Analysis
Max time kernel: 151s
Max time network: 151s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 21-10-2021 18:21

Static task: static1
Behavioral task: behavioral1
  Sample: IMG-9877-PO-PDF-LIST9576867.js
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: IMG-9877-PO-PDF-LIST9576867.js
  Resource: win10-en-20210920
General
Target: IMG-9877-PO-PDF-LIST9576867.js
Size: 2.1MB
MD5: 66ce275ae44bfac23f7a71c0e3df1e76
SHA1: a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce
SHA256: 46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633
SHA512: 94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe
Malware Config
Extracted family: wshrat
URL: http://concideritdone.duckdns.org:5001
Signatures

WSHRAT Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Roaming\EkoHX.vbs   yara_rule: family_wshrat
  resource: C:\Users\Admin\AppData\Roaming\OPAFu.vbs   yara_rule: family_wshrat
Blocklisted process makes network request (10 IoCs)
  flow 8    pid 296   wscript.exe
  flow 7    pid 1572  wscript.exe
  flow 12   pid 1572  wscript.exe
  flow 13   pid 296   wscript.exe
  flow 15   pid 1572  wscript.exe
  flow 17   pid 296   wscript.exe
  flow 19   pid 1572  wscript.exe
  flow 21   pid 296   wscript.exe
  flow 25   pid 1572  wscript.exe
  flow 27   pid 296   wscript.exe
Executes dropped EXE (3 IoCs)
  pid 580   IMG-9877-PO-PDF-LIST9576867.exe
  pid 1644  WHS2.0.exe
  pid 436   gmebm.pif
Drops startup file (4 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs   wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs   wscript.exe
Loads dropped DLL (9 IoCs)
  pid 580   IMG-9877-PO-PDF-LIST9576867.exe   (the same process, listed 9 times)
Adds Run key to start application (2 TTPs, 8 IoCs)
  Key created      \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run   wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run   wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""   wscript.exe
  Key created      \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run   wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run   wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""   wscript.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 5   ip-api.com
  flow 6   ip-api.com
Suspicious use of SetThreadContext (1 IoC)
  PID 436 (gmebm.pif) set thread context of PID 1384 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1384   RegSvcs.exe   (the same process, listed 4 times)
Suspicious use of WriteProcessMemory (29 IoCs)
  PID 1868 (wscript.exe) wrote to memory of PID 580 (IMG-9877-PO-PDF-LIST9576867.exe)   x4
  PID 580 (IMG-9877-PO-PDF-LIST9576867.exe) wrote to memory of PID 1644 (WHS2.0.exe)   x4
  PID 580 (IMG-9877-PO-PDF-LIST9576867.exe) wrote to memory of PID 436 (gmebm.pif)   x4
  PID 1644 (WHS2.0.exe) wrote to memory of PID 1572 (wscript.exe)   x4
  PID 436 (gmebm.pif) wrote to memory of PID 1384 (RegSvcs.exe)   x9
  PID 1384 (RegSvcs.exe) wrote to memory of PID 296 (wscript.exe)   x4
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-9877-PO-PDF-LIST9576867.js
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
      Command line: "C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
        Command line: "C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe" ...
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\wscript.exe
          Command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
          - Blocklisted process makes network request
          - Drops startup file
          - Adds Run key to start application

    [3] C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
        Command line: "C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\wscript.exe
            Command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
            - Blocklisted process makes network request
            - Drops startup file
            - Adds Run key to start application