Analysis
max time kernel: 147s
max time network: 155s
platform: windows10_x64
resource: win10-en-20210920
submitted: 29/09/2021, 04:13
Static task: static1
Behavioral task: behavioral1
Sample: Scano005110.js
Resource: win7v20210408
General
Target: Scano005110.js
Size: 5.2MB
MD5: a3a411523aa5bf3818e8925e908be9a2
SHA1: e356ce5f29c820c5fc7ca65c242be082bafc8fe8
SHA256: 052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c
SHA512: edd2647484ef73879e4c48f8e89f6166bdc73725b17b8a95d3522fbac9954749b93ddc9043a4c0db2e58de382b5a97a7d96ec3ebe7cd36ee7fd7ae6d78f42e88
Malware Config
Extracted
Protocol: smtp
Host: mail.legacypharma.com.pk
Port: 587
Username: [email protected]
Password: aurangzeb1926
Signatures

NirSoft MailPassView (10 IoCs)
Password recovery tool for various email clients
Resources matched by yara_rule MailPassView:
  behavioral2/files/0x000400000001abcb-116.dat
  behavioral2/files/0x000400000001abcb-117.dat
  behavioral2/files/0x000400000001abce-120.dat
  behavioral2/files/0x000400000001abce-121.dat
  behavioral2/memory/1972-124-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/1972-125-0x0000000000411654-mapping.dmp
  behavioral2/memory/1972-128-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/files/0x000200000001abe0-160.dat
  behavioral2/files/0x000200000001abe0-161.dat
  behavioral2/files/0x000300000001abe0-169.dat
NirSoft WebBrowserPassView (7 IoCs)
Password recovery tool for various web browsers
Resources matched by yara_rule WebBrowserPassView:
  behavioral2/files/0x000400000001abcb-116.dat
  behavioral2/files/0x000400000001abcb-117.dat
  behavioral2/files/0x000400000001abce-120.dat
  behavioral2/files/0x000400000001abce-121.dat
  behavioral2/memory/600-129-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/600-130-0x0000000000442628-mapping.dmp
  behavioral2/memory/600-131-0x0000000000400000-0x0000000000458000-memory.dmp
Nirsoft (13 IoCs)
Resources matched by yara_rule Nirsoft:
  behavioral2/files/0x000400000001abcb-116.dat
  behavioral2/files/0x000400000001abcb-117.dat
  behavioral2/files/0x000400000001abce-120.dat
  behavioral2/files/0x000400000001abce-121.dat
  behavioral2/memory/1972-124-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/1972-125-0x0000000000411654-mapping.dmp
  behavioral2/memory/1972-128-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/600-129-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/600-130-0x0000000000442628-mapping.dmp
  behavioral2/memory/600-131-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/files/0x000200000001abe0-160.dat
  behavioral2/files/0x000200000001abe0-161.dat
  behavioral2/files/0x000300000001abe0-169.dat
Blocklisted process makes network request (31 IoCs)
  flows: 5, 7, 8, 10, 11, 12, 14, 15, 20, 22, 23, 25, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42, 43, 44, 45, 46, 47, 48
  pid / Process: 2176 wscript.exe (all 31 flows)
Executes dropped EXE (4 IoCs)
  pid   Process
  2768  fthost.exe
  2004  Windows Update.exe
  652   cmdc.exe
  1804  cmdc.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js (Process: wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js (Process: wscript.exe)
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 5 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run (Process: wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" (Process: wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (Process: wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" (Process: wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (Process: Windows Update.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 6: ip-api.com
  flow 16: whatismyipaddress.com
Suspicious use of SetThreadContext (2 IoCs)
  PID 2004 set thread context of 1972 (Process: 2004 Windows Update.exe, procid_target 73)
  PID 2004 set thread context of 600 (Process: 2004 Windows Update.exe, procid_target 74)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (4 IoCs)
  pid   Process
  1300  taskkill.exe
  2976  taskkill.exe
  3496  taskkill.exe
  980   taskkill.exe
Script User-Agent (29 IoCs)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flows 8, 10, 11, 12, 15, 20, 22, 23, 25, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42, 43, 44, 45, 46, 47, 48 (28 flows):
    WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands
  HTTP User-Agent header, flow 5:
    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  600   vbc.exe
  600   vbc.exe
  2004  Windows Update.exe
  3952  powershell.exe
  3952  powershell.exe
  3952  powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege  2004  Windows Update.exe
  Token: SeDebugPrivilege  3952  powershell.exe
  Token: SeDebugPrivilege  1300  taskkill.exe
  Token: SeDebugPrivilege  2976  taskkill.exe
  Token: SeDebugPrivilege  3496  taskkill.exe
  Token: SeDebugPrivilege  980   taskkill.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2004  Windows Update.exe
Suspicious use of WriteProcessMemory (50 IoCs)
Identical events are collapsed; the count in parentheses is the number of recorded write events for that source/target pair.
  PID 2176 wscript.exe         wrote to memory of 2768  (x3)  procid_target 71
  PID 2768 fthost.exe          wrote to memory of 2004  (x3)  procid_target 72
  PID 2004 Windows Update.exe  wrote to memory of 1972  (x9)  procid_target 73
  PID 2004 Windows Update.exe  wrote to memory of 600   (x9)  procid_target 74
  PID 2176 wscript.exe         wrote to memory of 3952  (x2)  procid_target 75
  PID 2176 wscript.exe         wrote to memory of 3776  (x2)  procid_target 79
  PID 3776 cmd.exe             wrote to memory of 1300  (x2)  procid_target 81
  PID 2176 wscript.exe         wrote to memory of 2528  (x2)  procid_target 82
  PID 2528 cmd.exe             wrote to memory of 2976  (x2)  procid_target 84
  PID 2176 wscript.exe         wrote to memory of 652   (x3)  procid_target 85
  PID 2176 wscript.exe         wrote to memory of 3956  (x2)  procid_target 87
  PID 2176 wscript.exe         wrote to memory of 1528  (x2)  procid_target 89
  PID 1528 cmd.exe             wrote to memory of 3496  (x2)  procid_target 91
  PID 2176 wscript.exe         wrote to memory of 4004  (x2)  procid_target 92
  PID 4004 cmd.exe             wrote to memory of 980   (x2)  procid_target 94
  PID 2176 wscript.exe         wrote to memory of 1804  (x3)  procid_target 95
Processes
Indentation shows the parent/child relationship; each entry lists the image path, the command line, the PID and the signatures attributed to that process.

C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
  PID: 2176
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fthost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fthost.exe"
    PID: 2768
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Windows Update.exe
      command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      PID: 2004
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        PID: 1972

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        PID: 600
        - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
    PID: 3952
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 3776
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM cmdc.exe
      PID: 1300
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 2528
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM cmdc.exe
      PID: 2976
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\cmdc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
    PID: 652
    - Executes dropped EXE

  C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
    PID: 3956

  C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 1528
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM cmdc.exe
      PID: 3496
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 4004
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM cmdc.exe
      PID: 980
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\cmdc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
    PID: 1804
    - Executes dropped EXE