Analysis
- max time kernel: 123s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 09/10/2021, 19:18
Static task: static1

Behavioral task: behavioral1
- Sample: uspstracker.js
- Resource: win7-en-20210920
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: uspstracker.js
- Resource: win10v20210408
- 0 signatures
- 0 seconds
General
- Target: uspstracker.js
- Size: 1.1MB
- MD5: 3151f194fcfe3b210732d3f6bed59cbd
- SHA1: 84d181e892c2c51d29c70daa7f785aa4b9a256bd
- SHA256: 878057fe16a4f4bcdf4e3cf5e28c5e5686da8f24ebb03ced117b34a3f76571aa
- SHA512: 0264ab652876cf84616e713e9e7709679e16a43a9d4d8b2624dc0dfe417eb21925a12f07ef2beff8e712570dc9e5a3777aaf221267abe8e977dde7eb64ac7024
- Score: 10/10
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid  Process
  5     332  wscript.exe
  7     332  wscript.exe
Drops startup file (2 IoCs)
  description  ioc  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uspstracker.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uspstracker.js  wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uspstracker = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\uspstracker.js\""  wscript.exe
  Key created  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\uspstracker = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\uspstracker.js\""  wscript.exe
  Key created  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uspstracker = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\uspstracker.js\""  wscript.exe
  Key created  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\uspstracker = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\uspstracker.js\""  wscript.exe
  Key created  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  wscript.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (5 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8acc2016-04a3-4343-b8e1-1870e35d6a41}\1.0  osk.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8acc2016-04a3-4343-b8e1-1870e35d6a41}\1.0\0  osk.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8acc2016-04a3-4343-b8e1-1870e35d6a41}\1.0\0\win64  osk.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib  osk.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8acc2016-04a3-4343-b8e1-1870e35d6a41}  osk.exe
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
  description  flow  ioc
  HTTP User-Agent header  7  WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/10/2021|JavaScript-v3.4|NL:Netherlands
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2036  osk.exe
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  2036  osk.exe  (the same entry is repeated 24 times)
Suspicious use of SetWindowsHookEx (18 IoCs)
  pid   Process
  2036  osk.exe
  2036  osk.exe
  2036  osk.exe
  2036  osk.exe
  2036  osk.exe
  2036  osk.exe
  2036  osk.exe
  1532  DllHost.exe
  2036  osk.exe
  1532  DllHost.exe
  2036  osk.exe
  1780  DllHost.exe
  2036  osk.exe
  1780  DllHost.exe
  2036  osk.exe
  868   DllHost.exe
  2036  osk.exe
  868   DllHost.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description  pid  Process  procid_target
  PID 1400 wrote to memory of 332   1400  wscript.exe  27
  PID 1400 wrote to memory of 332   1400  wscript.exe  27
  PID 1400 wrote to memory of 332   1400  wscript.exe  27
  PID 1916 wrote to memory of 2036  1916  utilman.exe  35
  PID 1916 wrote to memory of 2036  1916  utilman.exe  35
  PID 1916 wrote to memory of 2036  1916  utilman.exe  35
  PID 1156 wrote to memory of 1580  1156  cmd.exe      41
  PID 1156 wrote to memory of 1580  1156  cmd.exe      41
  PID 1156 wrote to memory of 1580  1156  cmd.exe      41
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\uspstracker.js
  PID: 1400
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uspstracker.js"
    PID: 332
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  PID: 1156
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\system32\cscript.exe
    Command line: cscript uspstracker.js
    PID: 1580

C:\Windows\system32\osk.exe
  Command line: "C:\Windows\system32\osk.exe"
  PID: 1028

C:\Windows\system32\utilman.exe
  Command line: utilman.exe /debug
  PID: 1916
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\System32\osk.exe
    Command line: "C:\Windows\System32\osk.exe"
    PID: 2036
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
  PID: 1532
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
  PID: 1780
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
  PID: 868
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\utilman.exe
  Command line: utilman.exe /debug
  PID: 1132