Analysis

Max time kernel: 150s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 03-11-2022 12:21
Static task: static1

Behavioral task: behavioral1
  Sample: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
  Resource: win10v2004-20220812-en

The signatures, process tree and dropped files below are from the behavioral1 (Windows 7 x64) run; the platform field above and the OS caption in the beacon User-Agent both identify that environment.
General

Target: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
Size: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f
SSDEEP: 768:5Kk5HT1xsHylPCTBp0Jv8BD3DQ7vGOAX1OsIWgCX56nu1CPL2lssQ:ZPzwBSvcTQ7+OAX1O3CX56n4GL2lssQ
Malware Config

Extracted family: wshrat
C2 URL (from the extracted configuration): http://harold.jetos.com:1604
Signatures

Blocklisted process makes network request (28 IoCs)
  wscript.exe is on the sandbox's list of processes that are not expected to originate network traffic. Network flows by process:
    PID 1240 wscript.exe: flows 10, 13, 14, 18, 22, 26, 29, 32, 37, 40, 42, 47, 53, 55, 57, 61, 66, 68 (18 flows)
    PID 960 wscript.exe: flows 12, 21, 36, 51, 64 (5 flows)
    PID 268 wscript.exe: flows 11, 24, 35, 50, 63 (5 flows)
Drops startup file (5 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe), 2 events
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js (wscript.exe)
  Both the main script (under its own file name) and the secondary script EsgAyEJrOf.js are placed in the per-user Startup folder, so each runs at every logon of this user independently of the Run key persistence recorded in the next signature.
Adds Run key to start application (2 TTPs, 8 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe), 2 events
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e = wscript.exe //B "C:\Users\Admin\AppData\Roaming\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js" (wscript.exe), 2 events
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (wscript.exe), 2 events
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e = wscript.exe //B "C:\Users\Admin\AppData\Roaming\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js" (wscript.exe), 2 events
  The value name and the copy in AppData\Roaming reuse the script's own file name, which here is the sample's SHA256 only because that is the name it was submitted under. //B runs the Windows Script Host in batch mode, suppressing error dialogs and prompts. Writing the HKLM value requires administrative rights, which the sandbox's Admin account has; the HKCU value needs none.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: "likely ransomware behaviour" is the sandbox's generic description for this signature. Nothing else in this report records file encryption or ransom-note activity, and the extracted configuration identifies the sample as WSH RAT.
Script User-Agent (18 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, identical on flows 10, 13, 14, 18, 22, 26, 29, 32, 37, 40, 42, 47, 53, 55, 57, 61, 66, 68:
    WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript
  These 18 flows are exactly the flows attributed to PID 1240 under "Blocklisted process makes network request", so the check-ins carrying this header come from the Roaming copy of the main script. The pipe-delimited fields carry host fingerprinting data: a family tag, an 8-hex-digit identifier of the kind derived from a volume serial, the hostname, the user name, the OS caption, a build tag, an antivirus field ("nan-av" where none is found), a flag and a date, and the script engine. Reading the fields this way follows the beacon layout commonly described for the Houdini/H-Worm lineage and is analyst interpretation; the report only records the raw string.
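As an added example (not part of the sandbox report or of the malware), the following Python parses this beacon format and flags it in proxy logs. The record layout, the benign lines and the POST to the C2 are constructed for the demo; only the C2 URL and the User-Agent string itself come from this report. The field names follow the commonly described Houdini/H-Worm beacon layout and are an assumption, as is the structural fallback that accepts a renamed family tag.

```python
"""Parse and detect WSH RAT check-in User-Agent strings in proxy logs.

Added example for this report; not part of the sandbox output or of the
malware. Field meanings follow the commonly described beacon layout of the
Houdini/H-Worm lineage and are an analyst interpretation (the report only
shows the raw string). The log lines and their tab-separated layout are
constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The exact header the report recorded on all 18 flagged flows.
OBSERVED_UA = ("WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate "
               "|plus|nan-av|false - 3/11/2022|JavaScript")

_HEX_SERIAL = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Beacon:
    family: str          # literal family tag ("WSHRAT")
    bot_id: str          # 8 hex digits, volume-serial style identifier
    hostname: str
    username: str
    os_caption: str
    build_tag: str       # "plus" in the observed build
    antivirus: str       # "nan-av": no AV product reported
    usb_spread: str      # "true"/"false" flag (assumed meaning)
    install_date: str    # date the implant first ran (assumed meaning)
    script_engine: str   # "JavaScript" in this sample


def parse_beacon(ua: str) -> Optional[Beacon]:
    """Return a Beacon if `ua` has the WSH RAT check-in shape, else None.

    Accepts the literal "WSHRAT" tag, or the structural pattern alone (nine
    pipe-delimited fields with a hex ID in field 2) so a build that renames
    the tag is still caught. The structural fallback is a heuristic.
    """
    parts = ua.split("|")
    if len(parts) != 9:
        return None
    if parts[0] != "WSHRAT" and not _HEX_SERIAL.match(parts[1]):
        return None
    # Field 8 packs the flag and the date as "<flag> - <date>".
    flag, sep, date = parts[7].partition(" - ")
    if not sep:
        return None
    return Beacon(
        family=parts[0], bot_id=parts[1], hostname=parts[2],
        username=parts[3], os_caption=parts[4].strip(), build_tag=parts[5],
        antivirus=parts[6], usb_spread=flag, install_date=date,
        script_engine=parts[8],
    )


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, Beacon]]:
    """Return (src_ip, url, Beacon) for each record whose UA parses.

    Record layout (constructed): src_ip<TAB>method<TAB>url<TAB>user_agent.
    """
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        beacon = parse_beacon(fields[3])
        if beacon is not None:
            hits.append((fields[0], fields[2], beacon))
    return hits


# Constructed sample log: a browser request, a check-in to the C2 URL from the
# report's extracted config, and a truncated UA that must not match.
SAMPLE_LOG = [
    "10.0.0.5\tGET\thttp://example.com/\tMozilla/5.0 (Windows NT 6.1) Firefox/100.0",
    "10.0.0.7\tPOST\thttp://harold.jetos.com:1604\t" + OBSERVED_UA,
    "10.0.0.9\tGET\thttp://example.org/\tWSHRAT|BC40DA2B",
]

if __name__ == "__main__":
    for src, url, b in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {url}: {b.family} id={b.bot_id} host={b.hostname} "
              f"user={b.username} os={b.os_caption!r} av={b.antivirus}")
```

The parsed fields are what an incident responder wants from this header: the hostname and user name identify the infected machine from the proxy log alone, and the bot ID lets separate C2 sessions from the same host be correlated even if its IP changes.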
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1836 wscript.exe wrote to memory of PID 960 (procid_target 27), 3 events
  PID 1836 wscript.exe wrote to memory of PID 1240 (procid_target 28), 3 events
  PID 1240 wscript.exe wrote to memory of PID 268 (procid_target 30), 3 events
  Each target is a child wscript.exe that the writing process itself launched (see Processes). The pattern is consistent with the writes that accompany process creation rather than injection into an unrelated process.
Processes

C:\Windows\system32\wscript.exe  [PID 1836]
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory

  +-- C:\Windows\System32\wscript.exe  [PID 960]
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
        Signatures: Blocklisted process makes network request; Drops startup file

  +-- C:\Windows\System32\wscript.exe  [PID 1240]
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js"
        Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory

        +-- C:\Windows\System32\wscript.exe  [PID 268]
              Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
              Signatures: Blocklisted process makes network request; Drops startup file

The initial launch from Temp (PID 1836) runs without //B; it sets up persistence, then spawns two silent (//B) wscript.exe instances that run copies placed under AppData\Roaming. The Roaming copy of the main script (PID 1240) repeats the persistence steps and carries all of the beaconing flows. The secondary script EsgAyEJrOf.js is started twice (PIDs 960 and 268), once by each generation of the main script.
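The process tree, the Startup-folder drops and the Run key values above are enough to write a host-side detection. The following Python is an added example, not part of this report or of the sample. It runs three rules over constructed, simplified Sysmon-style event records (process create, registry set-value, file create) built from the paths and values this report shows, plus three benign decoys. The ATT&CK mapping (T1059.007 for the script host execution, T1547.001 for the Run key and Startup folder persistence) is mine, not taken from the report.

```python
"""Host-side detection of the execution and persistence chain in this report.

Added example; not part of the sandbox output or the malware. The events are
constructed, simplified Sysmon-style records using the paths and values the
report shows, plus benign decoys. ATT&CK mappings are the example author's.
"""
import re

# Windows Script Host takes //B (batch mode: no prompts or error dialogs).
# Host options are case-insensitive and a single slash is also accepted.
_SILENT_FLAG = re.compile(r"(?<!\S)/{1,2}b(?!\S)", re.IGNORECASE)
_SCRIPT_HOST = re.compile(r"(?:^|\\)(?:wscript|cscript)\.exe\b", re.IGNORECASE)
_USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\Public|Temp)\\", re.IGNORECASE)
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
_STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
_SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh|hta)$", re.IGNORECASE)


def check_process(ev):
    """Script host run silently from a user-writable path, or by a script host."""
    reasons = []
    if not _SCRIPT_HOST.search(ev["image"]):
        return reasons
    cmd = ev["cmdline"]
    if _SILENT_FLAG.search(cmd) and _USER_WRITABLE.search(cmd):
        reasons.append("silent (//B) script host run from a user-writable directory")
    if _SCRIPT_HOST.search(ev.get("parent_image", "")):
        reasons.append("script host spawned by another script host")
    return reasons


def check_registry(ev):
    """Run key value whose command launches a script host."""
    if ev["op"] != "SetValue" or not _RUN_KEY.search(ev["key"]):
        return []
    if _SCRIPT_HOST.search(ev["data"]):
        return ["Run key value launches a script host"]
    return []


def check_file(ev):
    """Script file written into a Startup folder."""
    if ev["op"] == "create" and _STARTUP_DIR.search(ev["path"]) \
            and _SCRIPT_EXT.search(ev["path"]):
        return ["script dropped into the Startup folder"]
    return []


_CHECKS = {
    "process": (check_process, "T1059.007"),    # Command and Scripting Interpreter: JavaScript
    "registry": (check_registry, "T1547.001"),  # Boot or Logon Autostart: Run Keys / Startup Folder
    "file": (check_file, "T1547.001"),
}


def detect(events):
    """Run the rule for each event type; return one alert per matching event."""
    alerts = []
    for ev in events:
        check, technique = _CHECKS[ev["type"]]
        reasons = check(ev)
        if reasons:
            alerts.append({"technique": technique, "reasons": reasons, "event": ev})
    return alerts


# Constructed events. The first three mirror this report (the EsgAyEJrOf.js
# child process, the HKCU Run value, the Startup drop); the rest are decoys.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"'},
    {"type": "registry", "op": "SetValue",
     "key": r"HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js"'},
    {"type": "file", "op": "create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js"},
    # Decoys: a logon script run by the system, a normal Run entry, a non-script Startup file.
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"wscript.exe C:\ProgramData\logon\map_drives.vbs"},
    {"type": "registry", "op": "SetValue",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file", "op": "create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["technique"], "|", "; ".join(alert["reasons"]))
```

The process rule deliberately needs two signals (the silent flag plus a user-writable script path) before it fires on its own, because wscript.exe running signed logon scripts from system paths is routine in many environments; the script-host-spawns-script-host signal is rarer and is reported separately.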
Downloads

Files are listed once per unique hash. The report lists the 51KB file twice (once with the Startup path shown) and the 10KB file three times, each time without a path.

File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js (hashes match the submitted sample)
  Filesize: 51KB
  MD5: 0d0b5b04e14fcc092409742a84532f26
  SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
  SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
  SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f

File: (path not recorded in the report)
  Filesize: 10KB
  MD5: 69231c3446c45e0863b0f2ce4ca548ee
  SHA1: aa1b5083657f41f604bb5682e52f5016b434f929
  SHA256: 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
  SHA512: a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b