Analysis
  max time kernel:   157s
  max time network:  156s
  platform:          windows7_x64
  resource:          win7-en-20210920
  submitted:         27/09/2021, 08:03
Static task: static1
Behavioral task: behavioral1
  Sample:   #RS00HNAWZ1.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample:   #RS00HNAWZ1.js
  Resource: win10v20210408
General
  Target: #RS00HNAWZ1.js
  Size:   6KB
  MD5:    63166917fe9a799888f57c5d5e687170
  SHA1:   00ac624acb5674ccd82c15370b1295c270d4e1ec
  SHA256: c6dd7fd1f49c9bfdba8c03b92d856a086c4ba218a204daa35ebaee0a91ab6a9d
  SHA512: 6cdabe9785bcc8efe34468a1260454f096589c400f743809df9da450a77f3bd96a10cca0021f1b04b8150855e0e1f9a639b31e8ace41d66e26c23d2e7e68cc84
Malware Config
Signatures
  suricata: ET MALWARE WSHRAT CnC Checkin
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request (21 IoCs)
  flow  pid   Process
  4     1464  wscript.exe
  7     1692  wscript.exe
  9     1692  wscript.exe
  10    1692  wscript.exe
  11    1692  wscript.exe
  13    1692  wscript.exe
  14    1692  wscript.exe
  15    1692  wscript.exe
  17    1692  wscript.exe
  18    1692  wscript.exe
  19    1692  wscript.exe
  21    392   wscript.exe
  22    392   wscript.exe
  24    1692  wscript.exe
  26    392   wscript.exe
  27    1692  wscript.exe
  29    392   wscript.exe
  31    1692  wscript.exe
  33    392   wscript.exe
  35    1692  wscript.exe
  38    1692  wscript.exe
Drops startup file (6 IoCs)
  description                   Process      ioc
  File opened for modification  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S55OMESZ0S.js
  File created                  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#RS00HNAWZ1.js
  File opened for modification  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#RS00HNAWZ1.js
  File created                  WScript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L52ZDTVG87.js
  File opened for modification  wscript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L52ZDTVG87.js
  File created                  WScript.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S55OMESZ0S.js
Adds Run key to start application (2 TTPs, 18 IoCs)
  description      Process      ioc
  Set value (str)  wscript.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\""
  Key created      wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Key created      wscript.exe  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
  Set value (str)  wscript.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L52ZDTVG87 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\L52ZDTVG87.js\""
  Key created      WScript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run
  Set value (str)  WScript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L52ZDTVG87 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\L52ZDTVG87.js\""
  Key created      wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run
  Key created      WScript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run
  Set value (str)  WScript.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L52ZDTVG87 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\L52ZDTVG87.js\""
  Set value (str)  wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\""
  Set value (str)  WScript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\""
  Key created      WScript.exe  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
  Set value (str)  WScript.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\S55OMESZ0S = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\S55OMESZ0S.js\""
  Key created      wscript.exe  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
  Set value (str)  wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\G3VX00GAKU = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\#RS00HNAWZ1.js\""
  Key created      WScript.exe  \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
  Key created      wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run
  Set value (str)  wscript.exe  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L52ZDTVG87 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\L52ZDTVG87.js\""
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1300  schtasks.exe
Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  33    WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/9/2021|JavaScript-v3.4|NL:Netherlands
Suspicious use of WriteProcessMemory (15 IoCs)
  description                      pid   Process      procid_target
  PID 1464 wrote to memory of 1300 1464  wscript.exe  28
  PID 1464 wrote to memory of 1300 1464  wscript.exe  28
  PID 1464 wrote to memory of 1300 1464  wscript.exe  28
  PID 1464 wrote to memory of 1160 1464  wscript.exe  34
  PID 1464 wrote to memory of 1160 1464  wscript.exe  34
  PID 1464 wrote to memory of 1160 1464  wscript.exe  34
  PID 1160 wrote to memory of 1692 1160  WScript.exe  35
  PID 1160 wrote to memory of 1692 1160  WScript.exe  35
  PID 1160 wrote to memory of 1692 1160  WScript.exe  35
  PID 1464 wrote to memory of 1500 1464  wscript.exe  39
  PID 1464 wrote to memory of 1500 1464  wscript.exe  39
  PID 1464 wrote to memory of 1500 1464  wscript.exe  39
  PID 1500 wrote to memory of 392  1500  WScript.exe  40
  PID 1500 wrote to memory of 392  1500  WScript.exe  40
  PID 1500 wrote to memory of 392  1500  WScript.exe  40
Processes
  C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1464

    C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\#RS00HNAWZ1.js
      - Creates scheduled task(s)
      PID: 1300

    C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\L52ZDTVG87.js"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1160

      C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\L52ZDTVG87.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
        PID: 1692

    C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\S55OMESZ0S.js"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1500

      C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\S55OMESZ0S.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
        PID: 392