : 9
- 4000 (wscript.exe) -> 2412 (powershell.exe) : 82 : 2
- 4000 (wscript.exe) -> 3192 (cmd.exe) : 84 : 2
- 3192 (cmd.exe) -> 3176 (python.exe) : 86 : 3
- 4000 (wscript.exe) -> 2664 (cmd.exe) : 87 : 2
- 2664 (cmd.exe) -> 3040 (taskkill.exe) : 89 : 2
- 4000 (wscript.exe) -> 3852 (cmd.exe) : 90 : 2
- 3852 (cmd.exe) -> 3572 (taskkill.exe) : 92 : 2
- 4000 (wscript.exe) -> 2308 (cmdc.exe) : 93 : 3
- 4000 (wscript.exe) -> 1480 (cmd.exe) : 95 : 2

Two or three writes from a parent into a freshly created child are normal process start-up. The nine writes from 736 into each vbc.exe child, followed by the SetThreadContext calls listed above, are the process-hollowing pattern: the parent overwrites the suspended child's image with the NirSoft tool and then redirects its main thread to it.
Processes

C:\Windows\system32\wscript.exe (PID 4000)
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\fthost.exe (PID 1912)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fthost.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 736)
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1104)
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
            (hollowed host for MailPassView; the YARA hits for that tool are in this process's memory, and /stext is the NirSoft option that writes the recovered mail credentials to holdermail.txt)

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1348)
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            - Suspicious behavior: EnumeratesProcesses
            (hollowed host for WebBrowserPassView; recovered browser credentials go to holderwb.txt)

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2412)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    (loads the WinRT PasswordVault class and dumps every Windows Credential Manager entry, with RetrievePassword() filling in the plaintext password, to tmp.txt; this needs no privilege beyond the current user's and leaves only the command line as evidence)

    C:\Windows\system32\cmd.exe (PID 3192)
    Command line: "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe (PID 3176)
        Command line: C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        (a dropped Python runtime in Temp\wshsdk runs a dropped script named rundll, with its output redirected to Temp\wshout; the name rundll is unrelated to rundll32.exe)

    C:\Windows\system32\cmd.exe (PID 2664)
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe (PID 3040)
        Command line: taskkill /F /IM cmdc.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 3852)
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe (PID 3572)
        Command line: taskkill /F /IM cmdc.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\cmdc.exe (PID 2308)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
    - Executes dropped EXE
    (another dropped tool driven with the same /stext save switch as the vbc.exe-hosted recovery tools; its output file is cmdc.exedata)

    C:\Windows\system32\cmd.exe (PID 1480)
    Command line: "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"

C:\Windows\System32\rundll32.exe (PID 3948)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
(a separate top-level process, not a child of the sample: rundll32 hosting a shell COM local server this way is routine Windows activity, and the sandbox lists it only because it records every process)

Indentation shows parent/child relationships. Collection artefacts worth pulling from the host are the four files under C:\Users\Admin\AppData\Local\Temp: holdermail.txt, holderwb.txt, tmp.txt and cmdc.exedata, plus the wshout and wshlogs paths.
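The process tree above is the chain a process-creation detector should catch end to end: a script host running a .js out of Temp, the dropped executables it spawns, a Microsoft-signed .NET binary turned into a hollowing host and given a NirSoft save switch, and PowerShell reading the credential vault. The Python below is an added example (not sandbox output and not the sample's code) that scores constructed Sysmon-style events mirroring that tree, and the Run-key values from the persistence section. The event schema and rule names are this example's own; a benign vbc.exe compile is included as a control.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events mirroring the report's tree
# (sample data written for this example, not sandbox output). The last event is
# a benign control: vbc.exe doing real compilation work under MSBuild.
EVENTS = [
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js"},
    {"pid": 1912, "ppid": 4000, "image": r"C:\Users\Admin\AppData\Local\Temp\fthost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fthost.exe"'},
    {"pid": 736, "ppid": 1912, "image": r"C:\Users\Admin\AppData\Roaming\Windows Update.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'},
    {"pid": 1104, "ppid": 736, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'},
    {"pid": 2412, "ppid": 4000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -noprofile -command [void][Windows.Security.Credentials.PasswordVault,"
                r"Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object "
                r"Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"},
    {"pid": 5000, "ppid": 4999, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r"vbc.exe /noconfig /target:library /out:obj\Debug\App.dll Module1.vb"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# .NET framework binaries that are popular hollowing hosts for injected payloads
DOTNET_HOST = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(vbc|csc|regasm|regsvcs|installutil|msbuild)\.exe$", re.I)
# save-to-file switches shared by the NirSoft recovery tools (/stext, /shtml, /scomma, ...)
NIRSOFT_SAVE = re.compile(r"(^|\s)/s(text|tab|tabular|comma|csv|html|verhtml|xml)\b", re.I)
PASSWORD_VAULT = re.compile(r"Windows\.Security\.Credentials\.PasswordVault", re.I)


def classify(ev: dict, by_pid: Dict[int, dict]) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    image, cmd = ev["image"], ev["cmdline"]
    parent = by_pid.get(ev["ppid"])
    hits = []
    if SCRIPT_HOST.search(image) and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("script_host_runs_script_from_user_dir")
    if USER_WRITABLE.search(image) and parent and SCRIPT_HOST.search(parent["image"]):
        hits.append("script_host_spawned_dropped_exe")
    if USER_WRITABLE.search(image) and re.search(r"\\windows ?update\.exe$", image, re.I):
        hits.append("masquerading_windows_update_in_appdata")
    if NIRSOFT_SAVE.search(cmd):
        hits.append("nirsoft_save_switch")
    # a framework binary started by something in AppData, or handed a NirSoft switch, is a hollowing host
    if DOTNET_HOST.search(image) and (NIRSOFT_SAVE.search(cmd) or (parent and USER_WRITABLE.search(parent["image"]))):
        hits.append("dotnet_binary_as_injection_host")
    if image.lower().endswith("\\powershell.exe") and PASSWORD_VAULT.search(cmd):
        hits.append("credential_manager_dump")
    return hits


def analyze(events: List[dict]) -> Dict[int, List[str]]:
    """Map each PID that trips at least one rule to the rules it tripped."""
    by_pid = {e["pid"]: e for e in events}
    report: Dict[int, List[str]] = {}
    for e in events:
        rules = classify(e, by_pid)
        if rules:
            report[e["pid"]] = rules
    return report


def classify_run_value(name: str, data: str) -> List[str]:
    """Rules for Run-key values (name = value name, data = the command it stores)."""
    hits = []
    if re.search(r"wscript\.exe\s+//B\b", data, re.I) and USER_WRITABLE.search(data):
        hits.append("silent_script_host_autorun")
    if USER_WRITABLE.search(data) and re.search(r"windows ?update", name, re.I):
        hits.append("autorun_masquerading_as_windows_update")
    return hits


if __name__ == "__main__":
    for pid, rules in analyze(EVENTS).items():
        print(pid, ", ".join(rules))
    print(classify_run_value("Scano005110", r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\Scano005110.js"'))
    print(classify_run_value("Windows Update", r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"))
```

The rules are deliberately keyed on relationships (who spawned the .NET binary, what switch it was given) rather than on the dropped file names, which change from sample to sample; the benign compile trips nothing because it has neither an AppData parent nor a NirSoft switch.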