Analysis
Max time kernel: 150s
Max time network: 178s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 31-10-2022 17:06

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: PO. AND FULL COMPANY DETAILS.js; resource: win7-20220812-en)
- Behavioral task: behavioral2 (sample: PO. AND FULL COMPANY DETAILS.js; resource: win10v2004-20220901-en)
General
Target: PO. AND FULL COMPANY DETAILS.js
Size: 52KB
MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e
SSDEEP: 1536:jFeQf26nBIldsK9GyP18QyEy4j1vnsrXK:jrzQ7L
Malware Config
Extracted family: wshrat
C2: http://91.193.75.135:2120
Signatures

Blocklisted process makes network request (33 IoCs)
Process      pid   flows
wscript.exe  1752  10, 23, 37, 52, 64
wscript.exe  1764  11, 25, 35, 51, 66
wscript.exe  1992  12, 13, 16, 18, 19, 20, 26, 27, 28, 30, 33, 38, 40, 41, 42, 48, 49, 54, 56, 57, 58, 62, 67
Drops startup file (5 IoCs)
description                  | ioc                                                                                                   | Process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js | wscript.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js                    | wscript.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js                    | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js                    | wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description     | ioc                                                                                                                  | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\"" | wscript.exe
Key created     | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run            | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\"" | wscript.exe
Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                        | wscript.exe
Each of the four entries above is recorded twice in the report (8 IoCs in total).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (23 IoCs)
Uses user-agent string associated with script host/environment.
ioc: HTTP User-Agent header
value: WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript
flows: 12, 13, 16, 18, 19, 20, 26, 27, 28, 30, 33, 38, 40, 41, 42, 48, 49, 54, 56, 57, 58, 62, 67
Suspicious use of WriteProcessMemory (9 IoCs)
description                          | pid  | Process     | procid_target
PID 904 wrote to memory of 1752      | 904  | wscript.exe | 27  (3 entries)
PID 904 wrote to memory of 1992      | 904  | wscript.exe | 28  (3 entries)
PID 1992 wrote to memory of 1764     | 1992 | wscript.exe | 30  (3 entries)
Processes
- C:\Windows\system32\wscript.exe (PID 904)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO. AND FULL COMPANY DETAILS.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 1752)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Windows\System32\wscript.exe (PID 1992)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 1764)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
      - Blocklisted process makes network request
      - Drops startup file
Downloads
- Downloaded file (no path recorded), 10KB
  MD5: 55e53bf999e8da52880af2e3eb145dd7
  SHA1: eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7
  SHA256: ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06
  SHA512: 9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js, 52KB (hashes identical to the submitted sample)
  MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
  SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
  SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
  SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e