Analysis
- max time kernel: 1798s
- max time network: 1793s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04/10/2021, 13:22
Static task: static1

Behavioral task: behavioral1
- Sample: DkAiW.vbs
- Resource: win7-en-20210920
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: DkAiW.vbs
- Resource: win10v20210408
- 0 signatures
- 0 seconds
General
- Target: DkAiW.vbs
- Size: 180KB
- MD5: 4d8f225d32a420d577abb43f11109a4d
- SHA1: f7d8c8bf04aee5d32ea7a935a79a5f87a2913216
- SHA256: 0434bd170395b848da4c6acd9e0a93c32e578bf76357d6e32603f3237a53f4fc
- SHA512: 831fe1f5519b48556c5311f269275a8f6ffa2134807d0cff19b3c728f922f069b883abebcb9a1af5bde8ba4927cdc57474d174876e67ec1b6c99ee227eb525c8
- Score: 10/10
Malware Config
Signatures
- WSHRAT Payload (2 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x00070000000121fe-55.dat  family_wshrat
  behavioral1/files/0x00070000000121fe-57.dat  family_wshrat
- Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  4     2004  wscript.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  - description: Key created
    ioc: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
    Process: wscript.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""
    Process: wscript.exe
  - description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run
    Process: WScript.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""
    Process: WScript.exe
  - description: Key created
    ioc: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
    Process: WScript.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""
    Process: WScript.exe
  - description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run
    Process: wscript.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""
    Process: wscript.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  3     ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   Process
  Token: 33                          1672  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1672  AUDIODG.EXE
  Token: 33                          1672  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1672  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process      procid_target
  PID 1740 wrote to memory of 2004  1740  WScript.exe  27
  PID 1740 wrote to memory of 2004  1740  WScript.exe  27
  PID 1740 wrote to memory of 2004  1740  WScript.exe  27
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DkAiW.vbs"
  PID: 1740
  Signatures:
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkAiW.vbs"
    PID: 2004
    Signatures:
    - Blocklisted process makes network request
    - Adds Run key to start application
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1948
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x458
  PID: 1672
  Signatures:
  - Suspicious use of AdjustPrivilegeToken