Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2022 11:36

General

  • Target

    wynmove2.js

  • Size

    24KB

  • MD5

    c786578dbb1fd998f418ed64ea235aaf

  • SHA1

    d4eb6b6dade1b01a016f126989da542718ecc51a

  • SHA256

    273a212f0b2db0d69cf66c7e1270bf9b798078844d20e22986b8670f674bd46b

  • SHA512

    5e88c9208788a4c7be201282e72e0f9827e9a4aecd74fe4b9a4a5f4d67ab88b7c1ae62b9fc317f7a3fc32fb400b2de7f5bfa7596646855068d2b823a2c8c9d74

  • SSDEEP

    384:TkdYmmTE76CKm3xvXreE161NULuRCJMFFk631qf9V9pe9u1EGJgaz02:TQStCJ3hbkRCnl1rJi2

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

http://45.139.105.174:3670

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • WSHRAT payload 2 IoCs
  • Blocklisted process makes network request 32 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 31 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\wynmove2.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove2.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\wynlog02.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:1672

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wynlog02.js

    Filesize

    188KB

    MD5

    159203fbff13320da03487c270bd16c9

    SHA1

    a3f2d4fb77d2c0d08264d40441e5fec872b38b3c

    SHA256

    d2d2d9e5730335867810ac8a3c95a75d36982ababaefd10d197ee4e79ac0fd88

    SHA512

    9bdd4f0d155f0520478e7de55ce31b364882596426399cfdac971d70898528afb112dd0f1972ce58ac2467fad33898e8270f381128c3afa188681b325164a78c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove2.js

    Filesize

    24KB

    MD5

    c786578dbb1fd998f418ed64ea235aaf

    SHA1

    d4eb6b6dade1b01a016f126989da542718ecc51a

    SHA256

    273a212f0b2db0d69cf66c7e1270bf9b798078844d20e22986b8670f674bd46b

    SHA512

    5e88c9208788a4c7be201282e72e0f9827e9a4aecd74fe4b9a4a5f4d67ab88b7c1ae62b9fc317f7a3fc32fb400b2de7f5bfa7596646855068d2b823a2c8c9d74

  • C:\Users\Admin\AppData\Roaming\wynlog02.js

    Filesize

    188KB

    MD5

    159203fbff13320da03487c270bd16c9

    SHA1

    a3f2d4fb77d2c0d08264d40441e5fec872b38b3c

    SHA256

    d2d2d9e5730335867810ac8a3c95a75d36982ababaefd10d197ee4e79ac0fd88

    SHA512

    9bdd4f0d155f0520478e7de55ce31b364882596426399cfdac971d70898528afb112dd0f1972ce58ac2467fad33898e8270f381128c3afa188681b325164a78c

  • C:\Users\Admin\AppData\Roaming\wynmove2.js

    Filesize

    24KB

    MD5

    c786578dbb1fd998f418ed64ea235aaf

    SHA1

    d4eb6b6dade1b01a016f126989da542718ecc51a

    SHA256

    273a212f0b2db0d69cf66c7e1270bf9b798078844d20e22986b8670f674bd46b

    SHA512

    5e88c9208788a4c7be201282e72e0f9827e9a4aecd74fe4b9a4a5f4d67ab88b7c1ae62b9fc317f7a3fc32fb400b2de7f5bfa7596646855068d2b823a2c8c9d74

  • memory/1348-54-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

    Filesize

    8KB