Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
21-10-2021 23:17
Static task
static1
Behavioral task
behavioral1
Sample
373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js
Resource
win10-en-20211014
General
-
Target
373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js
-
Size
1.0MB
-
MD5
373f3b4c6384e44a595e9662abbd7978
-
SHA1
7e24b5c89b8bf1667ea460d4f9ba143c8aa42557
-
SHA256
2d9819ba763d5e37c2fa27a4632b1035f26e40e9ab82b3c652b4db7f5575753a
-
SHA512
116bab476eea3e2e1368ef1d662cf64fdb1848b488cd0498ed152b4babd58f9158e8a21260794bc6c7f726452a15797e189f9cfb9613067d2e988387a9c15c2b
Malware Config
Signatures
-
Blocklisted process makes network request 21 IoCs
Processes:
wscript.exeflow pid process 5 552 wscript.exe 7 552 wscript.exe 8 552 wscript.exe 9 552 wscript.exe 11 552 wscript.exe 12 552 wscript.exe 13 552 wscript.exe 15 552 wscript.exe 16 552 wscript.exe 17 552 wscript.exe 19 552 wscript.exe 20 552 wscript.exe 21 552 wscript.exe 23 552 wscript.exe 24 552 wscript.exe 25 552 wscript.exe 27 552 wscript.exe 28 552 wscript.exe 29 552 wscript.exe 31 552 wscript.exe 32 552 wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exewscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js wscript.exe -
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
wscript.exewscript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\373f3b4c6384e44a595e9662abbd7978 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\373f3b4c6384e44a595e9662abbd7978 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\373f3b4c6384e44a595e9662abbd7978 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\373f3b4c6384e44a595e9662abbd7978 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run wscript.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 1092 wrote to memory of 552 1092 wscript.exe wscript.exe PID 1092 wrote to memory of 552 1092 wscript.exe wscript.exe PID 1092 wrote to memory of 552 1092 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.jsMD5
373f3b4c6384e44a595e9662abbd7978
SHA17e24b5c89b8bf1667ea460d4f9ba143c8aa42557
SHA2562d9819ba763d5e37c2fa27a4632b1035f26e40e9ab82b3c652b4db7f5575753a
SHA512116bab476eea3e2e1368ef1d662cf64fdb1848b488cd0498ed152b4babd58f9158e8a21260794bc6c7f726452a15797e189f9cfb9613067d2e988387a9c15c2b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.jsMD5
49eee2725ddb60797545eb33400c73e4
SHA1e5ac02348bc96be7136497267aff15293a57d7d7
SHA2568dff29aed258abb50c17120e7f57de23237c438bf16b65248168a0dc39bbe8b3
SHA512e677d658bd04e3468c90224a64746236f0e26466745e2bf52fb18b4a79c777c4553dffcb5039f84aa8d4a4a856de82a39ccdfc29f925149ab0eaa5ab9cac53db
-
memory/552-54-0x0000000000000000-mapping.dmp