Analysis

max time kernel: 147s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 04/10/2021, 14:27

Static task: static1
Behavioral task: behavioral1, Sample PO50029310.js, Resource win7-en-20210920
Behavioral task: behavioral2, Sample PO50029310.js, Resource win10v20210408

The signatures and IoCs below come from the behavioral2 run on win10v20210408: the analysis header names that resource, and the check-in user-agent recorded later in the report identifies the host as Microsoft Windows 10 Enterprise.
General

Target: PO50029310.js
Size: 1012KB
MD5: 9942f5e63c2e6084f444410558ce4ee1
SHA1: 1a0e7f8746755d7e155eea004f3441b34d08563b
SHA256: d385dde374b8858e48a85353d81ab03b988901aa49c27bdff815f116fe7742ef
SHA512: 83ce45e658a6c6edb63d4660b20d732f52c6e4cfe49a97368e5ef3cb707a78b40273b52debd049041a764057d1619e74ebaa06e32a768f550f7c821dd1648e49
Malware Config
Signatures

suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

Both Emerging Threats rules fire on the same check-in traffic: WSHRAT is the JScript port of the Houdini/H-Worm (Dunihi) VBScript worm and keeps its beacon format, so the two alerts corroborate one family rather than indicating two separate infections.
Blocklisted process makes network request (33 IoCs)

Every one of the 33 flows originates from the same process, pid 4060 (wscript.exe): flows 3, 5, 7, 9, 10, 11, 12, 13, 15, 16, 17, 20, 24, 28, 29, 30, 31, 32, 33, 34, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49.

Analyst note. A single wscript.exe process generating dozens of outbound HTTP requests is itself the actionable observation: the Windows Script Host rarely needs network access in normal use, so wscript.exe or cscript.exe as the initiating process of HTTP traffic is a useful hunting pivot independent of any particular C2 address.
Drops startup file (2 IoCs)

description                   ioc                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO50029310.js   wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO50029310.js   wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)

description      ioc                                                                                                                                                                        Process
Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run                                                                wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO50029310 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO50029310.js\""   wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                             wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO50029310 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO50029310.js\""                  wscript.exe

Analyst note. Both the per-user (HKCU) and the machine-wide (HKLM) Run keys receive a value named PO50029310 whose unescaped data is wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\PO50029310.js". The HKLM write requires administrative rights, which the sandbox evidently grants; on a standard user account that write fails and only the HKCU value and the Startup-folder copy remain. The //B switch runs the Windows Script Host in batch mode, suppressing script error dialogs and input prompts, so a failing script never alerts the user. Together with the Startup-folder drop this gives three independent autostart paths, and cleanup must remove all of them.
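The Run-key values and the Startup-folder drop are the persistence a responder would hunt for across a fleet. The following Python is an added example, not code from the sandbox report or from the sample: it classifies registry value-set and file-create records for Windows Script Host autostart entries. The record layout (a dict mimicking Sysmon Event ID 13 fields `key`/`data` and Event ID 11 field `path`) and the sample records are constructed for the example; the malicious records reuse the paths, key names and value data reported above, and two benign records show what is not flagged.

```python
"""Hunt for Windows Script Host autostart persistence (Run keys, Startup folder).

Added example; not code from the sandbox report or from the sample.
Assumption: each record is a dict mimicking Sysmon Event ID 13 (RegistryEvent
Value Set: "key", "data") or Event ID 11 (FileCreate: "path"). Sample records
are constructed; the malicious ones use the values the report lists.
"""
import re
from typing import Optional

SCRIPT_EXT = r"(?:js|jse|vbs|vbe|wsf)"

# wscript.exe / cscript.exe, optional host switches (//B, //Nologo, ...), then a script path.
SCRIPT_HOST_RE = re.compile(
    r'(?:^|\\)[wc]script(?:\.exe)?"?\s+(?P<flags>(?://?\w+\s+)*)"?(?P<script>[^"]+?\.' + SCRIPT_EXT + r')"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\." + SCRIPT_EXT + r"$", re.IGNORECASE)
# Locations a standard user can write to; a script autostarting from here is far more suspect.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\(?:Local|Roaming|LocalLow)|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)


def assess_run_value(key: str, data: str) -> Optional[dict]:
    """Return a finding if a Run/RunOnce value launches a script through the script host."""
    if not RUN_KEY_RE.search(key):
        return None
    m = SCRIPT_HOST_RE.search(data)
    if not m:
        return None
    script = m.group("script")
    return {
        "scope": "machine" if key.upper().startswith(("HKLM", "\\REGISTRY\\MACHINE")) else "user",
        "script": script,
        # //B (batch mode) suppresses script error dialogs and input prompts.
        "batch_mode": re.search(r"//?B\b", m.group("flags"), re.IGNORECASE) is not None,
        "user_writable": USER_WRITABLE_RE.search(script) is not None,
    }


def assess_startup_file(path: str) -> Optional[dict]:
    """Return a finding if a script file is created in a Startup folder."""
    if not STARTUP_DIR_RE.search(path):
        return None
    return {
        "scope": "machine" if "\\PROGRAMDATA\\" in path.upper() else "user",
        "script": path,
        "batch_mode": False,
        "user_writable": True,
    }


SAMPLE_EVENTS = [  # constructed records
    {"event": 13,
     "key": r"HKU\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO50029310",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\PO50029310.js"'},
    {"event": 13,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO50029310",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\PO50029310.js"'},
    {"event": 13,  # benign: native binary, no script host
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"event": 11,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO50029310.js"},
    {"event": 11,  # benign: ordinary document
     "path": r"C:\Users\Admin\Documents\notes.txt"},
]


def hunt(events) -> list:
    """Run both assessments over a list of records and return the findings in order."""
    findings = []
    for ev in events:
        if ev["event"] == 13:
            f = assess_run_value(ev["key"], ev["data"])
        elif ev["event"] == 11:
            f = assess_startup_file(ev["path"])
        else:
            f = None
        if f is not None:
            f["event"] = ev["event"]
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The two malicious Run values and the Startup-folder drop are reported with their scope (user vs machine), whether batch mode was requested, and whether the script lives in a user-writable location; the native-binary Run value and the document are ignored. Matching on the script host plus a script extension rather than on the file name PO50029310.js keeps the logic useful when the next sample is renamed.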
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow  ioc
8     ip-api.com

Analyst note. Flow 8 precedes the first WSHRAT check-in (flow 10), and the NL:Netherlands tail of the check-in user-agent is consistent with the geolocation ip-api.com returns for the sandbox's egress address. ip-api.com is used by plenty of legitimate software as well, so treat it as corroborating context rather than a standalone indicator.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Analyst note. The "likely ransomware" gloss is the sandbox's generic description for this signature and does not fit this sample: no encryption or ransom-note activity appears anywhere in this report. Given the Worm.VBS Dunihi/Houdini/H-Worm signature and the USB-spread status field carried in the check-in user-agent, drive enumeration here is better explained by the removable-drive propagation characteristic of this family.
Script User-Agent (30 IoCs)
Uses user-agent string associated with script host/environment.

description             flow                                                                                                                                  ioc
HTTP User-Agent header  3                                                                                                                                     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  10, 11, 12, 13, 15, 16, 17, 20, 24, 28, 29, 30, 31, 32, 33, 34, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49 (29 flows, identical value)   WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 4/10/2021|JavaScript-v3.4|NL:Netherlands

Analyst note. Flow 3 carries the default User-Agent of the WinHttp.WinHttpRequest COM object that script-host malware commonly calls; on its own it is a weak signal, because legitimate scripts use the same object. The other 29 flows carry the WSHRAT check-in, which follows the Houdini/H-Worm beacon layout this family inherits, with the victim profile pipe-delimited in the User-Agent header (field meanings are an analyst interpretation): marker (WSHRAT), hardware identifier (3ED10BF6), computer name (GFBFPSXA), user (Admin), OS caption (Microsoft Windows 10 Enterprise), the literal plus, installed antivirus (nan-av meaning none found), USB-spread status (false) followed by a date (4/10/2021, matching the submission date), implant version (JavaScript-v3.4) and country (NL:Netherlands, consistent with the ip-api.com lookup in flow 8). Everything after the marker is host-specific, so a detection should key on the WSHRAT| prefix and the field structure rather than on the full string.
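To turn the check-in user-agent into a detection, the following Python is an added example, not code from the sandbox report or from the sample: it parses the pipe-delimited WSHRAT beacon into fields and triages constructed proxy log lines, giving the bare WinHttpRequest user-agent a low severity and a decoded check-in a high one. The log line format (`<flow> <host> <user-agent>`), the placeholder C2 host 203.0.113.10 and the field names are assumptions; the field order follows the Houdini/H-Worm check-in layout that WSHRAT inherits, which is an analyst interpretation rather than something the report states.

```python
"""Parse and triage WSHRAT check-in User-Agent headers in proxy logs.

Added example; not code from the sandbox report or from the sample.
Assumptions: log lines are "<flow> <host> <user-agent>", the C2 host
203.0.113.10 is a placeholder, and the field names follow the
Houdini/H-Worm check-in layout that WSHRAT inherits (analyst interpretation).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default User-Agent of the WinHttp.WinHttpRequest COM object: a weak, script-host signal.
WINHTTP_UA_RE = re.compile(r"WinHttp\.WinHttpRequest\.\d+")


@dataclass
class WshratCheckin:
    hwid: str          # hardware/volume-derived identifier
    hostname: str
    user: str
    os: str
    antivirus: str     # "nan-av" when the implant found no AV product
    usb_spread: bool   # whether the worm has copied itself to a removable drive
    install_date: str
    version: str       # implant build tag, e.g. JavaScript-v3.4
    country: str       # "CC:Name", from an external IP lookup

    @property
    def has_av(self) -> bool:
        return self.antivirus.lower() != "nan-av"


def parse_wshrat_ua(ua: str) -> Optional[WshratCheckin]:
    """Return the decoded beacon, or None if the header is not a WSHRAT check-in.

    Layout (10 pipe-separated fields):
    WSHRAT|hwid|host|user|os|plus|av|usb - date|version|country
    """
    parts = ua.split("|")
    if len(parts) != 10 or parts[0] != "WSHRAT":
        return None
    usb_date = parts[7].split(" - ", 1)
    if len(usb_date) != 2:
        return None
    return WshratCheckin(
        hwid=parts[1], hostname=parts[2], user=parts[3], os=parts[4],
        antivirus=parts[6], usb_spread=usb_date[0].strip().lower() == "true",
        install_date=usb_date[1].strip(), version=parts[8], country=parts[9],
    )


def triage_log(text: str) -> List[Tuple[str, int, str]]:
    """Return (severity, flow, detail) for every suspicious log line, in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) < 3:
            continue  # malformed line: skip rather than abort the whole pass
        flow, host, ua = fields
        beacon = parse_wshrat_ua(ua)
        if beacon is not None:
            hits.append(("high", int(flow),
                         f"WSHRAT check-in {beacon.hostname}\\{beacon.user} "
                         f"({beacon.version}, av={'yes' if beacon.has_av else 'none'}) to {host}"))
        elif WINHTTP_UA_RE.search(ua):
            hits.append(("low", int(flow), f"WinHttpRequest user-agent to {host}"))
    return hits


# Constructed log: hosts are placeholders, the two beacon lines reuse the reported header.
SAMPLE_LOG = """\
3 203.0.113.10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
10 203.0.113.10 WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 4/10/2021|JavaScript-v3.4|NL:Netherlands
11 example.org Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
12 203.0.113.10 WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 4/10/2021|JavaScript-v3.4|NL:Netherlands
"""

if __name__ == "__main__":
    for sev, flow, detail in triage_log(SAMPLE_LOG):
        print(f"[{sev}] flow {flow}: {detail}")
```

Matching on the WSHRAT| marker and the ten-field structure, rather than on the full header, keeps the rule valid when the hardware ID, hostname, user, date or country change between victims; the decoded fields (no AV, USB spread not yet achieved, build JavaScript-v3.4) are what an analyst would record from the beacon rather than what the page restates.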