Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21/10/2021, 18:21

Static task: static1

Behavioral task: behavioral1
- Sample: IMG-9877-PO-PDF-LIST9576867.js
- Resource: win7-en-20211014

Behavioral task: behavioral2
- Sample: IMG-9877-PO-PDF-LIST9576867.js
- Resource: win10-en-20210920
General
- Target: IMG-9877-PO-PDF-LIST9576867.js
- Size: 2.1MB
- MD5: 66ce275ae44bfac23f7a71c0e3df1e76
- SHA1: a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce
- SHA256: 46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633
- SHA512: 94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe
Malware Config
Extracted
- wshrat
- http://concideritdone.duckdns.org:5001
Signatures

WSHRAT Payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0006000000012239-80.dat | family_wshrat
behavioral1/files/0x0006000000012241-88.dat | family_wshrat
Blocklisted process makes network request (10 IoCs)
flow | pid | Process
8 | 296 | wscript.exe
7 | 1572 | wscript.exe
12 | 1572 | wscript.exe
13 | 296 | wscript.exe
15 | 1572 | wscript.exe
17 | 296 | wscript.exe
19 | 1572 | wscript.exe
21 | 296 | wscript.exe
25 | 1572 | wscript.exe
27 | 296 | wscript.exe
Executes dropped EXE (3 IoCs)
pid | Process
580 | IMG-9877-PO-PDF-LIST9576867.exe
1644 | WHS2.0.exe
436 | gmebm.pif
Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | wscript.exe
Loads dropped DLL (9 IoCs)
pid | Process
580 | IMG-9877-PO-PDF-LIST9576867.exe (9 identical entries)
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | wscript.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | ip-api.com
6 | ip-api.com
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 436 set thread context of 1384 | 436 | gmebm.pif | 32
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1384 | RegSvcs.exe (4 identical entries)
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 1868 wrote to memory of 580 | 1868 | wscript.exe | 28 (4 entries)
PID 580 wrote to memory of 1644 | 580 | IMG-9877-PO-PDF-LIST9576867.exe | 29 (4 entries)
PID 580 wrote to memory of 436 | 580 | IMG-9877-PO-PDF-LIST9576867.exe | 30 (4 entries)
PID 1644 wrote to memory of 1572 | 1644 | WHS2.0.exe | 31 (4 entries)
PID 436 wrote to memory of 1384 | 436 | gmebm.pif | 32 (9 entries)
PID 1384 wrote to memory of 296 | 1384 | RegSvcs.exe | 33 (4 entries)
Processes

C:\Windows\system32\wscript.exe (level 1)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-9877-PO-PDF-LIST9576867.js
  - Suspicious use of WriteProcessMemory
  PID: 1868

  C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe (level 2)
    command line: "C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 580

    C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe (level 3)
      command line: "C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1644

      C:\Windows\SysWOW64\wscript.exe (level 4)
        command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
        PID: 1572

    C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif (level 3)
      command line: "C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 436

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 4)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1384

        C:\Windows\SysWOW64\wscript.exe (level 5)
          command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
          - Blocklisted process makes network request
          - Drops startup file
          - Adds Run key to start application
          PID: 296