Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
16-03-2021 19:06
Static task
static1
Behavioral task
behavioral1
Sample
f94bfce5384f10201df977d67ea6c5d1.js
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
f94bfce5384f10201df977d67ea6c5d1.js
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
f94bfce5384f10201df977d67ea6c5d1.js
-
Size
179KB
-
MD5
f94bfce5384f10201df977d67ea6c5d1
-
SHA1
fb5f56e7e554d466b6ca7264c2748826daac8cc7
-
SHA256
ba25eeb1352d5aab2e09eaa942324510ecd964671e7def1e158c3a543534ca1b
-
SHA512
492e18b7a219734a9564bd330f5350582bd3c01d72ce0eb491343777d32dec5162c6deaf2c97ee6d6f68e1e2a025182dc20312fc4fe7c1024e0970ab1056ef65
Score
10/10
Malware Config
Signatures
-
WSHRAT Payload 2 IoCs
resource yara_rule behavioral1/files/0x00040000000130f5-3.dat family_wshrat behavioral1/files/0x00040000000130f6-4.dat family_wshrat -
Blocklisted process makes network request 37 IoCs
flow pid Process 5 1264 wscript.exe 6 1264 wscript.exe 7 1264 wscript.exe 8 1264 wscript.exe 9 1264 wscript.exe 10 1264 wscript.exe 11 1264 wscript.exe 13 1264 wscript.exe 14 1264 wscript.exe 15 1264 wscript.exe 16 1264 wscript.exe 17 1264 wscript.exe 18 1264 wscript.exe 20 1264 wscript.exe 21 1264 wscript.exe 22 1264 wscript.exe 23 1264 wscript.exe 24 1264 wscript.exe 25 1264 wscript.exe 27 1264 wscript.exe 28 1264 wscript.exe 29 1264 wscript.exe 30 1264 wscript.exe 31 1264 wscript.exe 32 1264 wscript.exe 34 1264 wscript.exe 35 1264 wscript.exe 36 1264 wscript.exe 37 1264 wscript.exe 38 1264 wscript.exe 39 1264 wscript.exe 41 1264 wscript.exe 42 1264 wscript.exe 43 1264 wscript.exe 44 1264 wscript.exe 45 1264 wscript.exe 46 1264 wscript.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f94bfce5384f10201df977d67ea6c5d1.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f94bfce5384f10201df977d67ea6c5d1.js wscript.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f94bfce5384f10201df977d67ea6c5d1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\f94bfce5384f10201df977d67ea6c5d1.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\f94bfce5384f10201df977d67ea6c5d1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\f94bfce5384f10201df977d67ea6c5d1.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f94bfce5384f10201df977d67ea6c5d1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\f94bfce5384f10201df977d67ea6c5d1.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\f94bfce5384f10201df977d67ea6c5d1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\f94bfce5384f10201df977d67ea6c5d1.js\"" wscript.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1880 wrote to memory of 1264 1880 wscript.exe 26 PID 1880 wrote to memory of 1264 1880 wscript.exe 26 PID 1880 wrote to memory of 1264 1880 wscript.exe 26
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\f94bfce5384f10201df977d67ea6c5d1.js1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\f94bfce5384f10201df977d67ea6c5d1.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1264
-