Analysis
- max time kernel: 166s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 07-02-2022 16:50
Tasks
- Static task: static1
- Behavioral tasks:

| Task        | Sample       | Resource               |
|-------------|--------------|------------------------|
| behavioral1 | RTK009ENF.js | win7-en-20211208       |
| behavioral2 | RTK009ENF.js | win10v2004-en-20220112 |
| behavioral3 | YRGH009QA.js | win7-en-20211208       |
| behavioral4 | YRGH009QA.js | win10v2004-en-20220113 |
General
- Target: YRGH009QA.js
- Size: 13KB
- MD5: 7e4052c4ef66b69ea6567cf9511cddcd
- SHA1: 4d3b046443bbba80244121c7ff44b3c4425292d3
- SHA256: c91b33406d00fdedeebd6ce809a612df96b5cea7835c2c13061498c6960d76e3
- SHA512: 2b0ee57fdd1f77cb54f657fbea8637f040bba3728916f7e376e9f465ecca70e52dc9296c185908b9a37760812f85962b323bfcc7acdb74563cb45b089e8c0f19
Malware Config
Signatures

Blocklisted process makes network request (14 IoCs)
Processes: wscript.exe (PID 3332)

| Flow | PID  | Process     |
|------|------|-------------|
| 24, 34, 43, 44, 45, 50, 51, 52, 53, 54, 55, 59, 60, 61 | 3332 | wscript.exe |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe

| Description       | IoC | Process     |
|-------------------|-----|-------------|
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | wscript.exe |
Drops startup file (2 IoCs)
Processes: wscript.exe

| Description                  | IoC | Process     |
|------------------------------|-----|-------------|
| File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YRGH009QA.js | wscript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YRGH009QA.js | wscript.exe |
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe

| Description     | IoC | Process     |
|-----------------|-----|-------------|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Q0K8KAC1S1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YRGH009QA.js\"" | wscript.exe |
| Key created     | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe |
Drops file in Windows directory (8 IoCs)
Processes: TiWorker.exe, svchost.exe

| Description                  | IoC | Process      |
|------------------------------|-----|--------------|
| File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe |
| File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe  |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe  |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: wscript.exe

| Description                  | PID  | Process     | Target process |
|------------------------------|------|-------------|----------------|
| PID 3332 wrote to memory of 1864 | 3332 | wscript.exe | schtasks.exe |
| PID 3332 wrote to memory of 1864 | 3332 | wscript.exe | schtasks.exe |
Processes
- C:\Windows\system32\wscript.exe (PID 3332)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\YRGH009QA.js
  Signatures:
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 1864, child of PID 3332)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\YRGH009QA.js
    Signatures:
    - Creates scheduled task(s)
- C:\Windows\system32\svchost.exe (PID 1908)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4136)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken