Analysis

max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2022 08:16

Static task: static1
Behavioral task: behavioral1
  Sample: FCR22001306.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: FCR22001306.js
  Resource: win10v2004-20220812-en

General

Target: FCR22001306.js
Size: 268KB
MD5: d873c25379f94f8a1803f4c968befaf6
SHA1: 13293c020e2eec88e5627a44ec8eafa3b0d0f6ab
SHA256: da581bea8917ae4b052e9978b8264b3257e06d80b2973c29e80cdf216a8640c4
SHA512: d3ee46a7e61496230bb65082b5c07c4641c965ed523471d548bd1694e7df0f8d6c5c851f99dba5a981454224cdeac4ba0f1ed30266d8235d11e111db983be062
SSDEEP: 3072:xGFYHhbq8fCQFiem5yBmExNr2sBB1fbNQnTXFEZhRZfUQ0jShn8nc2KVHybnuRAL:sF8fCQHWsBBJpYEPfM3jY2+4CAU9i
Malware Config

Extracted
Family: wshrat
C2: http://egodds.longmusic.com:2084
Signatures
-
NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients.
  resource                                      yara_rule
  behavioral1/files/0x0003000000020b07-71.dat   MailPassView
  behavioral1/files/0x0003000000020b07-77.dat   MailPassView
-
Nirsoft (2 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x0003000000020b07-71.dat   Nirsoft
  behavioral1/files/0x0003000000020b07-77.dat   Nirsoft
-
Blocklisted process makes network request (24 IoCs)
  pid    Process       flows
  1168   wscript.exe   7, 10, 11, 12, 13, 15, 23, 24, 25, 26, 27, 32, 33, 34, 35, 37, 40, 42, 43
  1360   wscript.exe   8, 18, 22, 30, 39
-
Executes dropped EXE (2 IoCs)
  pid    Process
  1368   cmdc.exe
  2008   cmdc.exe
-
Drops startup file (4 IoCs)
  description                    ioc                                                                                          Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js   wscript.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js   wscript.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js   wscript.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js   wscript.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description   ioc                                                                                                                       Process
  Key opened    \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   cmdc.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Both the per-user and the machine-wide Run key are written; the HKLM write succeeds only because the script is running with administrative rights in this sandbox.
  description       ioc                                                                                                                  Process
  Key created       \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run                 wscript.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\""   wscript.exe
  Key created       \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                           wscript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\""   wscript.exe
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  6      ip-api.com
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour, but for a sample whose extracted config identifies it as WSHRAT, drive enumeration on its own is not evidence of encryption activity, and no file-encryption or ransom-note signatures fired in this run.
-
Kills process with taskkill (3 IoCs)
  pid    Process
  1432   taskkill.exe
  764    taskkill.exe
  868    taskkill.exe
-
Script User-Agent (4 IoCs)
Uses a User-Agent string associated with a script host/environment. Here the string is the WSHRAT check-in beacon: pipe-separated fields carrying the family tag, a hardware id, computer name, user name, OS caption, antivirus status ("nan-av" meaning none detected), a USB-spread flag with the install date, the RAT version and the country, so the header alone fingerprints the infection on a web proxy.
  description: HTTP User-Agent header
  flows: 10, 11, 12, 13
  ioc: WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
-
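The beacon User-Agent is the easiest network indicator to key on. The Python below is an added example, not part of this report or of any sandbox tooling: it splits the WSHRAT string into its fields and scans a few constructed proxy log lines for it. The field names (hardware id, OS, antivirus, USB-spread flag, install date, version, country) are taken from the sample above and public WSHRAT write-ups and are assumptions rather than a specification, as is the proxy log format.

```python
"""Parse the WSHRAT beacon User-Agent and hunt for it in proxy logs.

Added example, not from the sandbox report. Field names after the "WSHRAT"
tag are assumptions based on the sample and public WSHRAT/Houdini analyses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed field layout of the beacon. The eighth field packs the USB-spread
# flag and the install date together, separated by " - ".
FIELD_NAMES = (
    "tag", "hardware_id", "hostname", "username", "os",
    "edition", "antivirus", "usb_and_date", "version", "country",
)


@dataclass
class WshratBeacon:
    hardware_id: str
    hostname: str
    username: str
    os: str
    antivirus: str
    usb_spread: bool
    install_date: str
    version: str
    country: str


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Return a WshratBeacon if ``ua`` matches the WSHRAT layout, else None."""
    parts = ua.split("|")
    if len(parts) != len(FIELD_NAMES) or parts[0] != "WSHRAT":
        return None
    rec = dict(zip(FIELD_NAMES, (p.strip() for p in parts)))
    # The hardware id in the sample is an 8-digit upper-case hex value
    # (assumed to be a volume serial); reject anything else to cut noise.
    if not re.fullmatch(r"[0-9A-F]{8}", rec["hardware_id"]):
        return None
    usb, _, date = rec["usb_and_date"].partition(" - ")
    return WshratBeacon(
        hardware_id=rec["hardware_id"],
        hostname=rec["hostname"],
        username=rec["username"],
        os=rec["os"],
        antivirus=rec["antivirus"],
        usb_spread=(usb.lower() == "true"),
        install_date=date,
        version=rec["version"],
        country=rec["country"],
    )


# Constructed proxy log lines (not from the report): src dst method url "ua".
# Line 2 reuses the beacon from this report; line 3 is a made-up second host.
SAMPLE_LOG = """\
10.0.0.5 93.184.216.34 GET http://example.com/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"
10.0.0.5 ip-api.com GET http://ip-api.com/json "WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands"
10.0.0.7 egodds.longmusic.com POST http://egodds.longmusic.com:2084/ "WSHRAT|1A2B3C4D|WKSTN-07|jsmith|Microsoft Windows 10 Pro |plus|Windows Defender|true - 2/3/2022|JavaScript-v3.4|US:United States"
10.0.0.9 93.184.216.34 GET http://example.com/ "WSHRAT|not-a-beacon"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def find_beacons(log_text: str) -> List[Tuple[str, str, WshratBeacon]]:
    """Scan proxy log text; return (src_ip, dest_host, beacon) per WSHRAT hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst, _method, _url, ua = m.groups()
        beacon = parse_wshrat_ua(ua)
        if beacon is not None:
            hits.append((src, dst, beacon))
    return hits


if __name__ == "__main__":
    for src, dst, b in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: host={b.hostname} user={b.username} "
              f"av={b.antivirus} usb={b.usb_spread} ver={b.version}")
```

Matching on the full field layout rather than on the literal prefix "WSHRAT" keeps the rule precise: the last constructed line carries the tag but not the beacon and is correctly ignored, while the parsed fields (victim host, user, AV status, spreading flag) go straight into the incident record.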
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid    Process
  1460   powershell.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1460   powershell.exe
  Token: SeDebugPrivilege   1432   taskkill.exe
  Token: SeDebugPrivilege   764    taskkill.exe
  Token: SeDebugPrivilege   868    taskkill.exe
-
Suspicious use of WriteProcessMemory (35 IoCs)
Every target below is a direct child of the writing process (compare the process tree), so these writes are consistent with a parent setting up the process it just created rather than with injection into an unrelated process.
  pid    Process       target pid   procid_target   writes
  1168   wscript.exe   1360         27              3
  1168   wscript.exe   1460         34              3
  1168   wscript.exe   1964         36              3
  1964   cmd.exe       1432         38              3
  1168   wscript.exe   1948         39              3
  1948   cmd.exe       764          41              3
  1168   wscript.exe   1368         42              4
  1168   wscript.exe   748          43              3
  748    cmd.exe       868          45              3
  1168   wscript.exe   2008         46              4
  1168   wscript.exe   1692         48              3
-
Processes

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js
  PID: 1168
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"
    PID: 1360
    - Blocklisted process makes network request
    - Drops startup file

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
    PID: 1460
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 1964
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      taskkill /F /IM cmdc.exe
      PID: 1432
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 1948
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      taskkill /F /IM cmdc.exe
      PID: 764
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\cmdc.exe
    "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
    PID: 1368
    - Executes dropped EXE

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 748
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      taskkill /F /IM cmdc.exe
      PID: 868
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\cmdc.exe
    "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
    PID: 2008
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts

  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
    PID: 1692
-
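The tree above is the whole WSHRAT chain in one place: wscript.exe re-launching the dropped script silently (//B) from Roaming, a PowerShell child that enumerates Windows Credential Manager through the WinRT PasswordVault class and writes the retrieved passwords to tmp.txt, the dropped cmdc.exe run with /stext (the switch NirSoft's password recovery tools use to write their results to a text file, consistent with the MailPassView YARA hits above), taskkill to clean up, and a Run key pointing back at the script. The Python below is an added example, not part of the report: it replays that chain as a handful of constructed Sysmon-style ProcessCreate and RegistryValueSet events (field names follow Sysmon's schema; the events, rule names and logic are this example's own) and flags each stage by parent/child relationship and command line rather than by hash, so it still fires on a renamed dropper or a re-obfuscated script.

```python
"""Host-side detector for the WSHRAT execution chain seen in the process tree.

Added example, not from the sandbox report. Events below are constructed to
mirror the tree; field names follow Sysmon EventID 1 (ProcessCreate) and
EventID 13 (RegistryValueSet). Rules and names are this example's own.
"""
import re
from typing import Dict, List

EVENTS: List[Dict[str, str]] = [
    {"type": "ProcessCreate", "pid": "1168", "ppid": "900",
     "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js"},
    {"type": "RegistryValueSet", "pid": "1168",
     "image": r"C:\Windows\system32\wscript.exe",
     "target": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FCR22001306",
     "details": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\FCR22001306.js"'},
    {"type": "ProcessCreate", "pid": "1360", "ppid": "1168",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"'},
    {"type": "ProcessCreate", "pid": "1460", "ppid": "1168",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"'},
    {"type": "ProcessCreate", "pid": "1368", "ppid": "1168",
     "image": r"C:\Users\Admin\AppData\Local\Temp\cmdc.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata'},
    # Benign control (constructed): an admin script run from a normal location.
    {"type": "ProcessCreate", "pid": "2200", "ppid": "900",
     "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Scripts\inventory.js"},
]

# User-writable drop locations used by this sample.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_wshrat_chain(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched rule as {"rule", "pid", "detail"}."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    findings: List[Dict[str, str]] = []
    for e in events:
        if e["type"] == "ProcessCreate":
            parent = by_pid.get(e["ppid"])
            parent_img = _basename(parent["image"]) if parent else ""
            img, cmd = _basename(e["image"]), e["cmd"]
            # Rule 1: script host running a .js silently (//B) from a user-writable dir.
            if (img in SCRIPT_HOSTS and re.search(r"(?i)\s//?B\s", cmd)
                    and USER_WRITABLE.search(cmd)
                    and cmd.lower().rstrip('"').endswith(".js")):
                findings.append({"rule": "wscript_silent_js_appdata",
                                 "pid": e["pid"], "detail": cmd})
            # Rule 2: PowerShell child of a script host dumping the WinRT PasswordVault.
            if (img == "powershell.exe" and parent_img in SCRIPT_HOSTS
                    and "PasswordVault" in cmd):
                findings.append({"rule": "wscript_to_passwordvault_dump",
                                 "pid": e["pid"], "detail": cmd})
            # Rule 3: script host launching an EXE from AppData with NirSoft's /stext switch.
            if (parent_img in SCRIPT_HOSTS and USER_WRITABLE.search(e["image"])
                    and re.search(r"(?i)\s/stext\s", cmd)):
                findings.append({"rule": "wscript_runs_nirsoft_stext",
                                 "pid": e["pid"], "detail": cmd})
        elif e["type"] == "RegistryValueSet":
            # Rule 4: Run-key persistence whose payload is wscript.exe on a .js file.
            if (re.search(r"(?i)\\CurrentVersion\\Run\\", e["target"])
                    and re.search(r"(?i)wscript\.exe.*\.js", e["details"])):
                findings.append({"rule": "runkey_wscript_js",
                                 "pid": e["pid"], "detail": e["details"]})
    return findings


if __name__ == "__main__":
    for f in detect_wshrat_chain(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail'][:80]}")
```

Rules 2 and 3 key on the parent being a script host, which is what separates this chain from an administrator running the same PowerShell or a NirSoft tool interactively; the constructed benign wscript.exe launch from C:\Scripts produces no finding because it is neither silent nor in a user-writable path.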
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 373B
MD5: 70e69155b8080b5db35191ab8426d084
SHA1: 383deaaee90ce71b28b0a6e22124e77aa1cccf8b
SHA256: 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe
SHA512: c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342
-
Filesize: 100KB
MD5: 54e8ded7b148a13d3363ac7b33f6eb06
SHA1: 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256: 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512: bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349
-
Filesize: 100KB (same hashes as the previous entry; the file was dropped twice)
MD5: 54e8ded7b148a13d3363ac7b33f6eb06
SHA1: 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256: 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512: bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349
-
Filesize: 10KB
MD5: 18aa18aca1d624556d87fd1c3c8dfc4a
SHA1: 45509a074cd5f5d11d507a7fe0bcb733f874e90d
SHA256: 27765e27d897d45fb5cc093197a65545ed4a120130e12cc88e70f41e68788036
SHA512: 80e7fcc1551290772a960b76445999f85f5cbef24cf2b860c7d8e0e7ea1a2a284e8b120a203947c2e8f2cdff13193095c00922e6f7e7cc94069e8846bad4554a