Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    21/10/2021, 18:21

General

  • Target

    IMG-9877-PO-PDF-LIST9576867.js

  • Size

    2.1MB

  • MD5

    66ce275ae44bfac23f7a71c0e3df1e76

  • SHA1

    a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce

  • SHA256

    46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633

  • SHA512

    94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe

Malware Config

Extracted

Family

wshrat

C2

http://concideritdone.duckdns.org:5001

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • WSHRAT Payload 2 IoCs
  • Blocklisted process makes network request 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-9877-PO-PDF-LIST9576867.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
      "C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
        "C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:1572
      • C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
        "C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
            5⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Adds Run key to start application
            PID:296

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/580-57-0x0000000075B71000-0x0000000075B73000-memory.dmp

    Filesize

    8KB

  • memory/1384-85-0x0000000000270000-0x000000000089E000-memory.dmp

    Filesize

    6.2MB

  • memory/1384-82-0x0000000000270000-0x000000000089E000-memory.dmp

    Filesize

    6.2MB

  • memory/1384-81-0x0000000000270000-0x000000000089E000-memory.dmp

    Filesize

    6.2MB

  • memory/1644-76-0x0000000000370000-0x0000000000371000-memory.dmp

    Filesize

    4KB