Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 31-01-2023 10:16

Static task: static1
Behavioral task: behavioral1
  Sample: 3e1b30de-f946-42cd-85a4-cc60c6337553.js
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 3e1b30de-f946-42cd-85a4-cc60c6337553.js
  Resource: win10v2004-20220812-en
General
Target: 3e1b30de-f946-42cd-85a4-cc60c6337553.js
Size: 994KB
MD5: 3e24fff43158556e25533e4b9ad50ffa
SHA1: 0f681b9867dd9d2db193ffe668c6e401a95aa089
SHA256: 723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f
SHA512: 0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797
SSDEEP: 6144:eQfPBx5q0sQ1o7rsbHC01mDBpNW2mTMSbpuV8bubfQI+IGBYJje:eQ3B7qgpUbfo7
Malware Config
Extracted
wshrat
http://oyo.powrkenken.info:46077
Signatures

Blocklisted process makes network request (55 IoCs)
Processes (flow / pid / process), grouped by pid:
  wscript.exe (pid 1120): flows 10, 17, 20, 33, 36, 44, 53, 61, 66, 74, 81, 89, 96, 104, 111, 119
  wscript.exe (pid 328): flows 11, 15, 21, 32, 38, 46, 51, 59, 65, 76, 79, 87, 94, 103, 108, 117
  wscript.exe (pid 556): flows 12, 13, 19, 23, 29, 34, 39, 42, 49, 54, 58, 62, 68, 72, 77, 82, 85, 92, 98, 101, 105, 109, 115
Drops startup file (5 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js | wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (23 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description | flow | ioc):
  HTTP User-Agent header | flows 12, 13, 19, 23, 29, 34, 39, 42, 49, 54, 58, 62, 68, 72, 77, 82, 85, 92, 98, 101, 105, 109, 115 | WSHRAT|B07A99DC|VDWSWJJD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/1/2023|JavaScript
  (the same User-Agent value was observed on each of the 23 flows listed)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
  PID 1464 wrote to memory of 1120 | 1464 | wscript.exe | wscript.exe
  PID 1464 wrote to memory of 1120 | 1464 | wscript.exe | wscript.exe
  PID 1464 wrote to memory of 1120 | 1464 | wscript.exe | wscript.exe
  PID 1464 wrote to memory of 556 | 1464 | wscript.exe | wscript.exe
  PID 1464 wrote to memory of 556 | 1464 | wscript.exe | wscript.exe
  PID 1464 wrote to memory of 556 | 1464 | wscript.exe | wscript.exe
  PID 556 wrote to memory of 328 | 556 | wscript.exe | wscript.exe
  PID 556 wrote to memory of 328 | 556 | wscript.exe | wscript.exe
  PID 556 wrote to memory of 328 | 556 | wscript.exe | wscript.exe
Processes (process tree; indentation shows parent/child, depth in brackets)

[1] C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\3e1b30de-f946-42cd-85a4-cc60c6337553.js
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pBCXlynutq.js"
        - Blocklisted process makes network request
        - Drops startup file

    [2] C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\3e1b30de-f946-42cd-85a4-cc60c6337553.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\wscript.exe
            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pBCXlynutq.js"
            - Blocklisted process makes network request
            - Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\3e1b30de-f946-42cd-85a4-cc60c6337553.js
  Filesize: 994KB
  MD5: 3e24fff43158556e25533e4b9ad50ffa
  SHA1: 0f681b9867dd9d2db193ffe668c6e401a95aa089
  SHA256: 723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f
  SHA512: 0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js
  Filesize: 994KB
  MD5: 3e24fff43158556e25533e4b9ad50ffa
  SHA1: 0f681b9867dd9d2db193ffe668c6e401a95aa089
  SHA256: 723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f
  SHA512: 0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js
  Filesize: 346KB
  MD5: 332f3d9969e8d9eb6affc2082767c7a9
  SHA1: b1b5a15f54cf685f8447a28df41aa27924f296fb
  SHA256: 9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491
  SHA512: 9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3

C:\Users\Admin\AppData\Roaming\pBCXlynutq.js
  Filesize: 346KB
  MD5: 332f3d9969e8d9eb6affc2082767c7a9
  SHA1: b1b5a15f54cf685f8447a28df41aa27924f296fb
  SHA256: 9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491
  SHA512: 9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3
memory/328-58-0x0000000000000000-mapping.dmp
memory/556-56-0x0000000000000000-mapping.dmp
memory/1120-54-0x0000000000000000-mapping.dmp