Analysis

Max time kernel: 148s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 16-06-2022 08:42

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Inquiry AS894 - SG633.js
Resource: win7-20220414-en
General

Target: Purchase Inquiry AS894 - SG633.js
Size: 90KB
MD5: ef6bd6f33894ed4aa9dfd7b008fb3848
SHA1: f0d5020b90e63e67f8a37619f347c932d35cdd7a
SHA256: fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c
SHA512: 9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab
Malware Config

Extracted family: wshrat
C2: http://62.102.148.154:4044
Signatures

- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

Blocklisted process makes network request (57 IoCs)

Network flows attributed to wscript.exe, grouped by process (flow ids as numbered by the sandbox; the script each PID runs is taken from the process tree below):
- PID 972 (atmsLTFoCr.js): flows 10, 14, 19, 30, 39, 44, 52, 61, 67, 77, 82, 88, 97, 103, 112, 118
- PID 1088 (Purchase Inquiry AS894 - SG633.js): flows 11, 12, 17, 23, 26, 31, 35, 40, 46, 50, 55, 59, 63, 69, 72, 78, 83, 85, 94, 95, 100, 107, 108, 115, 122
- PID 1740 (atmsLTFoCr.js, second instance): flows 9, 15, 20, 28, 38, 43, 53, 57, 66, 74, 80, 90, 98, 105, 110, 120
Drops startup file (5 IoCs)

File events in the per-user Startup folder, all by wscript.exe:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js
Adds Run key to start application (2 TTPs, 12 IoCs)

Registry operations, all by wscript.exe (\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000 is the hive of the logged-on Admin user):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""
- Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run
- Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""
- Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\atmsLTFoCr.js\""
- Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run
- Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""
- Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
- Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\atmsLTFoCr.js\""
- Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js\""

Two autorun entries result. The sample persists under its own filename in both the machine and the user Run key, explicitly via wscript.exe //B (batch mode, which suppresses script error dialogs). The dropped atmsLTFoCr.js persists under the random value name YVBPFHTJIQ in the user Run key as a bare quoted path, so it is launched through whatever handler is registered for .js files (wscript.exe by default). The machine-wide Run key write succeeded only because the sandbox ran the sample as an administrator; on a standard user account the HKLM write would fail and the HKCU entries would be the ones to hunt for.
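The two persistence mechanisms above (Startup-folder copies and Run-key values) are cheap to hunt for across a fleet. The following Python is an added example, not part of the sandbox report or of the malware: it classifies Run-key entries and Startup-folder file writes using the report's own values as input. The (key, value name, value data) triple format, the benign control entry and the hypothetical reason codes are this example's assumptions.

```python
"""Triage autorun artefacts for WSH-based RAT persistence (added example).

Input is a list of (key_path, value_name, value_data) triples, the way a
registry-auditing source such as Sysmon Event ID 13 records a Run-key write,
plus file paths for Startup-folder drops. The value data below is taken from
the report with its display escaping removed; the SecurityHealth entry is a
constructed benign control.
"""
import os
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Directories any interactive user can write to: persistence pointing here
# needs no admin rights to install or to swap the payload later.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)", re.I
)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)

HKU_RUN = (r"\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

REPORT_RUN_VALUES = [
    (HKLM_RUN, "Purchase Inquiry AS894 - SG633",
     r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js"'),
    (HKU_RUN, "YVBPFHTJIQ", r'"C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js"'),
    # constructed benign control, not from the report
    (HKLM_RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes
    (the sample's filename contains spaces, so naive split() would break it)."""
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def analyze_run_value(key: str, name: str, data: str) -> dict:
    """Return hypothetical reason codes explaining why one autorun entry is suspicious."""
    codes = set()
    tokens = split_cmdline(data)
    if not tokens:
        return {"key": key, "name": name, "codes": codes, "suspicious": False}
    head = os.path.basename(tokens[0].replace("\\", "/")).lower()
    if head in SCRIPT_HOSTS:
        codes.add("script_host")
    for tok in tokens:
        low = tok.lower()
        # //B puts wscript in batch mode: script errors and prompts are
        # suppressed, so a failing payload never shows the user a dialog.
        if low == "//b" or low.startswith("//e:"):
            codes.add("batch_mode")
        if os.path.splitext(low)[1] in SCRIPT_EXTS:
            codes.add("script_payload")
            if USER_WRITABLE.search(tok):
                codes.add("user_writable_path")
    # Only entries that actually live under Run/RunOnce are persistence.
    suspicious = bool(RUN_KEY.search(key)) and bool(codes & {"script_host", "script_payload"})
    return {"key": key, "name": name, "codes": codes, "suspicious": suspicious}


def is_startup_script(path: str) -> bool:
    """True for a script dropped directly into a Startup folder (per-user or
    all-users); Explorer runs everything there at logon, no registry needed."""
    return bool(STARTUP_DIR.search(path)) and os.path.splitext(path.lower())[1] in SCRIPT_EXTS


def scan(entries) -> list[dict]:
    """Analyze every Run-key entry and keep the ones worth an analyst's attention."""
    return [r for r in (analyze_run_value(*e) for e in entries) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(REPORT_RUN_VALUES):
        print(f"{hit['name']!r}: {', '.join(sorted(hit['codes']))}")
```

Both of the report's Run values are flagged, the first on all four codes and the second (a bare .js path) on the payload and location codes alone, which is why a hunt must not key only on the string "wscript.exe".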
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s). The sandbox's generic description reads this as likely ransomware behaviour; for this family, drive enumeration is also how the WSH worms of the same lineage (Dunihi/Houdini/H-Worm, named in the Suricata signature above) find removable media to copy themselves to, so treat the label as a heuristic rather than a classification of the sample.
-
Script User-Agent (25 IoCs)

Uses a User-Agent string associated with a script host/environment. All 25 HTTP requests (flows 11, 12, 17, 23, 26, 31, 35, 40, 46, 50, 55, 59, 63, 69, 72, 78, 83, 85, 94, 95, 100, 107, 108, 115, 122) carry the same User-Agent header:

WSHRAT|D81A57AE|TBHNEBSE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 16/6/2022|JavaScript

This is the WSHRAT check-in: the victim profile (an identifier, the hostname TBHNEBSE, the user Admin, the OS string, an "nan-av" antivirus field, a flag, the infection date 16/6/2022 and the script flavour) travels in the User-Agent header rather than the request body. The pipe-delimited layout is the stable artefact that signature-based detection such as the two Suricata rules above keys on, and it is the same string whichever of the three wscript.exe processes sends it. Note the trailing space after "Ultimate" in the OS field; matching must tolerate it.
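Because the whole host profile is in one header, a proxy or web-gateway log is enough to inventory infected machines without touching the endpoints. The Python below is an added example, not part of the report or of WSHRAT itself: it parses the pipe-delimited User-Agent shown above out of constructed proxy log lines and collapses repeated check-ins into one record per victim. The field names are labels this example assigns (the report does not name them), the log line format is assumed, and only the User-Agent string and the C2 address are taken from the report.

```python
"""Extract WSHRAT check-ins from proxy logs (added example).

Log line format is assumed: "<ts> <src_ip> <method> <url> "<user-agent>"".
The User-Agent string and the C2 address come from the report; the timestamps,
source IPs and the benign lines are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

LOG_LINES = [
    '2022-06-16T08:43:01Z 10.0.0.5 POST http://62.102.148.154:4044/ '
    '"WSHRAT|D81A57AE|TBHNEBSE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 16/6/2022|JavaScript"',
    '2022-06-16T08:43:08Z 10.0.0.5 POST http://62.102.148.154:4044/ '
    '"WSHRAT|D81A57AE|TBHNEBSE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 16/6/2022|JavaScript"',
    '2022-06-16T08:43:09Z 10.0.0.7 GET http://example.invalid/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
    # the token appears in the URL, not the User-Agent: a UA parser must not fire here
    '2022-06-16T08:44:00Z 10.0.0.9 GET http://example.invalid/search?q=WSHRAT|D81A57AE "Mozilla/5.0"',
]


@dataclass(frozen=True)
class WshratBeacon:
    """One check-in; field names are this example's labels for the nine pipe-separated fields."""
    hwid: str
    hostname: str
    user: str
    os: str
    version: str
    av: str
    usb_spread: Optional[bool]
    install_date: str
    script_type: str


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Return a beacon for a WSHRAT-shaped User-Agent, or None for anything else.
    Strict on field count and the leading tag so look-alike strings do not match."""
    parts = ua.split("|")
    if len(parts) != 9 or parts[0] != "WSHRAT":
        return None
    _tag, hwid, host, user, os_name, version, av, flag_date, script = parts
    # eighth field is "<flag> - <date>"; the observed sample has a trailing
    # space in the OS field, so normalise with strip() before comparing.
    flag, sep, date = flag_date.partition(" - ")
    usb = {"true": True, "false": False}.get(flag.strip().lower())
    return WshratBeacon(hwid, host, user, os_name.strip(), version, av, usb,
                        date.strip() if sep else "", script)


def scan_proxy_log(lines) -> list:
    """Return (timestamp, src_ip, url, beacon) for every WSHRAT check-in."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        beacon = parse_wshrat_ua(m["ua"])
        if beacon:
            hits.append((m["ts"], m["src"], m["url"], beacon))
    return hits


def summarize(hits) -> dict:
    """Collapse repeated check-ins into one record per victim, keyed by the
    identifier field (which, unlike the source IP, survives DHCP changes)."""
    by_host = defaultdict(lambda: {"count": 0, "c2": set(), "src_ips": set(),
                                   "first": None, "last": None})
    for ts, src, url, b in hits:
        rec = by_host[b.hwid]
        rec["count"] += 1
        rec["c2"].add(re.match(r"https?://[^/]+", url).group(0))
        rec["src_ips"].add(src)
        rec["first"] = ts if rec["first"] is None or ts < rec["first"] else rec["first"]
        rec["last"] = ts if rec["last"] is None or ts > rec["last"] else rec["last"]
        rec["hostname"], rec["user"] = b.hostname, b.user
    return dict(by_host)


if __name__ == "__main__":
    for hwid, rec in summarize(scan_proxy_log(LOG_LINES)).items():
        print(hwid, rec["hostname"], rec["user"], rec["count"], sorted(rec["c2"]))
```

The strict nine-field check matters: a User-Agent is attacker-controlled text, so a loose "contains WSHRAT" match is both evadable and prone to firing on URLs or referrers that merely mention the string.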
Suspicious use of WriteProcessMemory (9 IoCs)

- PID 1296 (wscript.exe) wrote to memory of PID 972 (wscript.exe), 3 events
- PID 1296 (wscript.exe) wrote to memory of PID 1088 (wscript.exe), 3 events
- PID 1088 (wscript.exe) wrote to memory of PID 1740 (wscript.exe), 3 events

The writer/target pairs mirror exactly the parent/child relationships in the process tree below (1296 spawns 972 and 1088; 1088 spawns 1740), which is what a parent writing into a freshly created child looks like. Treat this signature as corroboration of the tree, not as evidence of code injection into an unrelated process.
Processes

wscript.exe (PID 1296): C:\Windows\system32\wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry AS894 - SG633.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  |
  +- wscript.exe (PID 972): "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js"
  |    - Blocklisted process makes network request
  |    - Drops startup file
  |    - Adds Run key to start application
  |
  +- wscript.exe (PID 1088): "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js"
       - Blocklisted process makes network request
       - Drops startup file
       - Adds Run key to start application
       - Suspicious use of WriteProcessMemory
       |
       +- wscript.exe (PID 1740): "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js"
            - Blocklisted process makes network request
            - Drops startup file
            - Adds Run key to start application

The initial wscript.exe, launched from the Temp copy, writes itself and atmsLTFoCr.js into AppData\Roaming and relaunches both in batch mode (//B). The relaunched sample (PID 1088) then starts a second instance of atmsLTFoCr.js (PID 1740), so two copies of that script beacon alongside the sample itself, which matches the three PIDs seen making network requests.
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js
  Filesize: 90KB
  MD5: ef6bd6f33894ed4aa9dfd7b008fb3848
  SHA1: f0d5020b90e63e67f8a37619f347c932d35cdd7a
  SHA256: fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c
  SHA512: 9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js
  Filesize: 24KB
  MD5: 9ee8cc5691721deb7ab96277349ecd7b
  SHA1: ccd5c1da84effb50a657fea77d556a737739f1ae
  SHA256: 03c4c01157ef46153a214956db1c45d6f2fa67bbb6ac2e10afe2634c25663505
  SHA512: ef398c9e8ea9fec4646a7a5b4296f08df8729b83ad38335be33daa4d5349f89aafccd9984d7d980515875a2c09bbb01edd7506f5efeea4cf6ee04f8322ce7c64

C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js
  Filesize: 90KB
  MD5: ef6bd6f33894ed4aa9dfd7b008fb3848
  SHA1: f0d5020b90e63e67f8a37619f347c932d35cdd7a
  SHA256: fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c
  SHA512: 9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab

C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js
  Filesize: 24KB
  MD5: 9ee8cc5691721deb7ab96277349ecd7b
  SHA1: ccd5c1da84effb50a657fea77d556a737739f1ae
  SHA256: 03c4c01157ef46153a214956db1c45d6f2fa67bbb6ac2e10afe2634c25663505
  SHA512: ef398c9e8ea9fec4646a7a5b4296f08df8729b83ad38335be33daa4d5349f89aafccd9984d7d980515875a2c09bbb01edd7506f5efeea4cf6ee04f8322ce7c64

Both copies of "Purchase Inquiry AS894 - SG633.js" (Startup folder and AppData\Roaming) carry the same hashes as the submitted sample, so the sample replicates itself byte for byte rather than re-encoding on each copy; a file hash is therefore a usable indicator for this specimen. atmsLTFoCr.js (24KB, SHA256 03c4c01157ef46153a214956db1c45d6f2fa67bbb6ac2e10afe2634c25663505) is a distinct script written out by the sample, not a copy of it, and is the file the YVBPFHTJIQ Run value points at.

Memory dumps
- memory/972-55-0x0000000000000000-mapping.dmp
- memory/1088-57-0x0000000000000000-mapping.dmp
- memory/1296-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp (Filesize: 8KB)
- memory/1740-60-0x0000000000000000-mapping.dmp