Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
24-01-2023 14:11
Static task
static1
Behavioral task
behavioral1
Sample
Solicitation#E62-359.pdf.js
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Solicitation#E62-359.pdf.js
Resource
win10v2004-20220812-en
General
-
Target
Solicitation#E62-359.pdf.js
-
Size
984KB
-
MD5
4e2d729e9c8329faf413b544c6e3e142
-
SHA1
a2e1e676ef6be73c851acbaf46b00eb8635fb875
-
SHA256
069428da73eef276063d954b097054ff9a31b9265d1472fc6e067d88f5be2a87
-
SHA512
24f0eeec9c97dbd77601c46bf2cd4ae02ebfc23f291367d1308a369df8b5f48794a11ec5720853e8507a1fa576d4b9164231ca65a4c7fa12fc7219d3ed86917f
-
SSDEEP
6144:eQfPBx5q0sQ1o7rsbHC01mDBpNW2mTMSbpuV8zeLoJFl7BU/J:eQ3B7qgpkLoU
Malware Config
Extracted
Family: wshrat
C2: http://bona.kasowiitz.com:50125
Signatures
-
Blocklisted process makes network request 58 IoCs
Processes (flow, PID, process):
- wscript.exe, PID 1304: flows 10, 17, 23, 31, 39, 46, 53, 61, 68, 76, 83, 89, 98, 106, 111, 121
- wscript.exe, PID 568: flows 11, 13, 18, 21, 29, 33, 37, 42, 44, 51, 56, 58, 64, 67, 74, 80, 82, 86, 91, 96, 101, 104, 109, 112, 119, 124
- wscript.exe, PID 336: flows 12, 16, 25, 34, 41, 48, 54, 62, 69, 77, 85, 92, 100, 108, 117, 122
-
Drops startup file 5 IoCs
Processes (description, IoC, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitation#E62-359.pdf.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitation#E62-359.pdf.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js (wscript.exe)
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes (description, IoC, process):
- Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitation#E62-359 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitation#E62-359.pdf.js\"" (wscript.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 26 IoCs
Uses user-agent string associated with script host/environment.
Processes (description, flow, IoC):
- HTTP User-Agent header, flows 11, 13, 18, 21, 29, 33, 37, 42, 44, 51, 56, 58, 64, 67, 74, 80, 82, 86, 91, 96, 101, 104, 109, 112, 119, 124 (26 flows, identical value in each): WSHRAT|DC37C744|SABDUHNY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/1/2023|JavaScript
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description, PID, process, target process):
- PID 1504 wrote to memory of 1304: wscript.exe (1504) -> wscript.exe (1304), reported 3 times
- PID 1504 wrote to memory of 568: wscript.exe (1504) -> wscript.exe (568), reported 3 times
- PID 568 wrote to memory of 336: wscript.exe (568) -> wscript.exe (336), reported 3 times
Processes
-
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Solicitation#E62-359.pdf.js
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Solicitation#E62-359.pdf.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (depth 3)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js"
      - Blocklisted process makes network request
      - Drops startup file
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitation#E62-359.pdf.js
Filesize: 984KB
MD5: 4e2d729e9c8329faf413b544c6e3e142
SHA1: a2e1e676ef6be73c851acbaf46b00eb8635fb875
SHA256: 069428da73eef276063d954b097054ff9a31b9265d1472fc6e067d88f5be2a87
SHA512: 24f0eeec9c97dbd77601c46bf2cd4ae02ebfc23f291367d1308a369df8b5f48794a11ec5720853e8507a1fa576d4b9164231ca65a4c7fa12fc7219d3ed86917f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRBIbMCDGn.js
Filesize: 346KB
MD5: feb390b3400f155e4df8ddb4c2e6a121
SHA1: 0c12b706f2b3b1a2db0a2693a8942e14176f56db
SHA256: ab755cf1ba6577b20e2a366910a2bfc9b20cd75c6ac0f4afacb5936e43598902
SHA512: abd24d26576fe88d013e90521d533b182cdcce0085e238d5312840747bd3d854abfc5c218c5ef4e6c8a14e35ba61ac45db8d05ec9a8f73eb7d711c901caa9b0a
-
C:\Users\Admin\AppData\Roaming\Solicitation#E62-359.pdf.js
Filesize: 984KB
MD5: 4e2d729e9c8329faf413b544c6e3e142
SHA1: a2e1e676ef6be73c851acbaf46b00eb8635fb875
SHA256: 069428da73eef276063d954b097054ff9a31b9265d1472fc6e067d88f5be2a87
SHA512: 24f0eeec9c97dbd77601c46bf2cd4ae02ebfc23f291367d1308a369df8b5f48794a11ec5720853e8507a1fa576d4b9164231ca65a4c7fa12fc7219d3ed86917f
-
C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js
Filesize: 346KB
MD5: feb390b3400f155e4df8ddb4c2e6a121
SHA1: 0c12b706f2b3b1a2db0a2693a8942e14176f56db
SHA256: ab755cf1ba6577b20e2a366910a2bfc9b20cd75c6ac0f4afacb5936e43598902
SHA512: abd24d26576fe88d013e90521d533b182cdcce0085e238d5312840747bd3d854abfc5c218c5ef4e6c8a14e35ba61ac45db8d05ec9a8f73eb7d711c901caa9b0a
-
C:\Users\Admin\AppData\Roaming\oRBIbMCDGn.js
Filesize: 346KB
MD5: feb390b3400f155e4df8ddb4c2e6a121
SHA1: 0c12b706f2b3b1a2db0a2693a8942e14176f56db
SHA256: ab755cf1ba6577b20e2a366910a2bfc9b20cd75c6ac0f4afacb5936e43598902
SHA512: abd24d26576fe88d013e90521d533b182cdcce0085e238d5312840747bd3d854abfc5c218c5ef4e6c8a14e35ba61ac45db8d05ec9a8f73eb7d711c901caa9b0a
-
memory/336-58-0x0000000000000000-mapping.dmp
-
memory/568-56-0x0000000000000000-mapping.dmp
-
memory/1304-54-0x0000000000000000-mapping.dmp