Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: KkzkKniBww_movar.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: KkzkKniBww_movar.js
  Resource: win10v2004-20220812-en
General
Target: KkzkKniBww_movar.js
Size: 63KB
MD5: f26c46d819119f4ccca8d143f93289b7
SHA1: c84db01b0f8406979f8fabc7d73567bb9a5aa90e
SHA256: bc2f42a0cf94f85af568cda4c54cacdfa0934112691c466bd5c6e66c1f027bf8
SHA512: f1280d48ea7eda1617c9091b31f24d73d491b58c9c5cdabeb3fde96642f9c127c4a7a901a43cc8bbfe7a59b2d7fcc762b8cda8c98e3e3fa69483d3411ba210db
SSDEEP: 1536:XZqpqIKrA7C/AXx2BqDLECc5tfOsKsLMYOsor:XZLSbUTf1dLM1
Malware Config
Extracted
wshrat
http://45.139.105.174:7670
Signatures
Blocklisted process makes network request (35 IoCs)
Processes:
  pid 944 (wscript.exe): flows 9, 20, 31, 47, 57
  pid 1344 (wscript.exe): flows 10, 18, 34, 45, 58
  pid 2024 (wscript.exe): flows 11, 12, 13, 15, 16, 21, 24, 25, 26, 30, 35, 36, 38, 39, 42, 48, 49, 50, 52, 55, 60, 62, 63, 64, 68
Drops startup file (5 IoCs)
Processes:
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkzkKniBww_movar.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JCuRXrwISa.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkzkKniBww_movar.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JCuRXrwISa.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JCuRXrwISa.js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\KkzkKniBww_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\KkzkKniBww_movar.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KkzkKniBww_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\KkzkKniBww_movar.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\KkzkKniBww_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\KkzkKniBww_movar.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KkzkKniBww_movar = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\KkzkKniBww_movar.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run (wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (24 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  HTTP User-Agent header, flows 11, 12, 13, 15, 16, 21, 24, 25, 26, 30, 35, 36, 38, 39, 42, 48, 49, 50, 52, 55, 60, 62, 63, 64 (same value in each):
  WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/11/2022|JavaScript
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 1504 (wscript.exe) wrote to memory of PID 944 (wscript.exe)
  PID 1504 (wscript.exe) wrote to memory of PID 944 (wscript.exe)
  PID 1504 (wscript.exe) wrote to memory of PID 944 (wscript.exe)
  PID 1504 (wscript.exe) wrote to memory of PID 2024 (wscript.exe)
  PID 1504 (wscript.exe) wrote to memory of PID 2024 (wscript.exe)
  PID 1504 (wscript.exe) wrote to memory of PID 2024 (wscript.exe)
  PID 2024 (wscript.exe) wrote to memory of PID 1344 (wscript.exe)
  PID 2024 (wscript.exe) wrote to memory of PID 1344 (wscript.exe)
  PID 2024 (wscript.exe) wrote to memory of PID 1344 (wscript.exe)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\KkzkKniBww_movar.js
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JCuRXrwISa.js"
      - Blocklisted process makes network request
      - Drops startup file
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkzkKniBww_movar.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wscript.exe
         Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JCuRXrwISa.js"
         - Blocklisted process makes network request
         - Drops startup file
Downloads
C:\Users\Admin\AppData\Roaming\JCuRXrwISa.js
  Filesize: 14KB
  MD5: c06f22190b4bf0b931057f80c1f3c97d
  SHA1: e9ae59294ceef2115e78d6fb1e92e4374fd1c699
  SHA256: 25d1fc1a5e11d2a7400e0fa379f9779474f73f2894c3d5ad4101999a209f9a13
  SHA512: 6158fb4a7606716f62eaa18c39a6221f8ab7f728a63e2cc37ad6b5346f0d6040c51ad21358cab3a3e70e4f5d8bfb0f6726abd85ba578915a275c14074d3cdfcd
C:\Users\Admin\AppData\Roaming\KkzkKniBww_movar.js
  Filesize: 63KB
  MD5: f26c46d819119f4ccca8d143f93289b7
  SHA1: c84db01b0f8406979f8fabc7d73567bb9a5aa90e
  SHA256: bc2f42a0cf94f85af568cda4c54cacdfa0934112691c466bd5c6e66c1f027bf8
  SHA512: f1280d48ea7eda1617c9091b31f24d73d491b58c9c5cdabeb3fde96642f9c127c4a7a901a43cc8bbfe7a59b2d7fcc762b8cda8c98e3e3fa69483d3411ba210db
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JCuRXrwISa.js
  Filesize: 14KB
  MD5: c06f22190b4bf0b931057f80c1f3c97d
  SHA1: e9ae59294ceef2115e78d6fb1e92e4374fd1c699
  SHA256: 25d1fc1a5e11d2a7400e0fa379f9779474f73f2894c3d5ad4101999a209f9a13
  SHA512: 6158fb4a7606716f62eaa18c39a6221f8ab7f728a63e2cc37ad6b5346f0d6040c51ad21358cab3a3e70e4f5d8bfb0f6726abd85ba578915a275c14074d3cdfcd
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkzkKniBww_movar.js
  Filesize: 63KB
  MD5: f26c46d819119f4ccca8d143f93289b7
  SHA1: c84db01b0f8406979f8fabc7d73567bb9a5aa90e
  SHA256: bc2f42a0cf94f85af568cda4c54cacdfa0934112691c466bd5c6e66c1f027bf8
  SHA512: f1280d48ea7eda1617c9091b31f24d73d491b58c9c5cdabeb3fde96642f9c127c4a7a901a43cc8bbfe7a59b2d7fcc762b8cda8c98e3e3fa69483d3411ba210db
memory/944-55-0x0000000000000000-mapping.dmp
memory/1344-62-0x0000000000000000-mapping.dmp
memory/1504-54-0x000007FEFC291000-0x000007FEFC293000-memory.dmp
  Filesize: 8KB
memory/2024-57-0x0000000000000000-mapping.dmp