Analysis

max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2022 17:06

Static task: static1
Behavioral task behavioral1: sample "PO. AND FULL COMPANY DETAILS.js" on resource win7-20220901-en
Behavioral task behavioral2: sample "PO. AND FULL COMPANY DETAILS.js" on resource win10v2004-20220812-en

Both behavioral tasks ran the same file; the signatures, process tree and dropped files below come from the Windows 7 x64 run (platform windows7_x64), which is also the OS the sample's beacon reports.
General

Target: PO. AND FULL COMPANY DETAILS.js (a 52KB JScript file named as a purchase-order lure)
Size: 52KB
MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e
SSDEEP: 1536:jFeQf26nBIldsK9GyP18QyEy4j1vnsrXK:jrzQ7L
Malware Config

Extracted
family: wshrat
C2: http://91.193.75.135:2120

WSH RAT is a Houdini/H-Worm-derived script RAT. The extracted C2 is plain HTTP to a bare IP on a non-standard port (2120), so the traffic carries no TLS and the host/port pair is directly blockable at the proxy or firewall.
Signatures

Blocklisted process makes network request 37 IoCs
(flow numbers are the report's per-connection ids; all three processes are wscript.exe)

PID 2016 wscript.exe: flows 9, 24, 40, 60, 78
PID 1548 wscript.exe: flows 10, 26, 41, 62, 76
PID 1684 wscript.exe: flows 11, 12, 14, 16, 19, 21, 27, 30, 33, 35, 38, 43, 46, 48, 50, 54, 58, 63, 66, 68, 70, 75, 79, 81, 85, 86, 88

The "blocklisted process" here is the Windows Script Host itself. On a managed endpoint wscript.exe should almost never originate network traffic, so script-host egress is a strong signal on its own, independent of the destination.
Drops startup file 5 IoCs

File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js   wscript.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js   wscript.exe
File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js   wscript.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js   wscript.exe   (recorded twice)

Both the renamed copy (KkAJQFWrPZ.js) and a copy under the original lure name are placed in the per-user Startup folder, so either one re-launches the RAT at the next logon even if the Run keys below are removed.
Adds Run key to start application 2 TTPs 8 IoCs
(each of the four operations is recorded twice; the same value name "PO" is written under both the user and the machine Run key)

Key created     \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run   wscript.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\""   wscript.exe
Key created     \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run   wscript.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\""   wscript.exe

The Run value launches a copy of the sample from %AppData%\Roaming with wscript.exe //B (batch mode, which suppresses script errors and prompts). The successful HKLM write shows the script ran with rights to modify the machine-wide Run key (the sandbox user is Admin); on a standard-user host only the HKCU entry would be expected to land.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour", but nothing in this report shows file encryption; for the Houdini/WSH RAT family, drive enumeration is the behaviour behind its removable-drive spreading, the same capability the beacon's USB-spread field reports.
-
Script User-Agent 27 IoCs
Uses user-agent string associated with script host/environment.

All 27 flagged flows (11, 12, 14, 16, 19, 21, 27, 30, 33, 35, 38, 43, 46, 48, 50, 54, 58, 63, 66, 68, 70, 75, 79, 81, 85, 86, 88; these are exactly the flows attributed to PID 1684 above) carry the same HTTP User-Agent header:

WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript

The report does not decode the string. By the commonly documented Houdini/WSHRAT check-in layout the pipe-separated fields are: family marker (WSHRAT), hardware/volume id (94A7BB46), hostname (RYNKSFQE), username (Admin), OS caption (Microsoft Windows 7 Ultimate), build tag (plus), antivirus detected (nan-av, i.e. none found), USB-spread flag with install date (false - 31/10/2022) and script engine (JavaScript). Hostname and username travel in clear text on every request, so the header is both a high-confidence network signature and a leak of host identity to anyone on the path.
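The beacon format above is easy to turn into a proxy-log detection. The following is an added example, not code from the report or from the sandbox vendor: it decodes the pipe-separated WSHRAT User-Agent (using the field order assumed above, which the report itself does not state), scans constructed proxy log lines of the form `<ts> <client> <method> <url> "<user-agent>"`, and marks whether the destination matches the C2 extracted from this sample. The first log line reuses the exact User-Agent and C2 recorded in the report; the other hosts and the second victim's fields are constructed and use documentation IP space.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# C2 host:port from the report's extracted config.
KNOWN_C2 = "91.193.75.135:2120"

# Pipe-separated field layout of the Houdini/WSHRAT check-in User-Agent.
# Assumed: the report does not decode the string; this is the commonly documented order.
FIELD_NAMES = ("marker", "hwid", "hostname", "username", "os",
               "version", "antivirus", "usb_spread", "script_type")

# Constructed proxy log lines (not from the report): <ts> <client> <method> <url> "<user-agent>".
# Line 1 reuses the exact User-Agent and C2 recorded above; the other hosts are documentation IPs.
SAMPLE_LOG = """\
2022-10-31T17:07:01Z 10.0.0.15 POST http://91.193.75.135:2120/ "WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript"
2022-10-31T17:07:03Z 10.0.0.15 GET http://example.com/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"
2022-10-31T17:09:12Z 10.0.0.22 POST http://203.0.113.7:5050/ "WSHRAT|0A1B2C3D|WS-FINANCE|jdoe|Microsoft Windows 10 Pro|plus|Windows Defender|true - 30/10/2022|VBScript"
2022-10-31T17:09:40Z 10.0.0.22 POST http://203.0.113.7:5050/ "WSHRAT|0A1B2C3D|WS-FINANCE"
"""

LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_beacon(user_agent: str) -> Optional[dict]:
    """Decode a WSHRAT check-in User-Agent; None if the UA is not a WSHRAT beacon."""
    if not user_agent.startswith("WSHRAT|"):
        return None
    parts = [p.strip() for p in user_agent.split("|")]
    if len(parts) != len(FIELD_NAMES):
        # Marker present but not the 9-field layout: still report it, flag for manual review.
        return {"marker": "WSHRAT", "layout_ok": False, "raw": user_agent}
    fields = dict(zip(FIELD_NAMES, parts))
    fields["layout_ok"] = True
    return fields


def scan_log(text: str) -> list:
    """Return one hit per log line whose User-Agent is a WSHRAT beacon."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        beacon = parse_beacon(m["ua"])
        if beacon is None:
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "url": m["url"],
            # Matching the known C2 raises confidence, but the UA alone is the detection:
            # a rehosted panel keeps the same beacon format.
            "known_c2": urlsplit(m["url"]).netloc == KNOWN_C2,
            "beacon": beacon,
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        b = h["beacon"]
        who = f'{b["hostname"]}\\{b["username"]}' if b["layout_ok"] else "(unparsed layout)"
        print(f'{h["ts"]} {h["src"]} -> {h["url"]} known_c2={h["known_c2"]} victim={who}')
```

The match is anchored on the `WSHRAT|` prefix rather than on the C2 address, because the same family shows up with different panels; the decoded hostname and username fields give the responder the victim identity straight from the proxy log, without touching the endpoint.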
Suspicious use of WriteProcessMemory 9 IoCs
(each parent/child pair is recorded three times in the report)

PID 1408 wscript.exe wrote to memory of PID 2016   (procid_target 27)
PID 1408 wscript.exe wrote to memory of PID 1684   (procid_target 28)
PID 1684 wscript.exe wrote to memory of PID 1548   (procid_target 30)

The three pairs are exactly the parent/child edges of the process tree below, i.e. the signature fired when each wscript.exe launched its child, not on an injection into an unrelated process. The useful part is the relationship itself: a script host spawning another script host with //B.
Processes

C:\Windows\system32\wscript.exe   PID 1408
  command: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO. AND FULL COMPANY DETAILS.js"
  signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\System32\wscript.exe   PID 2016
  |     command: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
  |     signatures: Blocklisted process makes network request; Drops startup file
  |
  +-- C:\Windows\System32\wscript.exe   PID 1684
        command: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js"
        signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\System32\wscript.exe   PID 1548
              command: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
              signatures: Blocklisted process makes network request; Drops startup file

The launcher (PID 1408) runs the sample from %Temp%; every descendant is the sample or its renamed copy re-executed from %AppData%\Roaming with //B, the WSH batch-mode switch that suppresses script errors and input prompts so nothing is shown to the user. The nesting (wscript.exe spawning wscript.exe //B from a user-writable directory) is the host-side pattern to hunt for, independent of the file names, which a different build changes.
Network
MITRE ATT&CK Enterprise v6
Downloads
(path not recorded; this entry appears three times in the report)
Filesize 10KB
MD5 55e53bf999e8da52880af2e3eb145dd7
SHA1 eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7
SHA256 ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06
SHA512 9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js
(a second 52KB entry with no path carries the same hashes; both are byte-identical to the submitted sample)
Filesize 52KB
MD5 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1 3f0fc1ebce788f408926e5776e290374f380e072
SHA256 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e