Analysis
- Max time kernel: 150s
- Max time network: 156s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-06-2022 14:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Custom Clearance Doc. AWB#5305323204643.js
  - Resource: win7-20220414-en

General
- Target: Custom Clearance Doc. AWB#5305323204643.js
- Size: 127KB
- MD5: ca725f6c53d5cd93cdec59ea14d8493e
- SHA1: ca8118f5fa816e134340e114bccf2e2c2c9605b3
- SHA256: e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
- SHA512: 4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f

Malware Config
Extracted
- Family: wshrat
- C2: http://62.102.148.154:4044
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (58 IoCs)
  Processes (network flow ids per process):
  - wscript.exe, PID 288: flows 9, 13, 23, 27, 36, 41, 49, 56, 63, 70, 76, 82, 92, 99, 103, 111
  - wscript.exe, PID 1312: flows 10, 16, 20, 30, 38, 44, 51, 58, 62, 73, 79, 85, 91, 97, 105, 114
  - wscript.exe, PID 2024: flows 11, 12, 17, 19, 26, 31, 33, 39, 42, 48, 53, 54, 60, 65, 68, 74, 75, 80, 88, 89, 94, 100, 101, 108, 110, 115
- Drops startup file (5 IoCs)
  Processes (description: ioc (process)):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 12 IoCs)
  Processes (description: ioc (process)):
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BkhjCIyWPk.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BkhjCIyWPk.js\"" (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Custom Clearance Doc = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Custom Clearance Doc. AWB#5305323204643.js\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (26 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow ids, ioc):
  - HTTP User-Agent header, flows 11, 12, 17, 19, 26, 31, 33, 39, 42, 48, 53, 54, 60, 65, 68, 74, 75, 80, 88, 89, 94, 100, 101, 108, 110, 115 (26 flows, all carrying the same value):
    WSHRAT|D81A57AE|TBHNEBSE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 21/6/2022|JavaScript
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 1092 wrote to memory of 1312: wscript.exe -> wscript.exe
  - PID 1092 wrote to memory of 1312: wscript.exe -> wscript.exe
  - PID 1092 wrote to memory of 1312: wscript.exe -> wscript.exe
  - PID 1092 wrote to memory of 2024: wscript.exe -> wscript.exe
  - PID 1092 wrote to memory of 2024: wscript.exe -> wscript.exe
  - PID 1092 wrote to memory of 2024: wscript.exe -> wscript.exe
  - PID 2024 wrote to memory of 288: wscript.exe -> wscript.exe
  - PID 2024 wrote to memory of 288: wscript.exe -> wscript.exe
  - PID 2024 wrote to memory of 288: wscript.exe -> wscript.exe
Processes
- C:\Windows\system32\wscript.exe (PID 1092, depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Custom Clearance Doc. AWB#5305323204643.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 1312, depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (PID 2024, depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Custom Clearance Doc. AWB#5305323204643.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 288, depth 3)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\BkhjCIyWPk.js
  Filesize: 37KB
  MD5: 863b5a9c6fb45aac728f10cb43fa8a9a
  SHA1: 216392b8a0821a05137229fd38df6af354d9696a
  SHA256: 52374610175d7340729819e2e64a88a5f8a973e9f134280740130341f4ac0ec9
  SHA512: 582db6f1da204e96f892b736e055b40dfd3f5eb5853c01c98c50c8987f7f69007203156341711668ea09126d5d90847c5ec2d1595d2b1ce2fc1dd3255cdb34c1
- C:\Users\Admin\AppData\Roaming\Custom Clearance Doc. AWB#5305323204643.js
  Filesize: 127KB
  MD5: ca725f6c53d5cd93cdec59ea14d8493e
  SHA1: ca8118f5fa816e134340e114bccf2e2c2c9605b3
  SHA256: e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
  SHA512: 4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BkhjCIyWPk.js
  Filesize: 37KB
  MD5: 863b5a9c6fb45aac728f10cb43fa8a9a
  SHA1: 216392b8a0821a05137229fd38df6af354d9696a
  SHA256: 52374610175d7340729819e2e64a88a5f8a973e9f134280740130341f4ac0ec9
  SHA512: 582db6f1da204e96f892b736e055b40dfd3f5eb5853c01c98c50c8987f7f69007203156341711668ea09126d5d90847c5ec2d1595d2b1ce2fc1dd3255cdb34c1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Custom Clearance Doc. AWB#5305323204643.js
  Filesize: 127KB
  MD5: ca725f6c53d5cd93cdec59ea14d8493e
  SHA1: ca8118f5fa816e134340e114bccf2e2c2c9605b3
  SHA256: e83a856d7552c65e3a8ad5f411cfb0193a057de503be751ddd5e85ec42ad2b82
  SHA512: 4b40a794761d31a70b48993523f8996130f2b612bdf0f0cbef6216981f41ea5f5cb7513e605b954e631664e414bcbf1ff4992abbe5458a886abc312268e07d9f
- memory/288-60-0x0000000000000000-mapping.dmp
- memory/1092-54-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp
  Filesize: 8KB
- memory/1312-55-0x0000000000000000-mapping.dmp
- memory/2024-57-0x0000000000000000-mapping.dmp