Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-04-2023 01:01
Static task: static1
Behavioral task: behavioral1
  Sample: 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js
  Resource: win10v2004-20230220-en
The signatures, process tree and dropped files below are from the behavioral1 run (Windows 7 x64, see the platform field above).
General
Target: 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js
Size: 2.7MB
MD5: 42a42d7b66691e3fff3e691d70703ce5
SHA1: 9e57f573570d068b964c84b5d7cdbf1fb010e3d9
SHA256: 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb
SHA512: bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d
SSDEEP: 24576:ydSySTD8C4AeGIfkZP5Xog8NWtQVNmxE/imwx+pBUqyO57ZPUm:nnuLh
Malware Config
Extracted
Family: wshrat
C2: http://graceland.dns05.com:2048
The C2 channel is plain HTTP on a non-standard port (2048) to a hostname under dns05.com, a dynamic-DNS domain. Block or alert on the host:port pair rather than on whatever IP it resolved to during the run, since the operator can re-point the name at any time.
Signatures
-
Blocklisted process makes network request 58 IoCs
Processes: wscript.exe (PID 992), wscript.exe (PID 840), wscript.exe (PID 1760)
flow / pid / process, grouped by process:
PID 992 wscript.exe: flows 6, 16, 22, 32, 40, 45, 55, 63, 68, 78, 85, 90, 99, 107, 112, 122 (16 requests)
PID 840 wscript.exe: flows 9, 13, 14, 19, 23, 30, 35, 38, 43, 47, 53, 58, 60, 67, 70, 75, 81, 83, 88, 93, 97, 103, 105, 110, 115, 120 (26 requests)
PID 1760 wscript.exe: flows 12, 17, 26, 33, 41, 49, 56, 65, 72, 79, 86, 91, 101, 109, 113, 124 (16 requests)
Drops startup file 5 IoCs
Processes: wscript.exe (4 instances)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js | wscript.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes: wscript.exe (2 instances)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb = wscript.exe //B "C:\Users\Admin\AppData\Roaming\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb = wscript.exe //B "C:\Users\Admin\AppData\Roaming\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
The same four operations are recorded a second time by the second wscript.exe instance, which makes up the 8 IoCs. The report renders the value with escaped backslashes (\\); the actual data is the command line shown above. //B is batch mode, which suppresses script errors and prompts so a failing script dies silently. The HKLM value could only be written because the sample ran as an administrator (user Admin); on a standard-user account only the HKCU value would succeed, which is why a check for this persistence has to cover both hives.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The report attaches its generic note "Likely ransomware behaviour" to this signature, but that is a heuristic label: nothing else in this run shows file encryption, and for a script RAT drive enumeration is at least as consistent with looking for removable drives to copy itself to as with encrypting them.
-
Script User-Agent 25 IoCs
Uses user-agent string associated with script host/environment.
HTTP User-Agent header observed on flows 13, 14, 19, 23, 30, 35, 38, 43, 47, 53, 58, 60, 67, 70, 75, 81, 83, 88, 93, 97, 103, 105, 110, 115, 120 (all flows of PID 840 except flow 9). All 25 requests carry the identical header:
WSHRAT|C0585B3B|MLXLFKOI|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 11/4/2023|JavaScript-v3.4|IN:India
This is the bot's check-in record rather than a browser string. Read by position: a family tag (WSHRAT), an 8-hex-digit host identifier (C0585B3B), the computer name (MLXLFKOI), the user name (Admin), the OS caption (with a trailing space the sample does not trim), a fixed "plus" marker, the AV status ("nan-av", no product found), a boolean plus the check-in date ("false - 11/4/2023"), the implant version (JavaScript-v3.4) and a country code and name (IN:India), the last being consistent with the ip-api.com lookup above. The fixed "WSHRAT|" prefix and the ten-field pipe layout make a high-confidence proxy or IDS signature, and the host identifier and computer name are the values to pivot on when hunting for other infected machines.
-
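The check-in header above is a stable signature: the WSHRAT| prefix and the ten pipe-separated fields do not change between flows. The following is an added example, not code from the sandbox or the sample, that parses the header into its fields and runs the detection over a proxy log. The field labels are inferred from the position of the values in the report's header; the log format, client IPs, timestamps and the "/" request path are constructed (the report shows only the C2 host and port), as is the header on the ip-api.com line, which the report does not record.

```python
"""Parse WSHRAT check-in User-Agent strings and find them in proxy logs.

Added example for this report, not code from the sandbox or the sample.
The ten-field layout and the field labels are inferred from the position
of the values in the header this report recorded; the proxy log below is
constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

FIELD_NAMES = ("family", "host_id", "computer", "user", "os", "marker",
               "av", "flag_date", "version", "country")


@dataclass(frozen=True)
class Beacon:
    family: str
    host_id: str
    computer: str
    user: str
    os: str
    marker: str
    av: str
    flag_date: str
    version: str
    country: str


def parse_beacon_ua(ua: str) -> Optional[Beacon]:
    """Return a Beacon for a ten-field WSHRAT header, or None for anything else."""
    parts = ua.split("|")
    if len(parts) != len(FIELD_NAMES) or parts[0] != "WSHRAT":
        return None
    # The sample leaves a trailing space after the OS caption; normalise it.
    return Beacon(**{k: v.strip() for k, v in zip(FIELD_NAMES, parts)})


# The header recorded in this report, used as the known-bad vector.
OBSERVED_UA = ("WSHRAT|C0585B3B|MLXLFKOI|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|"
               "false - 11/4/2023|JavaScript-v3.4|IN:India")

# Constructed log format: <epoch> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample traffic: one infected client checking in, one normal browser.
# The ip-api.com line's header is a placeholder; the report does not record it.
SAMPLE_LOG = "\n".join([
    '1681174860 10.0.0.15 GET http://ip-api.com/json/ "Mozilla/4.0 (compatible; placeholder)"',
    f'1681174862 10.0.0.15 POST http://graceland.dns05.com:2048/ "{OBSERVED_UA}"',
    '1681174863 10.0.0.22 GET http://example.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"',
    f'1681174892 10.0.0.15 POST http://graceland.dns05.com:2048/ "{OBSERVED_UA}"',
])


def find_beacons(log_text: str) -> List[dict]:
    """Return one record per request whose User-Agent parses as a WSHRAT beacon."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        beacon = parse_beacon_ua(ua)
        if beacon is None:
            continue
        hits.append({"ts": int(ts), "client": client, "method": method,
                     "c2": urlsplit(url).netloc, "beacon": beacon})
    return hits


def victims(hits: List[dict]) -> Dict[str, Beacon]:
    """Map each beaconing client IP to the identity the implant reported."""
    return {h["client"]: h["beacon"] for h in hits}


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        b = h["beacon"]
        print(f'{h["client"]} -> {h["c2"]}: {b.computer}\\{b.user} id={b.host_id} {b.version} av={b.av}')
```

The detector keys on the header, not on the destination, so it still fires after the operator moves the dynamic-DNS name to a new address; the C2 host:port is extracted from each hit for blocking, and the parsed computer name and host identifier give the incident responder the victim's identity without touching the host.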
Suspicious use of WriteProcessMemory 9 IoCs
Processes: wscript.exe (PID 1376), wscript.exe (PID 840)
description | pid | process | target process
PID 1376 wrote to memory of 992 | 1376 | wscript.exe | wscript.exe (recorded 3 times)
PID 1376 wrote to memory of 840 | 1376 | wscript.exe | wscript.exe (recorded 3 times)
PID 840 wrote to memory of 1760 | 840 | wscript.exe | wscript.exe (recorded 3 times)
Every target is a child the writer had just created (1376 spawned 992 and 840; 840 spawned 1760), so these are the writes a parent makes while setting up a new process, not injection into an unrelated one. The same data assigns PIDs to the process tree below: 1376 is the original wscript.exe, 840 is the Roaming copy of the sample (the only child that itself spawns a process), and 992 and 1760 are the two QziJnhNNpM.js instances.
Processes
1. C:\Windows\system32\wscript.exe (PID 1376)
   command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 992)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QziJnhNNpM.js"
      - Blocklisted process makes network request
      - Drops startup file
   2. C:\Windows\System32\wscript.exe (PID 840)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wscript.exe (PID 1760)
         command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QziJnhNNpM.js"
         - Blocklisted process makes network request
         - Drops startup file
The leading numbers are the report's tree depth. PIDs are taken from the WriteProcessMemory section (1376 spawned 992 and 840, and 840 spawned 1760). Note the pattern: the submitted script re-launches itself from %AppData% in batch mode and drops a second, smaller script (QziJnhNNpM.js) that is started both by the original process and again by the relaunched copy.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js
Filesize: 2.7MB
MD5: 42a42d7b66691e3fff3e691d70703ce5
SHA1: 9e57f573570d068b964c84b5d7cdbf1fb010e3d9
SHA256: 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb
SHA512: bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d
(byte-identical to the submitted sample: the script copies itself to the path its Run value points at)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb.js
Filesize: 2.7MB
MD5: 42a42d7b66691e3fff3e691d70703ce5
SHA1: 9e57f573570d068b964c84b5d7cdbf1fb010e3d9
SHA256: 3beb5d47b8a2cf4b5dc8f442445fae8c26898add6427ea86c27c3af2797356bb
SHA512: bd6691d8853434c30b6e6716d5d2d3bca316bc9ea0b4defface0fd4aaa6fd2bf517db1a53f84ea98d9e16510f27410764adca13a70ba1f0d4707147683949d7d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QziJnhNNpM.js
Filesize: 346KB
MD5: c92fd5c5868d3b5074bdafb4d00bdcc0
SHA1: e5b37d03eaffa0abd95fee227dbc8430d44897d2
SHA256: d97f4e5a8d586a62c824a0a351fa35084a22718cc958897d559625cabc067967
SHA512: 580fea0230467e4b88d92aac86fcc187e6f1689020f9045080cb9f2481f69c83055e2bb69c3e4e2b5354b8380c81b1aa33dcfbad29a5f898e1ac79c3ea444aab
-
C:\Users\Admin\AppData\Roaming\QziJnhNNpM.js
Filesize: 346KB
MD5: c92fd5c5868d3b5074bdafb4d00bdcc0
SHA1: e5b37d03eaffa0abd95fee227dbc8430d44897d2
SHA256: d97f4e5a8d586a62c824a0a351fa35084a22718cc958897d559625cabc067967
SHA512: 580fea0230467e4b88d92aac86fcc187e6f1689020f9045080cb9f2481f69c83055e2bb69c3e4e2b5354b8380c81b1aa33dcfbad29a5f898e1ac79c3ea444aab
(same file as the Startup copy; this is the second-stage script the tree launches with //B from Roaming. Its hashes are the ones to search for on other hosts, since the 2.7MB file name is just the submitted sample's SHA256)