Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2023 13:15

Static task: static1
Behavioral task: behavioral1 (Sample: Tracking_Number.js; Resource: win7-20230703-en)
Behavioral task: behavioral2 (Sample: Tracking_Number.js; Resource: win10v2004-20230703-en)
General
- Target: Tracking_Number.js
- Size: 2.7MB
- MD5: 19c5045d74bd6d55551c00910f44e3cb
- SHA1: fa656d4789cc9f0ec6e3cd211b90eda57302c3ef
- SHA256: 1ee08a9037a820ccadbc782796577fb8581c0003d3f53201510fded41788ddd1
- SHA512: 516771d1bc03cfc404d99681472f2cd09c88ebc71c00c083923807154e257d4aca087d7ab9f05a74152259199223de1b2458af0e5aff0a9aea44f86c7fda0433
- SSDEEP: 24576:QoquCbsNf3EdHLEZ8JUvJbXAGetdw8Rwzgys8Pam8Ve7Ylvi+A:AA

Malware Config
Extracted: wshrat
- http://172.93.181.132:4848
Signatures

Blocklisted process makes network request (58 IoCs)
pid  | Process     | flows
1680 | wscript.exe | 6, 13, 19, 31, 36, 45, 56, 66, 77, 86, 97, 104, 117, 124, 135, 147
2092 | wscript.exe | 9, 14, 22, 32, 38, 49, 59, 69, 80, 92, 99, 110, 119, 129, 136, 149
2292 | wscript.exe | 10, 12, 16, 20, 27, 29, 30, 34, 40, 43, 51, 57, 62, 71, 74, 83, 89, 95, 102, 105, 114, 122, 126, 132, 141, 144

Downloads MZ/PE file

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Drops startup file (5 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sCmQSwcNNH.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tracking_Number.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sCmQSwcNNH.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tracking_Number.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sCmQSwcNNH.js | wscript.exe

Executes dropped EXE (2 IoCs)
pid  | Process
2672 | 123.exe
2220 | 123.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process | entries
Key created | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\software\microsoft\windows\currentversion\run | wscript.exe | 2
Set value (str) | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tracking_Number = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Tracking_Number.js\"" | wscript.exe | 2
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tracking_Number = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Tracking_Number.js\"" | wscript.exe | 2

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2672 set thread context of 2220 | 2672 | 123.exe | 39

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Script User-Agent (26 IoCs)
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header
flows: 30, 83, 102, 114, 122, 126, 132, 27, 29, 62, 20, 43, 51, 57, 71, 89, 95, 141, 16, 144, 12, 34, 40, 74, 105, 10
ioc (identical in all 26 flows): WSHRAT|18BFC807|CQOQSKLT|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/7/2023|JavaScript

Suspicious use of AdjustPrivilegeToken (15 IoCs)
description | pid | Process | entries
Token: SeShutdownPrivilege | 2268 | explorer.exe | 11
Token: 33 | 1416 | AUDIODG.EXE | 2
Token: SeIncBasePriorityPrivilege | 1416 | AUDIODG.EXE | 2

Suspicious use of FindShellTrayWindow (26 IoCs)
pid  | Process      | entries
2268 | explorer.exe | 26

Suspicious use of SendNotifyMessage (53 IoCs)
pid  | Process      | entries
2268 | explorer.exe | 53

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target | entries
PID 1628 wrote to memory of 1680 | 1628 | wscript.exe | 28 | 3
PID 1628 wrote to memory of 2292 | 1628 | wscript.exe | 29 | 3
PID 2292 wrote to memory of 2092 | 2292 | wscript.exe | 31 | 3
PID 2292 wrote to memory of 2672 | 2292 | wscript.exe | 35 | 4
PID 2672 wrote to memory of 2268 | 2672 | 123.exe | 36 | 4
PID 2268 wrote to memory of 2556 | 2268 | explorer.exe | 37 | 3
PID 2672 wrote to memory of 2220 | 2672 | 123.exe | 39 | 9

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\wscript.exe (PID 1628)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Tracking_Number.js
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (PID 1680)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sCmQSwcNNH.js"
        - Blocklisted process makes network request
        - Drops startup file
    C:\Windows\System32\wscript.exe (PID 2292)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tracking_Number.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\wscript.exe (PID 2092)
            Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sCmQSwcNNH.js"
            - Blocklisted process makes network request
            - Drops startup file
        C:\Users\Admin\AppData\Roaming\123.exe (PID 2672)
            Command line: "C:\Users\Admin\AppData\Roaming\123.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\explorer.exe (PID 2268)
                Command line: "C:\Windows\explorer.exe"
                - Modifies Installed Components in the registry
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
                C:\Windows\system32\ctfmon.exe (PID 2556)
                    Command line: ctfmon.exe
            C:\Users\Admin\AppData\Roaming\123.exe (PID 2220)
                Command line: "C:\Users\Admin\AppData\Roaming\123.exe"
                - Executes dropped EXE

C:\Windows\system32\AUDIODG.EXE (PID 1416)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x5cc
    - Suspicious use of AdjustPrivilegeToken