Overview

overview

8

Static

static

373f3b4c63...ect.js

windows7_x64

8

373f3b4c63...ect.js

windows10_x64

8

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 23:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js

  • Size

    1.0MB

  • MD5

    373f3b4c6384e44a595e9662abbd7978

  • SHA1

    7e24b5c89b8bf1667ea460d4f9ba143c8aa42557

  • SHA256

    2d9819ba763d5e37c2fa27a4632b1035f26e40e9ab82b3c652b4db7f5575753a

  • SHA512

    116bab476eea3e2e1368ef1d662cf64fdb1848b488cd0498ed152b4babd58f9158e8a21260794bc6c7f726452a15797e189f9cfb9613067d2e988387a9c15c2b

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 21 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js
    MD5

    373f3b4c6384e44a595e9662abbd7978

    SHA1

    7e24b5c89b8bf1667ea460d4f9ba143c8aa42557

    SHA256

    2d9819ba763d5e37c2fa27a4632b1035f26e40e9ab82b3c652b4db7f5575753a

    SHA512

    116bab476eea3e2e1368ef1d662cf64fdb1848b488cd0498ed152b4babd58f9158e8a21260794bc6c7f726452a15797e189f9cfb9613067d2e988387a9c15c2b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\373f3b4c6384e44a595e9662abbd7978.7e24b5c89b8bf1667ea460d4f9ba143c8aa42557.primary_analysis_subject.js
    MD5

    49eee2725ddb60797545eb33400c73e4

    SHA1

    e5ac02348bc96be7136497267aff15293a57d7d7

    SHA256

    8dff29aed258abb50c17120e7f57de23237c438bf16b65248168a0dc39bbe8b3

    SHA512

    e677d658bd04e3468c90224a64746236f0e26466745e2bf52fb18b4a79c777c4553dffcb5039f84aa8d4a4a856de82a39ccdfc29f925149ab0eaa5ab9cac53db

    Download Submit
  • memory/552-54-0x0000000000000000-mapping.dmp
    Download