Analysis

max time kernel: 1796s
max time network: 1798s
platform: windows10_x64
resource: win10v20210408
submitted: 04/10/2021, 13:22

Static task: static1

Behavioral task: behavioral1
  Sample: DkAiW.vbs
  Resource: win7-en-20210920
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: DkAiW.vbs
  Resource: win10v20210408
  0 signatures, 0 seconds
General

Target: DkAiW.vbs
Size: 180KB
MD5: 4d8f225d32a420d577abb43f11109a4d
SHA1: f7d8c8bf04aee5d32ea7a935a79a5f87a2913216
SHA256: 0434bd170395b848da4c6acd9e0a93c32e578bf76357d6e32603f3237a53f4fc
SHA512: 831fe1f5519b48556c5311f269275a8f6ffa2134807d0cff19b3c728f922f069b883abebcb9a1af5bde8ba4927cdc57474d174876e67ec1b6c99ee227eb525c8
Score: 10/10
Malware Config
Signatures
WSHRAT Payload (1 IoC)
  resource: behavioral2/files/0x000200000001ab3f-115.dat
  yara_rule: family_wshrat
Blocklisted process makes network request (1 IoC)
  flow: 2  pid: 1004  process: wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
  Both stages (WScript.exe, PID 636, and wscript.exe, PID 1004) write the same autostart value, once under the machine-wide Run key and once under the user's Run key:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""  (wscript.exe)
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run  (WScript.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""  (WScript.exe)
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  (WScript.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""  (WScript.exe)
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run  (wscript.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\""  (wscript.exe)
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  (wscript.exe)
  Note: the sandbox runs the sample as Admin, so the \REGISTRY\MACHINE (HKLM) write succeeds; on a standard-user host only the per-user (HKCU) entry lands. The value relaunches the copy dropped in %APPDATA% with //B (batch mode), which suppresses script error dialogs and prompts, so a failing script does not alert the user.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 1  ioc: ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but nothing else in this report (no file encryption, no dropped notes) supports that, and the YARA match is family_wshrat, a remote-access trojan. Read the drive enumeration as a RAT indicator (checking for attached and removable media) rather than a ransomware one; the report does not show what the script does with the drives it finds.
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 636 (WScript.exe) wrote to memory of PID 1004 (procid_target 68)
  PID 636 (WScript.exe) wrote to memory of PID 1004 (procid_target 68)
  Note: both entries record the parent (first-stage WScript.exe) writing into the child it spawned. A parent writing into a freshly created child is part of normal process creation, so this signature alone is not evidence of injection here; the relevant finding is the script-host-to-script-host relaunch chain shown under Processes.
Processes

1. Image: C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DkAiW.vbs"
   PID: 636
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. Image: C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkAiW.vbs"
      PID: 1004 (parent: 636)
      - Blocklisted process makes network request
      - Adds Run key to start application

The submitted file runs first from %TEMP%, and the second stage is a copy in %APPDATA% started with //B; it is the second stage that performs the network request (flow 2).
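The two behaviours this report records, a Run-key value that starts a script host against a script in a user-writable profile directory, and a script host whose parent is another script host running a different copy of the script, can be checked mechanically. The following is an added example written for this page, not code from the sandbox vendor or from the sample: the registry values and process tuples are constructed from the IoCs above, the SecurityHealth entry is a hypothetical benign value included for contrast, and the SCRIPT_HOSTS list (which adds mshta.exe beyond what the report shows) and the user-writable path pattern are the author's assumptions.

```python
"""Triage helper for the DkAiW.vbs report (added example, not part of the report)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the script hosts worth flagging; mshta.exe goes beyond the report.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta)\b", re.I)
# Assumption: profile directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
BATCH_FLAG = re.compile(r"(?<!\S)//B(?!\S)", re.I)

# Constructed input: the report's "Set value" IoCs plus one hypothetical benign entry.
RUN_VALUES = {
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW":
        r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\DkAiW.vbs"',
    r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW":
        r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\DkAiW.vbs"',
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\system32\SecurityHealthSystray.exe",  # hypothetical benign value
}

# Constructed input: (pid, ppid, image, command line) from the Processes section.
PROCESSES = [
    (636, None, r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DkAiW.vbs"'),
    (1004, 636, r"C:\Windows\System32\wscript.exe",
     r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkAiW.vbs"'),
]


@dataclass
class Finding:
    key: str
    value: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_path(cmd: str) -> Optional[str]:
    """First quoted or bare command-line token that names a script file, lower-cased."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmd):
        tok = quoted or bare
        if SCRIPT_EXT.search(tok):
            return tok.lower()
    return None


def check_run_value(key: str, value: str) -> Optional[Finding]:
    """Return a Finding when the Run value starts a script host; None otherwise."""
    exe = basename(value.strip().split()[0].strip('"'))
    if exe not in SCRIPT_HOSTS:
        return None
    finding = Finding(key, value, [f"script host {exe} in Run value"])
    if BATCH_FLAG.search(value):
        finding.reasons.append("//B batch mode suppresses script errors and prompts")
    if SCRIPT_EXT.search(value) and USER_WRITABLE.search(value):
        finding.reasons.append("script lives in a user-writable profile directory")
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        finding.reasons.append("machine-wide Run key (write needs admin)")
    return finding


def script_host_relaunch(procs):
    """(ppid, pid, parent_script, child_script) for script host -> script host
    chains where the child runs a different script file than its parent."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmd in procs:
        parent = by_pid.get(ppid)
        if parent is None or basename(image) not in SCRIPT_HOSTS:
            continue
        if basename(parent[2]) not in SCRIPT_HOSTS:
            continue
        child_s, parent_s = script_path(cmd), script_path(parent[3])
        if child_s and parent_s and child_s != parent_s:
            hits.append((ppid, pid, parent_s, child_s))
    return hits


def triage(run_values, procs):
    findings = [f for f in (check_run_value(k, v) for k, v in run_values.items()) if f]
    return {"run_key_findings": findings, "relaunch_chains": script_host_relaunch(procs)}


if __name__ == "__main__":
    result = triage(RUN_VALUES, PROCESSES)
    for f in result["run_key_findings"]:
        print(f.key, "->", "; ".join(f.reasons))
    for chain in result["relaunch_chains"]:
        print("relaunch chain:", chain)
```

On the report's data, triage() returns two Run-key findings (the HKLM one carries the extra "write needs admin" reason, which is why the same value does not land machine-wide on a standard-user host) and one relaunch chain, 636 -> 1004, from the %TEMP% copy to the %APPDATA% copy. The same functions run unchanged over Run values read with winreg or over process records exported from Sysmon event ID 1, which is where they are actually useful.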