Analysis
-
max time kernel
236s -
max time network
319s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
25-11-2022 07:15
General
-
Target
LPO-17-006AD.js
-
Size
46KB
-
MD5
39ebb40e7ee6c296d7b1a9bbb4bbbcd0
-
SHA1
5f902618378e2b6b8de9248cc5b66fb97dc9c597
-
SHA256
1f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824
-
SHA512
87828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d
-
SSDEEP
768:NZLtbhEL68CUNTwpDfBDSQgl99Yi2e69KfDake7sgQGjnS/6IJnXBn0iNtY:5+e8/CDfBDBaJg9XkSsSYBns
Malware Config
Extracted
wshrat
http://45.139.105.174:2070
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 18 IoCs
-
Drops startup file 5 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\LPO-17-006AD.js1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js"2⤵
- Blocklisted process makes network request
- Drops startup file
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LPO-17-006AD.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uGIeVawdbu.js"3⤵
- Blocklisted process makes network request
- Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\LPO-17-006AD.jsFilesize
46KB
MD539ebb40e7ee6c296d7b1a9bbb4bbbcd0
SHA15f902618378e2b6b8de9248cc5b66fb97dc9c597
SHA2561f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824
SHA51287828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPO-17-006AD.jsFilesize
46KB
MD539ebb40e7ee6c296d7b1a9bbb4bbbcd0
SHA15f902618378e2b6b8de9248cc5b66fb97dc9c597
SHA2561f8960fefec1f88953f7a39c21724c732a257554a93c875d42bc1c45f1bae824
SHA51287828b59c8c2dd03199ae4da5832203ba27d9662ebeb69e8a6300ae9d21df658424ba465ec13e17a04b772ce6fa89190c78dd9ca765cd538297f4378aaa3077d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGIeVawdbu.jsFilesize
8KB
MD5268abf03dff015d5b801bc33fab3b6f7
SHA105d4f1a10b0766bbe7a1a9ebe4e638f967e60262
SHA256e6df3496dd4b4eae8495fbf1456e3a32bbe85b844d1c2a8e8d129bab242bf9cc
SHA5124eeea7fbf65f3e55271212bbae3d0d26ccb2dbdaea2eeda5110480687777e740befd482d0c4c5e69320c7ca4833508538bce3301c89208410f925093453249fd
-
C:\Users\Admin\AppData\Roaming\uGIeVawdbu.jsFilesize
8KB
MD5ea0d77b36ac9cf8c6cdc5b6036926b2d
SHA10e57942ff644e2fd66aa94c1cf0f8007f0fd57a5
SHA25643038d29162c4df4f2e0aedb0c0ecde9b16ce3fe85c248c45ee215b6cee5b776
SHA5129328bdeb68046519d74c46c321a496832fe601b1d7ee853e160db2042e1a88b7cbfd0eee8474e262a5a5c0f28f9bdf97bf7eefb07265123ce6e0e1874eada887
-
C:\Users\Admin\AppData\Roaming\uGIeVawdbu.jsFilesize
8KB
MD5ea0d77b36ac9cf8c6cdc5b6036926b2d
SHA10e57942ff644e2fd66aa94c1cf0f8007f0fd57a5
SHA25643038d29162c4df4f2e0aedb0c0ecde9b16ce3fe85c248c45ee215b6cee5b776
SHA5129328bdeb68046519d74c46c321a496832fe601b1d7ee853e160db2042e1a88b7cbfd0eee8474e262a5a5c0f28f9bdf97bf7eefb07265123ce6e0e1874eada887
-
memory/516-55-0x0000000000000000-mapping.dmp
-
memory/944-54-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmpFilesize
8KB
-
memory/1104-57-0x0000000000000000-mapping.dmp
-
memory/1244-60-0x0000000000000000-mapping.dmp