Analysis
max time kernel: 130s
max time network: 145s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21/10/2021, 18:21
Static task: static1
Behavioral task: behavioral1
  Sample: IMG-9877-PO-PDF-LIST9576867.js
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: IMG-9877-PO-PDF-LIST9576867.js
  Resource: win10-en-20210920
General
Target: IMG-9877-PO-PDF-LIST9576867.js
Size: 2.1MB
MD5: 66ce275ae44bfac23f7a71c0e3df1e76
SHA1: a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce
SHA256: 46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633
SHA512: 94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe
Malware Config
Extracted
Family: wshrat
C2 URL: http://concideritdone.duckdns.org:5001
Signatures
WSHRAT Payload (2 IoCs)
resource                                     | yara_rule
behavioral2/files/0x000400000001abcc-127.dat | family_wshrat
behavioral2/files/0x00020000000155fa-135.dat | family_wshrat
Blocklisted process makes network request (10 IoCs)
flow | pid  | Process
17   | 1608 | wscript.exe
19   | 1608 | wscript.exe
20   | 496  | wscript.exe
21   | 496  | wscript.exe
27   | 1608 | wscript.exe
30   | 496  | wscript.exe
34   | 1608 | wscript.exe
35   | 496  | wscript.exe
36   | 1608 | wscript.exe
37   | 496  | wscript.exe
Executes dropped EXE (3 IoCs)
pid  | Process
3852 | IMG-9877-PO-PDF-LIST9576867.exe
1140 | WHS2.0.exe
940  | gmebm.pif
Drops startup file (4 IoCs)
description                  | ioc                                                                                     | Process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | wscript.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description     | ioc                                                                                                                                                           | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""                | wscript.exe
Key created     | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run                                                    | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | wscript.exe
Key created     | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run                                                                                   | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""                | wscript.exe
Key created     | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run                                                    | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | wscript.exe
Key created     | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run                                                                                   | wscript.exe
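The two persistence signatures above (the .vbs files dropped into the Startup folder and the Run values that launch them with wscript.exe //B) are the rows a responder wants to triage automatically. What follows is an added example, not part of the sandbox report or of the WSHRAT sample: it parses rows written in the report's own wording, maps the kernel-style \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to HKLM/HKU, unescapes the value data and scores each entry on three heuristics that are this example's assumptions (a script host as the launcher, //B batch mode, a script under a user-writable directory). The row text is copied from the report; the parser, the path lists and the scoring are assumptions and would need tuning on real Run-key dumps.

```python
"""Parse sandbox 'Adds Run key' / 'Drops startup file' IoC rows and flag
script-host persistence (wscript.exe //B <script> under a user-writable path).

Added example: the rows below are copied from the report; the parser, its
normalisation and its scoring rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the report's IoC rows, one per line, in the sandbox's own
# wording.  'Key created' rows carry no value data and are skipped.
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" wscript.exe
Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run wscript.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" wscript.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" wscript.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" wscript.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs wscript.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs wscript.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs wscript.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs wscript.exe
'''

# Heuristic lists (assumptions of this example, extend for your environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# "Set value (str) <key>\<name> = "<escaped data>" <writer>"
RUN_ROW = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\[^ ]+)\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<proc>\S+)$')
# "File created <path with spaces> <writer>"
FILE_ROW = re.compile(r'^(?:File created|File opened for modification) (?P<path>.+?) (?P<proc>\S+)$')


@dataclass
class Finding:
    kind: str                  # "run_key" or "startup_file"
    location: str              # HKLM\...\Run\<name>, or the Startup-folder path
    command: str               # unescaped value data (run key) or the file path
    writer: str                # process that created the entry
    reasons: list = field(default_factory=list)


def normalise_key(raw):
    # \REGISTRY\MACHINE\... -> HKLM\...   \REGISTRY\USER\<SID>\... -> HKU\<SID>\...
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if raw.upper().startswith(prefix):
            return hive + raw[len(prefix):]
    return raw


def split_command(data):
    # Undo the report's escaping (backslash-quote, doubled backslash), then
    # tokenise honouring double quotes so a quoted script path stays one token.
    cmd = re.sub(r'\\(["\\])', r'\1', data)
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    return cmd, toks


def judge(exe, args):
    reasons = []
    if exe.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
        reasons.append("script_host")
    if any(a.lower() in ("//b", "/b") for a in args):
        reasons.append("batch_mode")       # //B: no prompts or error dialogs for the user
    if any(a.lower().endswith(SCRIPT_EXTS) and any(d in a.lower() for d in USER_WRITABLE) for a in args):
        reasons.append("user_writable_path")
    return reasons


def analyse(rows=REPORT_ROWS):
    findings, seen = [], set()
    for line in rows.strip().splitlines():
        m = RUN_ROW.match(line)
        if m:
            cmd, toks = split_command(m["data"])
            if not toks:
                continue
            loc = normalise_key(m["key"]) + "\\" + m["name"]
            f = Finding("run_key", loc, cmd, m["proc"], judge(toks[0], toks[1:]))
        else:
            m = FILE_ROW.match(line)
            if not m or STARTUP_DIR not in m["path"].lower():
                continue
            reasons = ["startup_folder"]
            if m["path"].lower().endswith(SCRIPT_EXTS):
                reasons.append("script_file")
            f = Finding("startup_file", m["path"], m["path"], m["proc"], reasons)
        if (f.kind, f.location) not in seen:   # created + modified rows collapse to one finding
            seen.add((f.kind, f.location))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse():
        print(f"{f.kind:13} {','.join(f.reasons):40} {f.location}")
        print(f"              {f.command}")
```

The parser accepts any mixture of "Set value", "Key created" and "File created/opened for modification" rows. Note that the HKLM entries land under SOFTWARE\WOW6432Node because the writer is the 32-bit wscript.exe from C:\Windows\SysWOW64 (see the Processes section), so its writes to HKLM\SOFTWARE are redirected; a hunt that reads only the native 64-bit Run key misses them.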
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16   | ip-api.com
Suspicious use of SetThreadContext (1 IoCs)
description                        | pid | Process   | procid_target
PID 940 set thread context of 1484 | 940 | gmebm.pif | 74
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but that label does not fit this sample: it is classified as WSHRAT, a remote access trojan, and no file-encryption activity appears anywhere in this report. Read the drive enumeration as a heuristic hit, not as a ransomware verdict.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid  | Process
1484 | RegSvcs.exe
1484 | RegSvcs.exe
1484 | RegSvcs.exe
1484 | RegSvcs.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description                      | pid  | Process                         | procid_target
PID 2804 wrote to memory of 3852 | 2804 | wscript.exe                     | 68
PID 2804 wrote to memory of 3852 | 2804 | wscript.exe                     | 68
PID 2804 wrote to memory of 3852 | 2804 | wscript.exe                     | 68
PID 3852 wrote to memory of 1140 | 3852 | IMG-9877-PO-PDF-LIST9576867.exe | 69
PID 3852 wrote to memory of 1140 | 3852 | IMG-9877-PO-PDF-LIST9576867.exe | 69
PID 3852 wrote to memory of 1140 | 3852 | IMG-9877-PO-PDF-LIST9576867.exe | 69
PID 3852 wrote to memory of 940  | 3852 | IMG-9877-PO-PDF-LIST9576867.exe | 71
PID 3852 wrote to memory of 940  | 3852 | IMG-9877-PO-PDF-LIST9576867.exe | 71
PID 3852 wrote to memory of 940  | 3852 | IMG-9877-PO-PDF-LIST9576867.exe | 71
PID 1140 wrote to memory of 1608 | 1140 | WHS2.0.exe                      | 72
PID 1140 wrote to memory of 1608 | 1140 | WHS2.0.exe                      | 72
PID 1140 wrote to memory of 1608 | 1140 | WHS2.0.exe                      | 72
PID 940 wrote to memory of 1484  | 940  | gmebm.pif                       | 74
PID 940 wrote to memory of 1484  | 940  | gmebm.pif                       | 74
PID 940 wrote to memory of 1484  | 940  | gmebm.pif                       | 74
PID 940 wrote to memory of 1484  | 940  | gmebm.pif                       | 74
PID 940 wrote to memory of 1484  | 940  | gmebm.pif                       | 74
PID 1484 wrote to memory of 496  | 1484 | RegSvcs.exe                     | 75
PID 1484 wrote to memory of 496  | 1484 | RegSvcs.exe                     | 75
PID 1484 wrote to memory of 496  | 1484 | RegSvcs.exe                     | 75
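Read together, the WriteProcessMemory and SetThreadContext rows above describe the injection chain: every parent writes a few times into each child it creates, but gmebm.pif writes into RegSvcs.exe five times and then resets its thread context, the WriteProcessMemory + SetThreadContext half of the create-suspended / overwrite / resume sequence characteristic of process hollowing, and that RegSvcs.exe then spawns the wscript.exe that runs OPAFu.vbs. The following added example, not part of the report or of the sample, rebuilds the parent/child tree from rows in the report's wording and flags write+SetThreadContext pairs. The event rows and the PID-to-image map are copied from the report; the "first writer is the creator" heuristic, the user-writable and OS-binary path tests and the scoring are this example's assumptions.

```python
"""Rebuild the process tree from sandbox WriteProcessMemory / SetThreadContext
rows and flag process-hollowing pairs.

Added example: the event rows and the PID-to-image map are copied from the
report; the parser, the creator heuristic and the scoring are this example's
own assumptions, not the sandbox's code.
"""
import re
from collections import defaultdict

# Constructed input: the report's rows verbatim, one per line.  Format is
# "PID <src> <verb> <dst> <src> <src image> <target procid>".
EVENT_ROWS = """
PID 2804 wrote to memory of 3852 2804 wscript.exe 68
PID 2804 wrote to memory of 3852 2804 wscript.exe 68
PID 2804 wrote to memory of 3852 2804 wscript.exe 68
PID 3852 wrote to memory of 1140 3852 IMG-9877-PO-PDF-LIST9576867.exe 69
PID 3852 wrote to memory of 1140 3852 IMG-9877-PO-PDF-LIST9576867.exe 69
PID 3852 wrote to memory of 1140 3852 IMG-9877-PO-PDF-LIST9576867.exe 69
PID 3852 wrote to memory of 940 3852 IMG-9877-PO-PDF-LIST9576867.exe 71
PID 3852 wrote to memory of 940 3852 IMG-9877-PO-PDF-LIST9576867.exe 71
PID 3852 wrote to memory of 940 3852 IMG-9877-PO-PDF-LIST9576867.exe 71
PID 1140 wrote to memory of 1608 1140 WHS2.0.exe 72
PID 1140 wrote to memory of 1608 1140 WHS2.0.exe 72
PID 1140 wrote to memory of 1608 1140 WHS2.0.exe 72
PID 940 wrote to memory of 1484 940 gmebm.pif 74
PID 940 wrote to memory of 1484 940 gmebm.pif 74
PID 940 wrote to memory of 1484 940 gmebm.pif 74
PID 940 wrote to memory of 1484 940 gmebm.pif 74
PID 940 wrote to memory of 1484 940 gmebm.pif 74
PID 940 set thread context of 1484 940 gmebm.pif 74
PID 1484 wrote to memory of 496 1484 RegSvcs.exe 75
PID 1484 wrote to memory of 496 1484 RegSvcs.exe 75
PID 1484 wrote to memory of 496 1484 RegSvcs.exe 75
"""

# PID -> image path, taken from the report's Processes section.
IMAGES = {
    2804: r"C:\Windows\system32\wscript.exe",
    3852: r"C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe",
    1140: r"C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe",
    1608: r"C:\Windows\SysWOW64\wscript.exe",
    940:  r"C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif",
    1484: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    496:  r"C:\Windows\SysWOW64\wscript.exe",
}

ROW = re.compile(r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+) \d+ \S+ \d+$")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse(rows):
    """Return (write counts per (src, dst), set of SetThreadContext pairs, child -> parent map)."""
    writes, ctx, parent = defaultdict(int), set(), {}
    for line in rows.strip().splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        if m["verb"].startswith("wrote"):
            writes[(src, dst)] += 1
            # Assumption: the first process to write into a PID created it.  A parent
            # writes a few pages into every new child (hence ~3 writes per creation
            # above), so writes alone are not evidence of injection.
            parent.setdefault(dst, src)
        else:
            ctx.add((src, dst))
    return writes, ctx, parent


def basename(path):
    return path.rsplit("\\", 1)[-1]


def hollowing_candidates(rows=EVENT_ROWS, images=IMAGES):
    """Pairs where one process both wrote into and reset the thread context of another."""
    writes, ctx, _ = parse(rows)
    out = []
    for src, dst in sorted(ctx):
        if (src, dst) not in writes:
            continue
        src_img, dst_img = images.get(src, "?"), images.get(dst, "?")
        reasons = ["write+setthreadcontext"]
        if dst_img.lower().startswith("c:\\windows\\"):
            reasons.append("target_is_os_binary")     # signed host image used as a disguise
        if any(d in src_img.lower() for d in USER_WRITABLE):
            reasons.append("injector_in_user_dir")
        out.append({"injector": src, "injector_image": basename(src_img),
                    "target": dst, "target_image": basename(dst_img),
                    "writes": writes[(src, dst)], "reasons": reasons})
    return out


def ancestry(pid, rows=EVENT_ROWS):
    """Root-to-pid chain, e.g. ancestry(496) -> [2804, 3852, 940, 1484, 496]."""
    _, _, parent = parse(rows)
    chain = [pid]
    while chain[-1] in parent and len(chain) < 64:   # length guard against malformed cycles
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render_tree(rows=EVENT_ROWS, images=IMAGES):
    """Indented text tree, one line per process, built from the child -> parent map."""
    _, _, parent = parse(rows)
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    roots = sorted(p for p in set(parent.values()) if p not in parent)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(images.get(pid, '?'))}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree())
    for c in hollowing_candidates():
        print(f"hollowing? {c['injector']} {c['injector_image']} -> {c['target']} {c['target_image']} "
              f"({c['writes']} writes; {', '.join(c['reasons'])})")
    print("chain to the OPAFu.vbs launcher:", " -> ".join(str(p) for p in ancestry(496)))
```

The three-writes-per-creation baseline is what makes the five writes plus SetThreadContext into RegSvcs.exe stand out; on a real endpoint the same pairing is what a process-hollowing detection keys on, with the target being a signed Microsoft binary and the injector living under AppData\Roaming adding the weight.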
Processes
[1] C:\Windows\system32\wscript.exe  PID 2804
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-9877-PO-PDF-LIST9576867.js
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe  PID 3852
      Command line: "C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe  PID 1140
        Command line: "C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe" ...
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\wscript.exe  PID 1608
          Command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
          - Blocklisted process makes network request
          - Drops startup file
          - Adds Run key to start application
    [3] C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif  PID 940
        Command line: "C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  PID 1484
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\wscript.exe  PID 496
            Command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
            - Blocklisted process makes network request
            - Drops startup file
            - Adds Run key to start application