Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2022 17:06

General

  • Target

    PO. AND FULL COMPANY DETAILS.js

  • Size

    52KB

  • MD5

    8bc16b0d732b50f86fedb1f18bb0a49a

  • SHA1

    3f0fc1ebce788f408926e5776e290374f380e072

  • SHA256

    22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed

  • SHA512

    9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e

  • SSDEEP

    1536:jFeQf26nBIldsK9GyP18QyEy4j1vnsrXK:jrzQ7L

Malware Config

Extracted

Family

wshrat

C2

http://91.193.75.135:2120

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 37 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 27 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO. AND FULL COMPANY DETAILS.js"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2016
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1548

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js

    Filesize

    10KB

    MD5

    55e53bf999e8da52880af2e3eb145dd7

    SHA1

    eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7

    SHA256

    ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06

    SHA512

    9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

  • C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js

    Filesize

    10KB

    MD5

    55e53bf999e8da52880af2e3eb145dd7

    SHA1

    eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7

    SHA256

    ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06

    SHA512

    9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js

    Filesize

    10KB

    MD5

    55e53bf999e8da52880af2e3eb145dd7

    SHA1

    eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7

    SHA256

    ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06

    SHA512

    9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js

    Filesize

    52KB

    MD5

    8bc16b0d732b50f86fedb1f18bb0a49a

    SHA1

    3f0fc1ebce788f408926e5776e290374f380e072

    SHA256

    22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed

    SHA512

    9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e

  • C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js

    Filesize

    52KB

    MD5

    8bc16b0d732b50f86fedb1f18bb0a49a

    SHA1

    3f0fc1ebce788f408926e5776e290374f380e072

    SHA256

    22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed

    SHA512

    9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e

  • memory/1408-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

    Filesize

    8KB