Analysis
- max time kernel: 236s
- max time network: 319s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:15
Static task: static1
Behavioral task: behavioral1
- Sample: LPO-17-006AD.js
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: LPO-17-006AD.js
- Resource: win10v2004-20220812-en
General
- Target: LPO-17-006AD.js
- Size: 46KB
- MD5: 39ebb40e7ee6c296d7b1a9bbb4bbbcd0
- SHA1: 5f902618378e2b6b8de9248cc5b66fb97dc9c597
- SHA256: 1f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824
- SHA512: 87828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d
- SSDEEP: 768:NZLtbhEL68CUNTwpDfBDSQgl99Yi2e69KfDake7sgQGjnS/6IJnXBn0iNtY:5+e8/CDfBDBaJg9XkSsSYBns
Malware Config
Extracted
- Family: wshrat
- http://45.139.105.174:2070
Signatures

Blocklisted process makes network request (18 IoCs)
Processes (flow / pid / process):
- flow 10, pid 516, wscript.exe
- flow 11, pid 1244, wscript.exe
- flow 12, pid 1104, wscript.exe
- flow 17, pid 1104, wscript.exe
- flow 19, pid 516, wscript.exe
- flow 21, pid 1244, wscript.exe
- flow 22, pid 1104, wscript.exe
- flow 23, pid 1104, wscript.exe
- flow 26, pid 1244, wscript.exe
- flow 30, pid 516, wscript.exe
- flow 31, pid 1104, wscript.exe
- flow 36, pid 1104, wscript.exe
- flow 38, pid 1244, wscript.exe
- flow 39, pid 516, wscript.exe
- flow 43, pid 1104, wscript.exe
- flow 45, pid 1244, wscript.exe
- flow 47, pid 516, wscript.exe
- flow 48, pid 1104, wscript.exe

Drops startup file (5 IoCs)
Processes (description / ioc / process):
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGIeVawdbu.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPO-17-006AD.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPO-17-006AD.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGIeVawdbu.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGIeVawdbu.js (wscript.exe)

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\LPO-17-006AD = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\LPO-17-006AD.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPO-17-006AD = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\LPO-17-006AD.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\LPO-17-006AD = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\LPO-17-006AD.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPO-17-006AD = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\LPO-17-006AD.js\"" (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description / flow / ioc):
- HTTP User-Agent header, flow 17: WSHRAT|B07A99DC|VDWSWJJD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/11/2022|JavaScript
- HTTP User-Agent header, flow 22: WSHRAT|B07A99DC|VDWSWJJD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/11/2022|JavaScript
- HTTP User-Agent header, flow 43: WSHRAT|B07A99DC|VDWSWJJD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/11/2022|JavaScript
- HTTP User-Agent header, flow 48: WSHRAT|B07A99DC|VDWSWJJD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/11/2022|JavaScript

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
- PID 944 wrote to memory of 516: pid 944, wscript.exe -> wscript.exe
- PID 944 wrote to memory of 516: pid 944, wscript.exe -> wscript.exe
- PID 944 wrote to memory of 516: pid 944, wscript.exe -> wscript.exe
- PID 944 wrote to memory of 1104: pid 944, wscript.exe -> wscript.exe
- PID 944 wrote to memory of 1104: pid 944, wscript.exe -> wscript.exe
- PID 944 wrote to memory of 1104: pid 944, wscript.exe -> wscript.exe
- PID 1104 wrote to memory of 1244: pid 1104, wscript.exe -> wscript.exe
- PID 1104 wrote to memory of 1244: pid 1104, wscript.exe -> wscript.exe
- PID 1104 wrote to memory of 1244: pid 1104, wscript.exe -> wscript.exe
Processes (process tree; nesting shows parent/child depth)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\LPO-17-006AD.js
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js"
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LPO-17-006AD.js"
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js"
      Signatures:
      - Blocklisted process makes network request
      - Drops startup file
Downloads
- C:\Users\Admin\AppData\Roaming\LPO-17-006AD.js
  Filesize: 46KB
  MD5: 39ebb40e7ee6c296d7b1a9bbb4bbbcd0
  SHA1: 5f902618378e2b6b8de9248cc5b66fb97dc9c597
  SHA256: 1f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824
  SHA512: 87828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPO-17-006AD.js
  Filesize: 46KB
  MD5: 39ebb40e7ee6c296d7b1a9bbb4bbbcd0
  SHA1: 5f902618378e2b6b8de9248cc5b66fb97dc9c597
  SHA256: 1f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824
  SHA512: 87828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGIeVawdbu.js
  Filesize: 8KB
  MD5: 268abf03dff015d5b801bc33fab3b6f7
  SHA1: 05d4f1a10b0766bbe7a1a9ebe4e638f967e60262
  SHA256: e6df3496dd4b4eae8495fbf1456e3a32bbe85b844d1c2a8e8d129bab242bf9cc
  SHA512: 4eeea7fbf65f3e55271212bbae3d0d26ccb2dbdaea2eeda5110480687777e740befd482d0c4c5e69320c7ca4833508538bce3301c89208410f925093453249fd
- C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js
  Filesize: 8KB
  MD5: ea0d77b36ac9cf8c6cdc5b6036926b2d
  SHA1: 0e57942ff644e2fd66aa94c1cf0f8007f0fd57a5
  SHA256: 43038d29162c4df4f2e0aedb0c0ecde9b16ce3fe85c248c45ee215b6cee5b776
  SHA512: 9328bdeb68046519d74c46c321a496832fe601b1d7ee853e160db2042e1a88b7cbfd0eee8474e262a5a5c0f28f9bdf97bf7eefb07265123ce6e0e1874eada887
Memory dumps
- memory/516-55-0x0000000000000000-mapping.dmp
- memory/944-54-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp (Filesize: 8KB)
- memory/1104-57-0x0000000000000000-mapping.dmp
- memory/1244-60-0x0000000000000000-mapping.dmp