Analysis
-
max time kernel
148s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
17-06-2022 12:24
Static task
static1
Behavioral task
behavioral1
Sample
Custom Clearance Doc. AWB#5305323204643.js
Resource
win7-20220414-en
General
-
Target
Custom Clearance Doc. AWB#5305323204643.js
-
Size
127KB
-
MD5
ca725f6c53d5cd93cdec59ea14d8493e
-
SHA1
ca8118f5fa816e134340e114bccf2e2c2c9605b3
-
SHA256
e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
-
SHA512
4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
Malware Config
Extracted
wshrat
http://62.102.148.154:4044
Signatures
-
suricata: ET MALWARE WSHRAT CnC Checkin
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request 60 IoCs
Processes: wscript.exe, wscript.exe, wscript.exe
flow  pid   process
5     2116  wscript.exe
6     4412  wscript.exe
7     4068  wscript.exe
14    4412  wscript.exe
15    2116  wscript.exe
16    4068  wscript.exe
21    4412  wscript.exe
24    4412  wscript.exe
25    2116  wscript.exe
26    4068  wscript.exe
27    4412  wscript.exe
29    2116  wscript.exe
30    4068  wscript.exe
31    4412  wscript.exe
39    4412  wscript.exe
40    2116  wscript.exe
41    4068  wscript.exe
42    4412  wscript.exe
43    4412  wscript.exe
44    2116  wscript.exe
45    4068  wscript.exe
46    4412  wscript.exe
47    4412  wscript.exe
51    2116  wscript.exe
52    4068  wscript.exe
53    4412  wscript.exe
56    4412  wscript.exe
57    2116  wscript.exe
58    4068  wscript.exe
60    4412  wscript.exe
61    2116  wscript.exe
62    4412  wscript.exe
63    4068  wscript.exe
64    4412  wscript.exe
65    2116  wscript.exe
66    4068  wscript.exe
67    4412  wscript.exe
71    4412  wscript.exe
72    2116  wscript.exe
73    4068  wscript.exe
74    4412  wscript.exe
75    4412  wscript.exe
76    2116  wscript.exe
77    4068  wscript.exe
78    4412  wscript.exe
79    2116  wscript.exe
80    4068  wscript.exe
81    4412  wscript.exe
82    4412  wscript.exe
83    2116  wscript.exe
84    4068  wscript.exe
85    4412  wscript.exe
86    4412  wscript.exe
87    2116  wscript.exe
88    4068  wscript.exe
89    4412  wscript.exe
90    4412  wscript.exe
91    2116  wscript.exe
92    4068  wscript.exe
93    4412  wscript.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  wscript.exe
-
Drops startup file 5 IoCs
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe
description                   ioc                                                                                                              process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js                           wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js                           wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js                           wscript.exe
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe
description      ioc                                                                                                                                                                                                  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\""  wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\""  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run  wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\""  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run  wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BkhjCIyWPk.js\""  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run  wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BkhjCIyWPk.js\""  wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 28 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description: HTTP User-Agent header
flows: 82, 6, 43, 60, 14, 47, 85, 27, 46, 64, 93, 21, 62, 75, 53, 90, 67, 78, 89, 31, 39, 56, 24, 74, 81, 42, 71, 86
ioc (identical in all 28 flows): WSHRAT|84F3C576|JVJHUWZP|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 17/6/2022|JavaScript
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: wscript.exe, wscript.exe
description                        pid   process      target process
PID 2176 wrote to memory of 2116   2176  wscript.exe  wscript.exe
PID 2176 wrote to memory of 2116   2176  wscript.exe  wscript.exe
PID 2176 wrote to memory of 4412   2176  wscript.exe  wscript.exe
PID 2176 wrote to memory of 4412   2176  wscript.exe  wscript.exe
PID 4412 wrote to memory of 4068   4412  wscript.exe  wscript.exe
PID 4412 wrote to memory of 4068   4412  wscript.exe  wscript.exe
Processes
-
C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Custom Clearance Doc. AWB#5305323204643.js"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  -
  C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Custom Clearance Doc. AWB#5305323204643.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js
Filesize
37KB
MD5
863b5a9c6fb45aac728f10cb43fa8a9a
SHA1
216392b8a0821a05137229fd38df6af354d9696a
SHA256
52374610175d7340729819e2e64a88a5f8a973e9f134280740130341f4ac0ec9
SHA512
582db6f1da204e96f892b736e055b40dfd3f5eb5853c01c98c50c8987f7f69007203156341711668ea09126d5d90847c5ec2d1595d2b1ce2fc1dd3255cdb34c1
-
C:\Users\Admin\AppData\Roaming\Custom Clearance Doc. AWB#5305323204643.js
Filesize
127KB
MD5
ca725f6c53d5cd93cdec59ea14d8493e
SHA1
ca8118f5fa816e134340e114bccf2e2c2c9605b3
SHA256
e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
SHA512
4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js
Filesize
37KB
MD5
863b5a9c6fb45aac728f10cb43fa8a9a
SHA1
216392b8a0821a05137229fd38df6af354d9696a
SHA256
52374610175d7340729819e2e64a88a5f8a973e9f134280740130341f4ac0ec9
SHA512
582db6f1da204e96f892b736e055b40dfd3f5eb5853c01c98c50c8987f7f69007203156341711668ea09126d5d90847c5ec2d1595d2b1ce2fc1dd3255cdb34c1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js
Filesize
127KB
MD5
ca725f6c53d5cd93cdec59ea14d8493e
SHA1
ca8118f5fa816e134340e114bccf2e2c2c9605b3
SHA256
e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
SHA512
4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
-
memory/2116-130-0x0000000000000000-mapping.dmp
-
memory/4068-135-0x0000000000000000-mapping.dmp
-
memory/4412-132-0x0000000000000000-mapping.dmp