Analysis
- max time kernel: 160s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08-02-2022 01:27

Static task: static1

Behavioral task: behavioral1
- Sample: YRGH009QA.js
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: YRGH009QA.js
- Resource: win10v2004-en-20220113
General
- Target: YRGH009QA.js
- Size: 13KB
- MD5: 7e4052c4ef66b69ea6567cf9511cddcd
- SHA1: 4d3b046443bbba80244121c7ff44b3c4425292d3
- SHA256: c91b33406d00fdedeebd6ce809a612df96b5cea7835c2c13061498c6960d76e3
- SHA512: 2b0ee57fdd1f77cb54f657fbea8637f040bba3728916f7e376e9f465ecca70e52dc9296c185908b9a37760812f85962b323bfcc7acdb74563cb45b089e8c0f19
Malware Config
Signatures
- Blocklisted process makes network request (12 IoCs)
  Processes: wscript.exe
  flow | pid | process
  38 | 3476 | wscript.exe
  52 | 3476 | wscript.exe
  63 | 3476 | wscript.exe
  66 | 3476 | wscript.exe
  70 | 3476 | wscript.exe
  73 | 3476 | wscript.exe
  78 | 3476 | wscript.exe
  81 | 3476 | wscript.exe
  85 | 3476 | wscript.exe
  86 | 3476 | wscript.exe
  87 | 3476 | wscript.exe
  88 | 3476 | wscript.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | wscript.exe

- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YRGH009QA.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YRGH009QA.js | wscript.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Q0K8KAC1S1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YRGH009QA.js\"" | wscript.exe

- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 3608 | svchost.exe (3 entries, alternating with the next)
  Token: SeCreatePagefilePrivilege | 3608 | svchost.exe (3 entries)
  Token: SeSecurityPrivilege | 3496 | TiWorker.exe
  Token: SeRestorePrivilege | 3496 | TiWorker.exe
  Token: SeBackupPrivilege | 3496 | TiWorker.exe
  The three TiWorker.exe token entries repeat in alternation for the remaining 58 of the 64 IoCs.

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 3476 wrote to memory of 3900 | 3476 | wscript.exe | schtasks.exe
  PID 3476 wrote to memory of 3900 | 3476 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\YRGH009QA.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (depth 2, child of wscript.exe)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\YRGH009QA.js
    - Creates scheduled task(s)
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken