Analysis

Max time kernel: 150s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 07-02-2023 17:14

Static task: static1

Behavioral task: behavioral1
Sample: RFQ -F7 AIRCRAFT.js
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: RFQ -F7 AIRCRAFT.js
Resource: win10v2004-20220812-en
General

Target: RFQ -F7 AIRCRAFT.js
Size: 5.5MB
MD5: 5f8b36eb5344031a80d596979dfa752c
SHA1: d9490cf67b33b741237efc63ff56e1b0d8ea36a8
SHA256: 5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7
SHA512: 7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a
SSDEEP: 6144:K41FAmzRqqfadNrdpM66w8yZKTnDC/K3jKkAw41Ue/3tzs/BXACA+HxZjD3I/SVc:/dLyNrdaMvk46efBs5wCxBDTDVCg3vb8
Malware Config

Extracted
Family: wshrat
C2: http://45.139.105.174:1604
Signatures

Blocklisted process makes network request (57 IoCs)
Processes: wscript.exe (PID 980), wscript.exe (PID 992), wscript.exe (PID 1508)
Drops startup file (5 IoCs)
Processes: wscript.exe (4 instances)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe (2 instances)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" (wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (25 IoCs)
Uses user-agent string associated with script host/environment.
- HTTP User-Agent header, identical on flows 11, 12, 17, 20, 28, 33, 36, 41, 46, 51, 57, 59, 64, 69, 73, 79, 81, 86, 93, 96, 101, 104, 109, 115 and 119:
  WSHRAT|DC37C744|SABDUHNY|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/2/2023|JavaScript
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe (2 instances)
- PID 1112 (wscript.exe) wrote to memory of PID 980 (wscript.exe)
- PID 1112 (wscript.exe) wrote to memory of PID 980 (wscript.exe)
- PID 1112 (wscript.exe) wrote to memory of PID 980 (wscript.exe)
- PID 1112 (wscript.exe) wrote to memory of PID 1508 (wscript.exe)
- PID 1112 (wscript.exe) wrote to memory of PID 1508 (wscript.exe)
- PID 1112 (wscript.exe) wrote to memory of PID 1508 (wscript.exe)
- PID 1508 (wscript.exe) wrote to memory of PID 992 (wscript.exe)
- PID 1508 (wscript.exe) wrote to memory of PID 992 (wscript.exe)
- PID 1508 (wscript.exe) wrote to memory of PID 992 (wscript.exe)
Processes

C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ -F7 AIRCRAFT.js"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ -F7 AIRCRAFT.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (depth 3)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js"
      - Blocklisted process makes network request
      - Drops startup file
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js
Filesize: 346KB
MD5: f84df0a06b9da5301c5f2e22dfbf7b4a
SHA1: e1b5db7ad5a714e7df7c35448530de01880a69ed
SHA256: 61a59901043ee5bb3a1ad03cdfa6bf837c9d190a4feacc4d440c56e05ed5121e
SHA512: e21f3981df47d94e7a5bc4575bb8e3354be91ccdbeafcf49512221ece748fcdc308b316fa045ffb324ddd5c75c143c9f53578d914f7ec89f4773a8e8dec434bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js
Filesize: 5.5MB
MD5: 5f8b36eb5344031a80d596979dfa752c
SHA1: d9490cf67b33b741237efc63ff56e1b0d8ea36a8
SHA256: 5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7
SHA512: 7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a

C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js
Filesize: 346KB
MD5: f84df0a06b9da5301c5f2e22dfbf7b4a
SHA1: e1b5db7ad5a714e7df7c35448530de01880a69ed
SHA256: 61a59901043ee5bb3a1ad03cdfa6bf837c9d190a4feacc4d440c56e05ed5121e
SHA512: e21f3981df47d94e7a5bc4575bb8e3354be91ccdbeafcf49512221ece748fcdc308b316fa045ffb324ddd5c75c143c9f53578d914f7ec89f4773a8e8dec434bd

C:\Users\Admin\AppData\Roaming\RFQ -F7 AIRCRAFT.js
Filesize: 5.5MB
MD5: 5f8b36eb5344031a80d596979dfa752c
SHA1: d9490cf67b33b741237efc63ff56e1b0d8ea36a8
SHA256: 5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7
SHA512: 7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a

Memory dumps:
- memory/980-54-0x0000000000000000-mapping.dmp
- memory/992-58-0x0000000000000000-mapping.dmp
- memory/1508-56-0x0000000000000000-mapping.dmp