Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19/10/2021, 08:32
Static task: static1
Behavioral task: behavioral1
- Sample: PO MFG ORDER W124494 - 2021-10-18 0009.js
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: PO MFG ORDER W124494 - 2021-10-18 0009.js
- Resource: win10-en-20211014

The signatures and process tree below come from the windows10_x64 run (behavioral2, win10-en-20211014); the User-Agent strings the sample sent report "Microsoft Windows 10 Enterprise".
General
- Target: PO MFG ORDER W124494 - 2021-10-18 0009.js
- Size: 45KB
- MD5: 225bff43c2aa2095bbc11f358628e2a1
- SHA1: 81645b5fa0518200da4b145cb3428e702cb76244
- SHA256: 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
- SHA512: af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1
Malware Config
Extracted
- Family: wshrat
- C2: http://fax-joh.dyn-ip24.de:20224

The C2 is a dynamic-DNS hostname on a non-standard port. Host and port are worth blocking, but they are short-lived indicators because DDNS names are cheap to rotate; the family-specific User-Agent string recorded under Signatures is the more durable one.
Signatures

Blocklisted process makes network request (64 IoCs)
The original table lists one row per network flow (flow id, pid, process); grouped by the process that made the request:
- PID 4056 wscript.exe: flows 9, 15, 28, 29, 38, 41, 42, 45, 48, 49, 52, 53, 58, 61, 62, 65, 66, 69, 72, 73, 76, 77, 80, 83, 84, 87, 90, 91
- PID 3460 wscript.exe: flows 11, 26, 30, 39, 43, 46, 50, 54, 59, 63, 67, 70, 74, 78, 81, 85, 88, 92
- PID 4524 wscript.exe: flows 10, 27, 31, 40, 44, 47, 51, 55, 60, 64, 68, 71, 75, 79, 82, 86, 89, 93
Drops startup file (5 IoCs)
description | ioc | process
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js | wscript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js | wscript.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js | wscript.exe

Two copies land in the per-user Startup folder: one under the lure's own filename and one under the random name JDopwXUrEP.js. Deleting only the obvious one leaves the second copy to run at the next logon.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | process (value data shown unescaped)
- Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js" | wscript.exe
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js" | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js" | wscript.exe
- Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js" | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js" | wscript.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js" | wscript.exe

Three things worth noting for detection and cleanup. The sample writes both the per-user (HKU\...\Run) and the machine-wide (HKLM\...\Run) key; the HKLM write succeeds only because the sandbox user is an administrator. The value named after the lure launches wscript.exe with //B, which runs the script in batch mode so errors and prompts never reach the desktop. The SEJOKAOI5S value holds nothing but a quoted path to a .js file; that still executes at logon through the .js file association, so a rule that only looks for "wscript" or "cscript" in Run values misses it.
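A triage routine for the persistence entries above, added here as an example; it is not code from the report or from the sample. The Run-key values and the Startup-folder path are copied from this report's IoCs (value data written unescaped), the SecurityHealth entry is a constructed benign control, and the function and field names are this example's own. It covers the case a naive grep misses: a Run value that is a bare script path rather than an explicit wscript.exe command line.

```python
"""Triage autostart entries for script-host persistence.

Added example, not code from the sandbox report or from the sample. The
Run-key values and the Startup-folder path are copied from this report's
IoCs (value data written unescaped); the SecurityHealth entry is a
constructed benign control. Function and field names are this example's own.
"""
from __future__ import annotations

import ntpath  # Windows path rules even when the analyst runs this on Linux
import re

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Locations an unprivileged user can write to; a persistence target living
# here is far more suspicious than one under %windir% or Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)

HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKU_RUN = (r"\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# (source, location, name, data): for "run" data is the value's command line,
# for "startup" it is the dropped file's path.
ENTRIES = [
    ("run", HKLM_RUN, "PO MFG ORDER W124494 - 2021-10-18 0009",
     r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"'),
    ("run", HKU_RUN, "SEJOKAOI5S", r'"C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"'),
    ("startup", STARTUP, "JDopwXUrEP.js", STARTUP + r"\JDopwXUrEP.js"),
    ("run", HKLM_RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),  # constructed control
]


def tokenize_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def assess_autorun(source: str, location: str, name: str, data: str) -> dict:
    """Return the entry plus the traits that make it look like script persistence."""
    findings: list[str] = []
    script: str | None = None
    if source == "startup":
        script = data
    elif tokens := tokenize_cmdline(data):
        exe = ntpath.basename(tokens[0]).lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"launches script host {exe}")
            if any(t.lower() == "//b" for t in tokens[1:]):
                findings.append("//B batch mode: script errors and prompts are suppressed")
            args = [t for t in tokens[1:] if not t.startswith("//")]
            script = args[0] if args else None
        elif ntpath.splitext(tokens[0])[1].lower() in SCRIPT_EXT:
            # A bare script path still runs: the shell resolves .js to wscript.exe,
            # so a rule that only looks for "wscript" in the value misses it.
            script = tokens[0]
            findings.append("bare script path, executed through the file association")
    if script is not None:
        ext = ntpath.splitext(script)[1].lower()
        if ext in SCRIPT_EXT:
            findings.append(f"target is a {ext} script")
            if USER_WRITABLE.search(script):
                findings.append("target sits in a user-writable directory")
    return {"source": source, "location": location, "name": name,
            "data": data, "script": script, "findings": findings}


def triage(entries: list[tuple[str, str, str, str]]) -> list[dict]:
    """Keep only entries with findings, most findings first."""
    flagged = [r for r in (assess_autorun(*e) for e in entries) if r["findings"]]
    return sorted(flagged, key=lambda r: len(r["findings"]), reverse=True)


if __name__ == "__main__":
    for r in triage(ENTRIES):
        print(f"[{r['source']}] {r['location']}\\{r['name']}")
        for f in r["findings"]:
            print("   -", f)
```

Running it flags the three entries from this report and leaves the SecurityHealth control alone. The same assessment can be fed from a live host by exporting Run values and listing the Startup folders; ntpath is used instead of os.path so the path logic behaves the same when the triage runs on a Linux analysis box.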
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

That second sentence is the sandbox's generic description for this signature, not a finding about this sample: no file encryption appears anywhere in this run, and the extracted config identifies the sample as WSHRAT, a remote-access trojan. Drive enumeration by a WSH-based RAT is far more likely to be a search for removable media to copy itself onto, which this family is known for, than ransomware activity.
Script User-Agent (29 IoCs)
Uses user-agent string associated with script host/environment.
All 29 hits carry the same HTTP User-Agent header:
WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 22/10/2021|JavaScript
Flows: 9, 15, 28, 29, 38, 41, 42, 45, 48, 49, 52, 53, 58, 61, 62, 65, 66, 69, 72, 73, 76, 77, 80, 83, 84, 87, 90, 91, 94

This is not a browser string but a pipe-delimited host fingerprint sent on every check-in: the family tag, a victim identifier, a hostname-like value, the analysis VM's username (Admin, matching the paths above), the OS edition, a variant tag, an antivirus field ("nan-av", read as none found), a boolean paired with a date, and the script language. Those field meanings are read from the values in this report, not from the sample's source. Because the layout is fixed and leaks host identity, matching on the "WSHRAT|" prefix and field structure at the proxy is a higher-fidelity, longer-lived detection than the DDNS C2 host.
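Proxy-side detection for that beacon, added here as an example; it is not code from the report or from the sample. The User-Agent layout is the one observed in this report; the tab-separated proxy-log format (time, client, server:port, user-agent) and every log line are constructed for illustration, and field names such as victim_id are this example's own labels inferred from the values.

```python
"""Flag WSHRAT check-ins by their User-Agent header.

Added example, not code from the sandbox report or from the sample. The
User-Agent layout is the one observed in this report; the proxy-log format
(tab-separated: time, client, server:port, user-agent) and every log line
are constructed for illustration. Field names such as victim_id are this
example's own labels, inferred from the values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# WSHRAT|<victim id>|<host>|<user>|<os>|<variant>|<av>|<flag> - <dd/mm/yyyy>|<language>
WSHRAT_UA = re.compile(
    r"^WSHRAT\|(?P<victim_id>[^|]+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|"
    r"(?P<os>[^|]+)\|(?P<variant>[^|]+)\|(?P<av>[^|]+)\|"
    r"(?P<flag>true|false) - (?P<date>\d{2}/\d{2}/\d{4})\|(?P<lang>[^|]+)$"
)


@dataclass(frozen=True)
class Beacon:
    victim_id: str
    host: str
    user: str
    os: str
    variant: str
    av: str
    flag: str
    date: str
    lang: str


def parse_wshrat_ua(ua: str) -> Beacon | None:
    """Return the host fingerprint carried in a WSHRAT User-Agent, else None."""
    m = WSHRAT_UA.match(ua.strip())
    return Beacon(**m.groupdict()) if m else None


# Constructed log: two check-ins using this report's fingerprint, one from an
# invented second victim, and an ordinary browser request as a negative case.
SAMPLE_LOG = (
    "2021-10-22T08:40:01Z\t10.0.0.15\tfax-joh.dyn-ip24.de:20224\t"
    "WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 22/10/2021|JavaScript\n"
    "2021-10-22T08:40:03Z\t10.0.0.15\tupdate.example.net:443\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n"
    "2021-10-22T08:40:09Z\t10.0.0.22\tfax-joh.dyn-ip24.de:20224\t"
    "WSHRAT|0AF31C77|WS-FINANCE-07|jsmith|Microsoft Windows 10 Pro|plus|Windows Defender|true - 21/10/2021|JavaScript\n"
    "2021-10-22T08:40:11Z\t10.0.0.15\tfax-joh.dyn-ip24.de:20224\t"
    "WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 22/10/2021|JavaScript\n"
)


def scan_proxy_log(text: str) -> list[dict]:
    """One hit per log line whose User-Agent parses as a WSHRAT beacon."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, ua = line.split("\t", 3)
        beacon = parse_wshrat_ua(ua)
        if beacon is not None:
            hits.append({"ts": ts, "client": client, "server": server, "beacon": beacon})
    return hits


def victims(hits: list[dict]) -> dict[str, dict]:
    """Collapse repeated check-ins into one record per victim id."""
    out: dict[str, dict] = {}
    for h in hits:
        b = h["beacon"]
        rec = out.setdefault(b.victim_id, {"host": b.host, "user": b.user, "av": b.av,
                                           "clients": set(), "c2": set(), "checkins": 0})
        rec["clients"].add(h["client"])
        rec["c2"].add(h["server"])
        rec["checkins"] += 1
    return out


if __name__ == "__main__":
    for vid, rec in victims(scan_proxy_log(SAMPLE_LOG)).items():
        print(vid, rec["host"], rec["user"], rec["av"], sorted(rec["clients"]),
              sorted(rec["c2"]), rec["checkins"])
```

The parse is anchored on the full field structure rather than on the "WSHRAT" substring alone, so a browser extension or test tool that happens to mention the word is not flagged, while the per-victim roll-up turns the 29 near-identical hits this report shows into one record with the host, user, AV field and C2 that an incident ticket needs.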
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | procid_target
- PID 3504 wrote to memory of 3460 | 3504 | wscript.exe | 69
- PID 3504 wrote to memory of 3460 | 3504 | wscript.exe | 69
- PID 3504 wrote to memory of 4056 | 3504 | wscript.exe | 70
- PID 3504 wrote to memory of 4056 | 3504 | wscript.exe | 70
- PID 4056 wrote to memory of 4524 | 4056 | wscript.exe | 72
- PID 4056 wrote to memory of 4524 | 4056 | wscript.exe | 72

procid_target is the sandbox's internal index for the target process, not a Windows PID. Every write here goes from a parent to the child it has just launched (3504 to 3460 and 4056, then 4056 to 4524), which matches the process tree below; it is what process creation looks like to this signature, not evidence of injection into an unrelated process.
Processes
- C:\Windows\system32\wscript.exe (PID 3504)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\wscript.exe (PID 3460)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (PID 4056)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\System32\wscript.exe (PID 4524)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

Read top to bottom: the lure opened from Temp copies itself into %APPDATA% twice, under its own name and as JDopwXUrEP.js, relaunches both copies silently with //B, and the renamed copy (4056) launches JDopwXUrEP.js a second time. Only the three children beacon to the C2; the initial process does no network activity of its own, so a detection keyed on the first wscript.exe alone would see the persistence writes but not the check-ins.