Analysis

  • max time kernel
    123s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    09/10/2021, 19:18

General

  • Target

    uspstracker.js

  • Size

    1.1MB

  • MD5

    3151f194fcfe3b210732d3f6bed59cbd

  • SHA1

    84d181e892c2c51d29c70daa7f785aa4b9a256bd

  • SHA256

    878057fe16a4f4bcdf4e3cf5e28c5e5686da8f24ebb03ced117b34a3f76571aa

  • SHA512

    0264ab652876cf84616e713e9e7709679e16a43a9d4d8b2624dc0dfe417eb21925a12f07ef2beff8e712570dc9e5a3777aaf221267abe8e977dde7eb64ac7024

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\uspstracker.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uspstracker.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:332
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\system32\cscript.exe
      cscript uspstracker.js
      2⤵
      PID:1580
  • C:\Windows\system32\osk.exe
    "C:\Windows\system32\osk.exe"
    1⤵
    PID:1028
  • C:\Windows\system32\utilman.exe
    utilman.exe /debug
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\System32\osk.exe
      "C:\Windows\System32\osk.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2036
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1532
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1780
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:868
  • C:\Windows\system32\utilman.exe
    utilman.exe /debug
    1⤵
    PID:1132

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1916-56-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

    Filesize

    8KB