Analysis
max time kernel: 129s
max time network: 109s
platform: windows7_x64
resource: win7v20210408
submitted: 01/10/2021, 11:09
Static task: static1
Behavioral task: behavioral1
  Sample: Scan0032.js
  Resource: win7v20210408
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Scan0032.js
  Resource: win10v20210408
  0 signatures, 0 seconds
General
Target: Scan0032.js
Size: 1.1MB
MD5: 126c1417ab24cd6b4bf8889a5254ae18
SHA1: b9465bbe07f047f063f8e2a2e3dba87181fceac6
SHA256: bd1b9e3102b57857d294df0339682f25e2ccb17d0665c77dfefe6565a68f85ff
SHA512: bca88a55671be0e903f9ddaa9002dc37ba0c97f7c15431f09069c3740c41e5702fafa900bdaf0a0d436fc6bd50c669e4a22a70ac28b909ddc98726da24959a55
Score: 10/10
Malware Config
Signatures
Blocklisted process makes network request (7 IoCs)
  flow  pid   Process
  2     1804  wscript.exe
  6     1804  wscript.exe
  7     1804  wscript.exe
  10    1804  wscript.exe
  11    1804  wscript.exe
  12    1804  wscript.exe
  14    1804  wscript.exe
Drops startup file (2 IoCs)
  description                   ioc                                                                                    Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0032.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0032.js  wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                                         Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0032 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan0032.js\""        wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run                                                 wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan0032 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan0032.js\""  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                             wscript.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this report the sample is identified as WSHRAT by its beacon User-Agent, so the drive enumeration should be read in that context rather than as evidence of ransomware.
Script User-Agent (5 IoCs)
  Uses a user-agent string associated with a script host/environment. Flow 2 carries the default User-Agent of the WinHttp.WinHttpRequest.5 COM object, which is what a WSH script gets when it does not set its own; flows 7, 10, 11 and 12 carry a pipe-delimited WSHRAT beacon string that embeds the victim's hostname, username, OS, the RAT version (JavaScript-v3.4) and the geolocated country.
  flow  HTTP User-Agent header
  2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  7     WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
  10    WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
  11    WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
  12    WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
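The signatures above yield three concrete, host-independent indicators: the pipe-delimited WSHRAT beacon User-Agent, a Run value that starts wscript.exe //B on a script in the user's Temp folder, and a .js dropped into the per-user Startup folder. The following Python is an added example, not part of the sandbox report and not code from the sample, that turns those three indicators into detection logic and runs it over constructed telemetry. The field names assigned to the User-Agent segments are inferred from the values shown in the report and are assumptions; the registry value names and the benign entries in the sample data are constructed for contrast.

```python
import re

# Field layout inferred from the pipe-delimited beacon User-Agent shown in
# this report; the field names are this example's own labels (assumed), not
# WSHRAT documentation.
WSHRAT_FIELDS = (
    "marker", "victim_id", "hostname", "user", "os",
    "flag", "antivirus", "usb_and_date", "version", "country",
)

# wscript/cscript launching a script file, optionally with //B-style switches.
WSH_RUN_RE = re.compile(
    r'(?i)(?:^|\\|")(?:wscript|cscript)(?:\.exe)?"?\s+'
    r'(?P<switches>(?://\S+\s+)*)'
    r'"?(?P<script>[^"]+?\.(?:jse|js|vbe|vbs|wsf))(?=["\s]|$)'
)
# Directories an unprivileged user can write to, where a dropped script lives.
USER_WRITABLE_RE = re.compile(r'(?i)\\(?:AppData|Temp|Public|ProgramData)\\')
# A script file written into the per-user Startup folder.
STARTUP_SCRIPT_RE = re.compile(
    r'(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:jse|js|vbe|vbs|wsf)$'
)


def parse_wshrat_ua(user_agent):
    """Return the beacon fields as a dict, or None if this is not a WSHRAT UA."""
    parts = user_agent.split("|")
    if len(parts) != len(WSHRAT_FIELDS) or parts[0] != "WSHRAT":
        return None
    return {name: value.strip() for name, value in zip(WSHRAT_FIELDS, parts)}


def parse_run_value(value_name, command):
    """Parse a Run-key command; return details if it launches a WSH script."""
    m = WSH_RUN_RE.search(command)
    if not m:
        return None
    script = m.group("script")
    return {
        "value_name": value_name,
        "script": script,
        "batch_mode": "//b" in m.group("switches").lower(),   # //B hides errors/prompts
        "user_writable": bool(USER_WRITABLE_RE.search(script)),
    }


def is_startup_script(path):
    return STARTUP_SCRIPT_RE.search(path) is not None


def triage(user_agents, run_values, file_paths):
    """Run all three checks and return (kind, detail) findings in input order."""
    findings = []
    for ua in user_agents:
        fields = parse_wshrat_ua(ua)
        if fields:
            detail = f"{fields['hostname']}/{fields['user']} {fields['version']} {fields['country']}"
            findings.append(("wshrat_beacon", detail))
    for name, cmd in run_values:
        hit = parse_run_value(name, cmd)
        if hit and (hit["batch_mode"] or hit["user_writable"]):
            findings.append(("wsh_run_key", hit["script"]))
    for path in file_paths:
        if is_startup_script(path):
            findings.append(("startup_script", path))
    return findings


# Constructed sample telemetry modelled on the IoCs in this report, with one
# benign entry of each kind added for contrast (registry value names are
# abbreviated and the OneDrive entry is constructed).
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
    "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands",
]
SAMPLE_RUN_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0032",
     r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\Scan0032.js"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FILE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0032.js",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_USER_AGENTS, SAMPLE_RUN_VALUES, SAMPLE_FILE_PATHS):
        print(f"{kind:15} {detail}")
```

The Run-key check deliberately fires on either the //B batch switch or a script path under a user-writable directory, since either alone is a strong signal for a WSH-based implant; the default WinHttpRequest User-Agent in flow 2 is not flagged on its own because legitimate scripts produce it too.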