Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 31-10-2022 06:21
Static task: static1
Behavioral task: behavioral1
- Sample: Scanned copies.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Scanned copies.js
- Resource: win10v2004-20220812-en
General
- Target: Scanned copies.js
- Size: 52KB
- MD5: 49b13da43564fd53f17eb0a803a92a09
- SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
- SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
- SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31
- SSDEEP: 768:1zPm7PWaktoJJVRurezocS9ZZtfOuuF1wivT7VYJw9Yc0Sa0Z8K:1DqJJ7urem9Z7fxE1wivT7V+c0SaQ8K
Malware Config
Extracted
- Family: wshrat
- C2: http://185.252.178.17:5050
Signatures
- Blocklisted process makes network request (17 IoCs)

  flow  pid   Process
  9     564   wscript.exe
  10    972   wscript.exe
  11    1232  wscript.exe
  16    1232  wscript.exe
  18    564   wscript.exe
  19    972   wscript.exe
  21    1232  wscript.exe
  24    972   wscript.exe
  25    564   wscript.exe
  27    1232  wscript.exe
  33    1232  wscript.exe
  34    972   wscript.exe
  35    564   wscript.exe
  39    1232  wscript.exe
  40    972   wscript.exe
  41    564   wscript.exe
  44    1232  wscript.exe
- Drops startup file (5 IoCs)

  description / ioc / Process:
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 8 IoCs)

  description / ioc / Process:
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.

  description / flow / ioc:
  HTTP User-Agent header (flow 21): WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
  HTTP User-Agent header (flow 44): WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
- Suspicious use of WriteProcessMemory (9 IoCs)

  description                        pid   Process      procid_target
  PID 1960 wrote to memory of 972    1960  wscript.exe  28
  PID 1960 wrote to memory of 972    1960  wscript.exe  28
  PID 1960 wrote to memory of 972    1960  wscript.exe  28
  PID 1960 wrote to memory of 1232   1960  wscript.exe  29
  PID 1960 wrote to memory of 1232   1960  wscript.exe  29
  PID 1960 wrote to memory of 1232   1960  wscript.exe  29
  PID 1232 wrote to memory of 564    1232  wscript.exe  31
  PID 1232 wrote to memory of 564    1232  wscript.exe  31
  PID 1232 wrote to memory of 564    1232  wscript.exe  31
Processes
- C:\Windows\system32\wscript.exe (PID 1960)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 972)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
    Signatures: Blocklisted process makes network request; Drops startup file
  - C:\Windows\System32\wscript.exe (PID 1232)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 564)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
      Signatures: Blocklisted process makes network request; Drops startup file
Downloads
- Filesize: 10KB
  MD5: 0b3fb1c1e7a5cfdc66b4d3985815e6ff
  SHA1: 2bdade957c852dee5c052729e2a464bbd2454082
  SHA256: b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
  SHA512: 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea
- Filesize: 52KB
  MD5: 49b13da43564fd53f17eb0a803a92a09
  SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
  SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
  SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31