Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2023 17:14

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ -F7 AIRCRAFT.js
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: RFQ -F7 AIRCRAFT.js
  Resource: win10v2004-20220812-en
General

Target: RFQ -F7 AIRCRAFT.js
Size: 5.5MB
MD5: 5f8b36eb5344031a80d596979dfa752c
SHA1: d9490cf67b33b741237efc63ff56e1b0d8ea36a8
SHA256: 5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7
SHA512: 7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a
SSDEEP: 6144:K41FAmzRqqfadNrdpM66w8yZKTnDC/K3jKkAw41Ue/3tzs/BXACA+HxZjD3I/SVc:/dLyNrdaMvk46efBs5wCxBDTDVCg3vb8
Malware Config
Extracted
wshrat
http://45.139.105.174:1604
Signatures

Blocklisted process makes network request (50 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe

| flow | pid | process |
|---|---|---|
| 15 | 540 | wscript.exe |
| 16 | 4836 | wscript.exe |
| 17 | 1124 | wscript.exe |
| 18 | 4836 | wscript.exe |
| 19 | 540 | wscript.exe |
| 20 | 1124 | wscript.exe |
| 21 | 4836 | wscript.exe |
| 24 | 4836 | wscript.exe |
| 26 | 540 | wscript.exe |
| 27 | 1124 | wscript.exe |
| 34 | 540 | wscript.exe |
| 37 | 1124 | wscript.exe |
| 47 | 540 | wscript.exe |
| 48 | 1124 | wscript.exe |
| 49 | 4836 | wscript.exe |
| 50 | 540 | wscript.exe |
| 52 | 4836 | wscript.exe |
| 56 | 1124 | wscript.exe |
| 65 | 4836 | wscript.exe |
| 67 | 540 | wscript.exe |
| 73 | 1124 | wscript.exe |
| 75 | 4836 | wscript.exe |
| 77 | 540 | wscript.exe |
| 78 | 4836 | wscript.exe |
| 79 | 1124 | wscript.exe |
| 80 | 4836 | wscript.exe |
| 82 | 1124 | wscript.exe |
| 83 | 4836 | wscript.exe |
| 88 | 4836 | wscript.exe |
| 90 | 1124 | wscript.exe |
| 92 | 540 | wscript.exe |
| 93 | 1124 | wscript.exe |
| 103 | 540 | wscript.exe |
| 104 | 1124 | wscript.exe |
| 105 | 4836 | wscript.exe |
| 106 | 4836 | wscript.exe |
| 107 | 540 | wscript.exe |
| 110 | 1124 | wscript.exe |
| 113 | 4836 | wscript.exe |
| 116 | 540 | wscript.exe |
| 119 | 4836 | wscript.exe |
| 121 | 1124 | wscript.exe |
| 125 | 4836 | wscript.exe |
| 126 | 540 | wscript.exe |
| 127 | 1124 | wscript.exe |
| 128 | 4836 | wscript.exe |
| 130 | 4836 | wscript.exe |
| 149 | 540 | wscript.exe |
| 157 | 1124 | wscript.exe |
| 162 | 4836 | wscript.exe |
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe |
Drops startup file (5 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js | wscript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js | wscript.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js | wscript.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js | wscript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js | wscript.exe |
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe, wscript.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" | wscript.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | wscript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" | wscript.exe |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" | wscript.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | wscript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ -F7 AIRCRAFT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ -F7 AIRCRAFT.js\"" | wscript.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (18 IoCs)
Uses user-agent string associated with script host/environment.

All 18 IoCs are of type "HTTP User-Agent header", observed on flows 128, 130, 65, 105, 113, 75, 80, 125, 18, 21, 52, 119, 16, 83, 106, 49, 78 and 162, each carrying the same User-Agent value:

WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 7/2/2023|JavaScript
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe, wscript.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 3144 wrote to memory of 540 | 3144 | wscript.exe | wscript.exe |
| PID 3144 wrote to memory of 540 | 3144 | wscript.exe | wscript.exe |
| PID 3144 wrote to memory of 4836 | 3144 | wscript.exe | wscript.exe |
| PID 3144 wrote to memory of 4836 | 3144 | wscript.exe | wscript.exe |
| PID 4836 wrote to memory of 1124 | 4836 | wscript.exe | wscript.exe |
| PID 4836 wrote to memory of 1124 | 4836 | wscript.exe | wscript.exe |
Processes

- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ -F7 AIRCRAFT.js"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ -F7 AIRCRAFT.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js"
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYffBUOPQw.js
  Filesize: 346KB
  MD5: f84df0a06b9da5301c5f2e22dfbf7b4a
  SHA1: e1b5db7ad5a714e7df7c35448530de01880a69ed
  SHA256: 61a59901043ee5bb3a1ad03cdfa6bf837c9d190a4feacc4d440c56e05ed5121e
  SHA512: e21f3981df47d94e7a5bc4575bb8e3354be91ccdbeafcf49512221ece748fcdc308b316fa045ffb324ddd5c75c143c9f53578d914f7ec89f4773a8e8dec434bd

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ -F7 AIRCRAFT.js
  Filesize: 5.5MB
  MD5: 5f8b36eb5344031a80d596979dfa752c
  SHA1: d9490cf67b33b741237efc63ff56e1b0d8ea36a8
  SHA256: 5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7
  SHA512: 7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a

- C:\Users\Admin\AppData\Roaming\NYffBUOPQw.js
  Filesize: 346KB
  MD5: f84df0a06b9da5301c5f2e22dfbf7b4a
  SHA1: e1b5db7ad5a714e7df7c35448530de01880a69ed
  SHA256: 61a59901043ee5bb3a1ad03cdfa6bf837c9d190a4feacc4d440c56e05ed5121e
  SHA512: e21f3981df47d94e7a5bc4575bb8e3354be91ccdbeafcf49512221ece748fcdc308b316fa045ffb324ddd5c75c143c9f53578d914f7ec89f4773a8e8dec434bd

- C:\Users\Admin\AppData\Roaming\RFQ -F7 AIRCRAFT.js
  Filesize: 5.5MB
  MD5: 5f8b36eb5344031a80d596979dfa752c
  SHA1: d9490cf67b33b741237efc63ff56e1b0d8ea36a8
  SHA256: 5b7fea2fca7f3dfb0e55d4bd6c2c6bfaecdb27c02b2f4e17ddac4985278571d7
  SHA512: 7fc20d4bd25a0c14402325efa3e04d5458933f5211350665bfff4b93c47c5b0c35623b2ab90f016f0279b5e923bba5fe609cf0fe494c4ed85a815cef3555366a

- memory/540-132-0x0000000000000000-mapping.dmp
- memory/1124-136-0x0000000000000000-mapping.dmp
- memory/4836-134-0x0000000000000000-mapping.dmp