Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 31-10-2022 06:21

Static task: static1

Behavioral task: behavioral1
- Sample: Scanned copies.js
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: Scanned copies.js
- Resource: win10v2004-20220812-en
General
- Target: Scanned copies.js
- Size: 52KB
- MD5: 49b13da43564fd53f17eb0a803a92a09
- SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
- SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
- SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31
- SSDEEP: 768:1zPm7PWaktoJJVRurezocS9ZZtfOuuF1wivT7VYJw9Yc0Sa0Z8K:1DqJJ7urem9Z7fxE1wivT7V+c0SaQ8K

Malware Config
Extracted
- Family: wshrat
- C2: http://185.252.178.17:5050
Signatures

- Blocklisted process makes network request (23 IoCs)
  flow  pid   Process
  9     1340  wscript.exe
  10    688   wscript.exe
  11    1372  wscript.exe
  13    1372  wscript.exe
  14    1372  wscript.exe
  16    1372  wscript.exe
  19    1340  wscript.exe
  20    688   wscript.exe
  23    1372  wscript.exe
  25    1372  wscript.exe
  29    1372  wscript.exe
  30    688   wscript.exe
  32    1340  wscript.exe
  34    1372  wscript.exe
  36    1372  wscript.exe
  41    1372  wscript.exe
  42    688   wscript.exe
  44    1340  wscript.exe
  46    1372  wscript.exe
  49    1372  wscript.exe
  50    688   wscript.exe
  52    1340  wscript.exe
  54    1372  wscript.exe

- Drops startup file (5 IoCs)
  description                   ioc                                                                                        Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js   wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js       wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js       wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js       wscript.exe

- Adds Run key to start application (2 TTPs, 8 IoCs)
  description      ioc                                                                                                                                      Process
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                          wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\""   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run                              wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\""   wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                          wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\""   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run                              wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\""   wscript.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Script User-Agent (13 IoCs)
  Uses user-agent string associated with script host/environment.
  description              flow  ioc
  HTTP User-Agent header   14    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   34    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   49    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   29    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   36    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   41    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   11    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   13    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   16    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   23    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   25    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   46    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header   54    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process      procid_target
  PID 360 wrote to memory of 1340      360   wscript.exe  27
  PID 360 wrote to memory of 1340      360   wscript.exe  27
  PID 360 wrote to memory of 1340      360   wscript.exe  27
  PID 360 wrote to memory of 1372      360   wscript.exe  29
  PID 360 wrote to memory of 1372      360   wscript.exe  29
  PID 360 wrote to memory of 1372      360   wscript.exe  29
  PID 1372 wrote to memory of 688      1372  wscript.exe  30
  PID 1372 wrote to memory of 688      1372  wscript.exe  30
  PID 1372 wrote to memory of 688      1372  wscript.exe  30
Processes

- C:\Windows\system32\wscript.exe (PID 360)
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\wscript.exe (PID 1340)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
    - Blocklisted process makes network request
    - Drops startup file

  - C:\Windows\System32\wscript.exe (PID 1372)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\wscript.exe (PID 688)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 10KB (listed three times in the report)
  MD5: 0b3fb1c1e7a5cfdc66b4d3985815e6ff
  SHA1: 2bdade957c852dee5c052729e2a464bbd2454082
  SHA256: b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
  SHA512: 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

- Filesize: 52KB (listed twice in the report; hashes match the submitted sample Scanned copies.js)
  MD5: 49b13da43564fd53f17eb0a803a92a09
  SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
  SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
  SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31