Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 19/10/2021, 08:32
Static task: static1
Behavioral task: behavioral1
- Sample: PO MFG ORDER W124494 - 2021-10-18 0009.js
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: PO MFG ORDER W124494 - 2021-10-18 0009.js
- Resource: win10-en-20211014
General
- Target: PO MFG ORDER W124494 - 2021-10-18 0009.js
- Size: 45KB
- MD5: 225bff43c2aa2095bbc11f358628e2a1
- SHA1: 81645b5fa0518200da4b145cb3428e702cb76244
- SHA256: 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
- SHA512: af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1
Malware Config
Extracted
- Family: wshrat
- C2: http://fax-joh.dyn-ip24.de:20224
Signatures

Blocklisted process makes network request (64 IoCs)
All 64 flows come from the three wscript.exe children launched with //B (see Processes below); grouped by pid:
pid   Process      flows
648   wscript.exe  11, 18, 22, 33, 40, 45, 55, 63, 68, 76, 85, 90, 100, 108, 113, 123, 131, 136
1072  wscript.exe  13, 17, 23, 31, 39, 43, 53, 62, 67, 77, 84, 91, 98, 106, 112, 122, 129, 135
1468  wscript.exe  12, 14, 20, 25, 29, 34, 37, 41, 46, 51, 56, 58, 64, 69, 73, 79, 81, 87, 93, 97, 101, 104, 109, 116, 119, 124, 126, 132
Drops startup file (5 IoCs)
Two scripts land in the user's Startup folder: a copy of the lure file and the second-stage JDopwXUrEP.js.
description                   ioc                                                                                                                   Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js                            wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js                            wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js                            wscript.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
Both the per-user (HKCU) and the machine-wide (HKLM) Run key get a value named after the lure file that relaunches the %AppData% copy under wscript.exe //B; a second per-user value, SEJOKAOI5S, holds the bare path of the dropped JDopwXUrEP.js, which runs through the .js file association.
description      ioc                                                                                                                                                                                                                                        Process
Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                                                 wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\""  wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\""                                           wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                                                 wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\""                                           wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run                                                                                                                                 wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                                                           wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\JDopwXUrEP.js\""                                                                wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\JDopwXUrEP.js\""                                                                wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run                                                                                                                                 wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                                                           wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description for this signature. Nothing else in this report (no mass file creation or renaming, no dropped note) points to ransomware; the extracted config and the check-in User-Agent below identify the sample as WSHRAT, a remote access trojan, so the drive enumeration should be read in that context.
Script User-Agent (29 IoCs)
Uses user-agent string associated with script host/environment.
Every flagged flow carries the same pipe-separated WSHRAT check-in string, which leaks host details to the C2 in clear text (readable fields include the hostname JZCKHXIN, the user Admin, the OS string Microsoft Windows 7 Ultimate, an AV field reading nan-av, the date and the script language):
description             ioc
HTTP User-Agent header  WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript
flows: 12, 14, 20, 25, 29, 34, 37, 41, 46, 51, 56, 58, 64, 69, 73, 79, 81, 87, 93, 97, 101, 104, 109, 116, 119, 124, 126, 132, 139
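Because the check-in string is fixed-shape and sent in the clear, it is a reliable network detection hook, and its fields give an incident responder the hostname, user and OS of each infected machine without touching the host. The block below is an added example written for this page, not code from the sandbox or from the sample: it validates and parses the User-Agent into fields and groups beacons per host id over proxy log lines. The field names it assigns (host id, hostname, user, OS, variant, AV, flag, date, script language) are the editor's reading of the string and are assumptions; the log line format, the HTTP method and the URL path are constructed, and only the C2 host:port comes from the extracted config above.

```python
"""Pick WSHRAT check-in beacons out of HTTP proxy logs.

Added example by the editor; not code from the report or from the sample.
The User-Agent layout is copied from the report's 'Script User-Agent' rows.
Field names are the editor's reading of that string (assumption); the log
line format, HTTP method and URL path are constructed. Only the C2 host:port
comes from the extracted config.
"""
import re
from urllib.parse import urlsplit

WSHRAT_UA = re.compile(r"^WSHRAT\|")
# constructed proxy format: <flow> <METHOD> <url> ua="<user-agent>"
LOG_LINE = re.compile(r'^(?P<flow>\d+) (?P<method>[A-Z]+) (?P<url>\S+) ua="(?P<ua>[^"]*)"$')

C2 = "fax-joh.dyn-ip24.de:20224"                       # from the extracted config
UA = ("WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|"
      "false - 19/10/2021|JavaScript")                 # verbatim from the report

SAMPLE_LOG = [                                          # constructed lines
    f'12 GET http://{C2}/ ua="{UA}"',
    f'14 GET http://{C2}/ ua="{UA}"',
    '15 GET http://update.example.test/ ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
    '16 GET http://203.0.113.7/ ua="WSHRAT|truncated"',   # wrong field count: ignored
]


def parse_wshrat_ua(ua):
    """Return the beacon fields as a dict, or None if this is not a WSHRAT check-in."""
    if not WSHRAT_UA.match(ua):
        return None
    parts = ua.split("|")
    if len(parts) != 9:            # nine fields in the report; anything else is unknown
        return None
    tag, host_id, hostname, user, os_name, variant, av, status, lang = parts
    # "false - 19/10/2021": a boolean flag plus the check-in date (flag meaning is an assumption)
    flag, _, date = status.partition(" - ")
    return {
        "id": host_id, "hostname": hostname, "user": user, "os": os_name.strip(),
        "variant": variant, "av": av, "flag": flag, "date": date.strip(), "lang": lang,
    }


def scan_log(lines, c2_hosts=()):
    """Group WSHRAT beacons by host id; flag hosts that talked to a known C2."""
    hosts = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        info = parse_wshrat_ua(m["ua"])
        if info is None:
            continue
        entry = hosts.setdefault(info["id"], {**info, "flows": [], "urls": set(), "known_c2": False})
        entry["flows"].append(int(m["flow"]))
        entry["urls"].add(m["url"])
        if urlsplit(m["url"]).netloc in c2_hosts:
            entry["known_c2"] = True
    return hosts


if __name__ == "__main__":
    for host_id, e in scan_log(SAMPLE_LOG, c2_hosts={C2}).items():
        print(f"{host_id}: {e['hostname']}\\{e['user']} on {e['os']} av={e['av']} "
              f"flows={e['flows']} known_c2={e['known_c2']}")
```

The strict nine-field check is deliberate: a looser `^WSHRAT\|` match is fine for an IDS rule, but for triage you want the parser to refuse strings whose layout it does not understand rather than mislabel fields. Matching the C2 by netloc (host:port) rather than the full URL keeps the check valid whatever path the beacon uses.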
Suspicious use of WriteProcessMemory (9 IoCs)
Parent-to-child writes during process creation: the initial wscript.exe (1356) spawns 648 and 1468, and 1468 in turn spawns 1072.
description                        pid   Process      procid_target
PID 1356 wrote to memory of 648    1356  wscript.exe  27
PID 1356 wrote to memory of 648    1356  wscript.exe  27
PID 1356 wrote to memory of 648    1356  wscript.exe  27
PID 1356 wrote to memory of 1468   1356  wscript.exe  28
PID 1356 wrote to memory of 1468   1356  wscript.exe  28
PID 1356 wrote to memory of 1468   1356  wscript.exe  28
PID 1468 wrote to memory of 1072   1468  wscript.exe  30
PID 1468 wrote to memory of 1072   1468  wscript.exe  30
PID 1468 wrote to memory of 1072   1468  wscript.exe  30
Processes
- C:\Windows\system32\wscript.exe (PID 1356, depth 1)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\wscript.exe (PID 648, depth 2)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - Child: C:\Windows\System32\wscript.exe (PID 1468, depth 2)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wscript.exe (PID 1072, depth 3)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application