Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2023 07:04
Static task: static1
Behavioral task: behavioral1 (Sample: AWB#00756543.pdf.js; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: AWB#00756543.pdf.js; Resource: win10v2004-20230220-en)
General
Target: AWB#00756543.pdf.js
Size: 3.6MB
MD5: 7bfa30c168b4a5dda79908ba88afb1f4
SHA1: 5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5
SHA256: 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
SHA512: 0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca
SSDEEP: 24576:3KbnF5Tsf5pjWDTxVMSTZ2g1oecJ6ZFRUS8jBZv8LlSiKSmCz+nOig2gy4dR6xqT:ixX
Malware Config
Extracted: wshrat
http://rookfellas.mrbasic.com:9202
Signatures
-
Blocklisted process makes network request (20 IoCs)
Processes (flow / pid / process):
pid 1712 wscript.exe: flows 7, 17, 25, 34, 42
pid 324 wscript.exe: flows 8, 9, 12, 15, 18, 21, 24, 26, 29, 32, 35, 38, 40, 43, 45
-
Drops startup file (4 IoCs)
Processes (description / ioc / process):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWB#00756543.pdf.js (wscript.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrZYEAjDyF.js (wscript.exe)
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description / ioc / process):
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWB#00756543 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#00756543.pdf.js\"" (wscript.exe)
Key created: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWB#00756543 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\AWB#00756543.pdf.js\"" (wscript.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent (5 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description / flow / ioc):
HTTP User-Agent header, flows 7, 17, 25, 34, 42: WSHRAT|706EFC06|TMRJMUQF|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2023|JavaScript
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
PID 1712 wrote to memory of 324: wscript.exe -> wscript.exe
PID 1712 wrote to memory of 324: wscript.exe -> wscript.exe
PID 1712 wrote to memory of 324: wscript.exe -> wscript.exe
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB#00756543.pdf.js
  PID: 1712
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (child of the process above)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\yrZYEAjDyF.js"
    PID: 324
    - Blocklisted process makes network request
    - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 3.6MB
MD5: 7bfa30c168b4a5dda79908ba88afb1f4
SHA1: 5baf4ac9e0803e69add06a558dc2e5de9d2b9cb5
SHA256: 2141c93c89f63436f7408c446303f12a1cb9607b7d6d32f1a80e2bdc2d02defd
SHA512: 0af7774c5a4d06cbe890fa94d3a7d7b1bf135372cd2bcc91e7018b4542c5eae86f82245189b7c9798f50d2604908e75b556fe2f18b692dc8585d4139f36630ca
-
Filesize: 346KB
MD5: 4e08cafb44979a23ed156eb84253251f
SHA1: f5b099091b50cae50afc3c857aaa52c74a73ed8d
SHA256: f99e8a6ec4548cb1b24be2e2179926d113d17a1645f95f95211bcded86c3a9df
SHA512: 24a4dc0f1526a21585b12a33caddce44b2f4bd0de55c2ae32ada292dab022cd2070eefd3955f6b4b2e70955caafdf6bba96add5a1d2b7d17189f9d32848a9235