Analysis

max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2022 06:21

Static task: static1

Behavioral task: behavioral1
  Sample: Scanned copies.js
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: Scanned copies.js
  Resource: win10v2004-20220812-en
General

Target: Scanned copies.js
Size: 52KB
MD5: 49b13da43564fd53f17eb0a803a92a09
SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31
SSDEEP: 768:1zPm7PWaktoJJVRurezocS9ZZtfOuuF1wivT7VYJw9Yc0Sa0Z8K:1DqJJ7urem9Z7fxE1wivT7V+c0SaQ8K
Malware Config

Extracted: wshrat
  http://185.252.178.17:5050
Signatures

Blocklisted process makes network request (21 IoCs)

  flow  pid   Process
  9     1664  wscript.exe
  10    1756  wscript.exe
  11    1472  wscript.exe
  12    1472  wscript.exe
  16    1472  wscript.exe
  19    1664  wscript.exe
  20    1756  wscript.exe
  22    1472  wscript.exe
  26    1472  wscript.exe
  28    1756  wscript.exe
  29    1664  wscript.exe
  30    1472  wscript.exe
  36    1664  wscript.exe
  37    1756  wscript.exe
  39    1472  wscript.exe
  41    1472  wscript.exe
  44    1472  wscript.exe
  46    1664  wscript.exe
  48    1756  wscript.exe
  49    1472  wscript.exe
  51    1472  wscript.exe
Drops startup file (5 IoCs)

  description / ioc / Process
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)

  description / ioc / Process
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (11 IoCs)
  Uses user-agent string associated with script host/environment.

  HTTP User-Agent header, flows 11, 12, 16, 30, 41, 44, 51, 22, 26, 39, 49 (identical in all 11):
  WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
Suspicious use of WriteProcessMemory (9 IoCs)

  description                       pid   Process      procid_target
  PID 1988 wrote to memory of 1664  1988  wscript.exe  26
  PID 1988 wrote to memory of 1664  1988  wscript.exe  26
  PID 1988 wrote to memory of 1664  1988  wscript.exe  26
  PID 1988 wrote to memory of 1472  1988  wscript.exe  27
  PID 1988 wrote to memory of 1472  1988  wscript.exe  27
  PID 1988 wrote to memory of 1472  1988  wscript.exe  27
  PID 1472 wrote to memory of 1756  1472  wscript.exe  29
  PID 1472 wrote to memory of 1756  1472  wscript.exe  29
  PID 1472 wrote to memory of 1756  1472  wscript.exe  29
Processes

C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
  PID: 1988
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
    PID: 1664
    - Blocklisted process makes network request
    - Drops startup file

  C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
    PID: 1472
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
      PID: 1756
      - Blocklisted process makes network request
      - Drops startup file
Downloads

Filesize: 10KB
MD5: 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1: 2bdade957c852dee5c052729e2a464bbd2454082
SHA256: b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512: 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

Filesize: 52KB
MD5: 49b13da43564fd53f17eb0a803a92a09
SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31