Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 11/10/2021, 06:54

Static task: static1
Behavioral task: behavioral1
  Sample: Scan00051.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Scan00051.js
  Resource: win10-en-20210920
General
- Target: Scan00051.js
- Size: 1006KB
- MD5: 88cc26a74a561426df5302d399744ffb
- SHA1: defaafa787d512c1bd654266bbb052965d225e16
- SHA256: 4ee22add9e3dfc6d9b5f02f56aeebed5944d7b325196c04d935f8093ba3bc301
- SHA512: 6f5cd63b18c3646b4052f2e895e9bc69db1829fbbc4e86d228d32bc7188f14b130d4ff8427fdc4aa2aa7730d8813ac169752725da26e84aab65a9b00ad02ab0b
Malware Config
Extracted
wshrat
http://147.182.241.104:7121
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request (23 IoCs)
  pid 2472 wscript.exe, flows 9, 11, 12, 21, 22, 23, 25, 35, 40, 41, 43, 45, 47, 48, 50, 51, 52, 53, 56, 58, 60, 62, 64

Executes dropped EXE (3 IoCs)
  pid 3432 python.exe
  pid 1276 python.exe
  pid 4092 cmdc.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00051.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00051.js (wscript.exe)

Loads dropped DLL (26 IoCs)
  pid 3432 python.exe (24 entries)
  pid 1276 python.exe (2 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (cmdc.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan00051 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan00051.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00051 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan00051.js\"" (wscript.exe)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 10: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (2 IoCs)
  pid 2280 taskkill.exe
  pid 2000 taskkill.exe
Script User-Agent (21 IoCs)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flows 12, 21, 22, 23, 35, 40, 41, 43, 45, 47, 48, 50, 51, 52, 53, 56, 58, 60, 62, 64 (20 entries):
    WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands
  HTTP User-Agent header, flow 9 (1 entry):
    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2840 powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, pid 2840 powershell.exe
  Token: 35, pid 3432 python.exe
  Token: 35, pid 1276 python.exe
  Token: SeDebugPrivilege, pid 2280 taskkill.exe
  Token: SeDebugPrivilege, pid 2000 taskkill.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  description                        pid   Process      procid_target
  PID 2472 wrote to memory of 2840   2472  wscript.exe  74  (2 entries)
  PID 2472 wrote to memory of 3136   2472  wscript.exe  76  (2 entries)
  PID 3136 wrote to memory of 3432   3136  cmd.exe      78  (3 entries)
  PID 2472 wrote to memory of 956    2472  wscript.exe  81  (2 entries)
  PID 956 wrote to memory of 1276    956   cmd.exe      83  (3 entries)
  PID 2472 wrote to memory of 2176   2472  wscript.exe  84  (2 entries)
  PID 2176 wrote to memory of 2280   2176  cmd.exe      86  (2 entries)
  PID 2472 wrote to memory of 3516   2472  wscript.exe  87  (2 entries)
  PID 3516 wrote to memory of 2000   3516  cmd.exe      89  (2 entries)
  PID 2472 wrote to memory of 4092   2472  wscript.exe  90  (3 entries)
  PID 2472 wrote to memory of 2980   2472  wscript.exe  92  (2 entries)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan00051.js
  PID: 2472
  Signatures:
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
    PID: 2840
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
    PID: 3136
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
      PID: 3432
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
    PID: 956
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
      PID: 1276
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 2176
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM cmdc.exe
      PID: 2280
      Signatures:
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    PID: 3516
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM cmdc.exe
      PID: 2000
      Signatures:
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\cmdc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
    PID: 4092
    Signatures:
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
    PID: 2980
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
  PID: 1432