Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system -
submitted
12/09/2023, 20:48
Static task
static1
Behavioral task
behavioral1
Sample
SoftbankNDA.js
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
SoftbankNDA.js
Resource
win10v2004-20230831-en
General
-
Target
SoftbankNDA.js
-
Size
21KB
-
MD5
c8f19fa9f346f7409e3bba98c1e3f058
-
SHA1
d857192d59c0ce2196925ce59436e0e36d94b6ee
-
SHA256
645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808
-
SHA512
cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326
-
SSDEEP
384:n/+tc8v+YhrKZKZXeX5U7CP9fD0eX5GrnB63vQOaSDsvkysjqFJ8TatW8TaUxTam:n/+tbv+YhdZXeXic9fD0eXknB6Y6Dsv7
Malware Config
Extracted
wshrat
http://homesafe1000.duckdns.org:1604
Signatures
-
Blocklisted process makes network request 30 IoCs
flow pid Process 13 4412 wscript.exe 40 4412 wscript.exe 41 4412 wscript.exe 56 4412 wscript.exe 57 4412 wscript.exe 58 4412 wscript.exe 66 4412 wscript.exe 73 4412 wscript.exe 74 4412 wscript.exe 75 4412 wscript.exe 76 4412 wscript.exe 77 4412 wscript.exe 78 4412 wscript.exe 79 4412 wscript.exe 80 4412 wscript.exe 81 4412 wscript.exe 82 4412 wscript.exe 83 4412 wscript.exe 84 4412 wscript.exe 85 4412 wscript.exe 86 4412 wscript.exe 87 4412 wscript.exe 88 4412 wscript.exe 89 4412 wscript.exe 90 4412 wscript.exe 91 4412 wscript.exe 92 4412 wscript.exe 93 4412 wscript.exe 97 4412 wscript.exe 98 4412 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftbankNDA.js wscript.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\"" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\"" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\"" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftbankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftbankNDA.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 30 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 73 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 89 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 91 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 92 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 57 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 75 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 77 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 90 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 97 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 58 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 76 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 80 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 82 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 41 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 81 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 85 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 86 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 88 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 40 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 66 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 74 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 78 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 93 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 98 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 56 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 13 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 79 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 83 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 84 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript HTTP User-Agent header 87 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 12/9/2023|JavaScript -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2572 wrote to memory of 4412 2572 wscript.exe 85 PID 2572 wrote to memory of 4412 2572 wscript.exe 85
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\SoftbankNDA.js1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SoftbankNDA.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4412
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD55d236290513aee2790a35493f660fffb
SHA14f611b6dfeaa13e996259db6358c754f7a862b1b
SHA256273e16331b1c3f3dd6992ff552f846744f3f00a5ab920f8e0873130cb601ca27
SHA51256f09239a9dcdf2995a9b382c2f4a89a5673ee4086324370e1f892e39ba0523be5abbaf5d5a4139b09b7bd2517ca401198ee787ca1845fafcac28f6c8499152e
-
Filesize
21KB
MD5c8f19fa9f346f7409e3bba98c1e3f058
SHA1d857192d59c0ce2196925ce59436e0e36d94b6ee
SHA256645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808
SHA512cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326
-
Filesize
21KB
MD5c8f19fa9f346f7409e3bba98c1e3f058
SHA1d857192d59c0ce2196925ce59436e0e36d94b6ee
SHA256645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808
SHA512cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326