Analysis
max time kernel: 147s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211014
submitted: 19/10/2021, 08:27
Static task: static1
Behavioral task: behavioral1
Sample: CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js
Resource: win7-en-20210920
General
Target: CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js
Size: 45KB
MD5: 8c7d90878061ce94f70b41a3d2678379
SHA1: 7d08d5be9c64a49ccfeeb14aee806cb017d941db
SHA256: d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13
SHA512: e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792
Malware Config
Extracted: wshrat
http://faxjohn01.dyn.ddnss.de:1251
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request (64 IoCs)
Drops startup file (5 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js (wscript.exe)
Adds Run key to start application (2 TTPs, 12 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (29 IoCs)
Uses user-agent string associated with script host/environment.
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4024 wrote to memory of 416: pid 4024, wscript.exe, procid_target 70
- PID 4024 wrote to memory of 416: pid 4024, wscript.exe, procid_target 70
- PID 4024 wrote to memory of 3348: pid 4024, wscript.exe, procid_target 72
- PID 4024 wrote to memory of 3348: pid 4024, wscript.exe, procid_target 72
- PID 3348 wrote to memory of 4372: pid 3348, wscript.exe, procid_target 73
- PID 3348 wrote to memory of 4372: pid 3348, wscript.exe, procid_target 73
Processes
C:\Windows\system32\wscript.exe (PID 4024)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (PID 416)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Windows\System32\wscript.exe (PID 3348)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (PID 4372)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application