Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 17-06-2022 12:24
Static task: static1
Behavioral task: behavioral1
Sample: Custom Clearance Doc. AWB#5305323204643.js
Resource: win7-20220414-en
General
Target: Custom Clearance Doc. AWB#5305323204643.js
Size: 127KB
MD5: ca725f6c53d5cd93cdec59ea14d8493e
SHA1: ca8118f5fa816e134340e114bccf2e2c2c9605b3
SHA256: e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
SHA512: 4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
Malware Config
Extracted
Family: wshrat
C2: http://62.102.148.154:4044
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (57 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
pid 1716 (wscript.exe), flows: 9, 14, 21, 28, 37, 42, 52, 57, 65, 75, 82, 90, 99, 105, 112, 120
pid 992 (wscript.exe), flows: 10, 16, 19, 30, 39, 44, 53, 60, 67, 77, 81, 89, 98, 103, 111, 118
pid 1628 (wscript.exe), flows: 11, 12, 17, 22, 26, 31, 35, 40, 46, 50, 55, 59, 63, 70, 72, 79, 83, 85, 92, 95, 100, 107, 108, 115, 121
- Drops startup file (5 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js | wscript.exe
- Adds Run key to start application (2 TTPs, 12 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BkhjCIyWPk.js\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BkhjCIyWPk.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (25 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header, observed on flows 40, 50, 59, 11, 12, 17, 22, 95, 100, 115, 70, 72, 85, 92, 107, 121, 26, 55, 63, 83, 108, 31, 35, 46, 79, each carrying the same value:
WSHRAT|04D6D9C2|AUVQQRRF|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 17/6/2022|JavaScript
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe, wscript.exe
description | pid | process | target process
PID 1732 wrote to memory of 1716 | 1732 | wscript.exe | wscript.exe
PID 1732 wrote to memory of 1716 | 1732 | wscript.exe | wscript.exe
PID 1732 wrote to memory of 1716 | 1732 | wscript.exe | wscript.exe
PID 1732 wrote to memory of 1628 | 1732 | wscript.exe | wscript.exe
PID 1732 wrote to memory of 1628 | 1732 | wscript.exe | wscript.exe
PID 1732 wrote to memory of 1628 | 1732 | wscript.exe | wscript.exe
PID 1628 wrote to memory of 992 | 1628 | wscript.exe | wscript.exe
PID 1628 wrote to memory of 992 | 1628 | wscript.exe | wscript.exe
PID 1628 wrote to memory of 992 | 1628 | wscript.exe | wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\Custom Clearance Doc. AWB#5305323204643.js"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
   2. C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Custom Clearance Doc. AWB#5305323204643.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wscript.exe
         "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js"
         - Blocklisted process makes network request
         - Drops startup file
         - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js
  Filesize: 37KB
  MD5: 863b5a9c6fb45aac728f10cb43fa8a9a
  SHA1: 216392b8a0821a05137229fd38df6af354d9696a
  SHA256: 52374610175d7340729819e2e64a88a5f8a973e9f134280740130341f4ac0ec9
  SHA512: 582db6f1da204e96f892b736e055b40dfd3f5eb5853c01c98c50c8987f7f69007203156341711668ea09126d5d90847c5ec2d1595d2b1ce2fc1dd3255cdb34c1
- C:\Users\Admin\AppData\Roaming\Custom Clearance Doc. AWB#5305323204643.js
  Filesize: 127KB
  MD5: ca725f6c53d5cd93cdec59ea14d8493e
  SHA1: ca8118f5fa816e134340e114bccf2e2c2c9605b3
  SHA256: e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
  SHA512: 4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js
  Filesize: 37KB
  MD5: 863b5a9c6fb45aac728f10cb43fa8a9a
  SHA1: 216392b8a0821a05137229fd38df6af354d9696a
  SHA256: 52374610175d7340729819e2e64a88a5f8a973e9f134280740130341f4ac0ec9
  SHA512: 582db6f1da204e96f892b736e055b40dfd3f5eb5853c01c98c50c8987f7f69007203156341711668ea09126d5d90847c5ec2d1595d2b1ce2fc1dd3255cdb34c1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js
  Filesize: 127KB
  MD5: ca725f6c53d5cd93cdec59ea14d8493e
  SHA1: ca8118f5fa816e134340e114bccf2e2c2c9605b3
  SHA256: e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
  SHA512: 4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
- memory/992-61-0x0000000000000000-mapping.dmp
- memory/1628-57-0x0000000000000000-mapping.dmp
- memory/1716-55-0x0000000000000000-mapping.dmp
- memory/1732-54-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp
  Filesize: 8KB