Analysis
- max time kernel: 156s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 08:42
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Inquiry AS894 - SG633.js
Resource: win7-20220414-en
General
- Target: Purchase Inquiry AS894 - SG633.js
- Size: 90KB
- MD5: ef6bd6f33894ed4aa9dfd7b008fb3848
- SHA1: f0d5020b90e63e67f8a37619f347c932d35cdd7a
- SHA256: fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c
- SHA512: 9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab
Malware Config
Extracted
- Family: wshrat
- C2: http://62.102.148.154:4044
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
Blocklisted process makes network request 52 IoCs
Processes (flow numbers grouped by the wscript.exe instance that produced them):
- wscript.exe PID 724: flows 7, 10, 18, 25, 50, 53, 54, 57, 61, 63, 66, 68, 71, 73, 75, 77, 79, 82, 83, 86, 88, 90, 93
- wscript.exe PID 3228: flows 8, 17, 34, 37, 51, 55, 60, 64, 69, 72, 76, 80, 84, 87, 91
- wscript.exe PID 2260: flows 9, 16, 45, 52, 56, 62, 65, 70, 74, 78, 81, 85, 89, 92
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file 5 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atmsLTFoCr.js (wscript.exe)
Adds Run key to start application 2 TTPs 12 IoCs
Processes (value data shown unescaped):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js" (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js" (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js" (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Inquiry AS894 - SG633 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js" (wscript.exe)
Note the two launch styles: the sample's own copy is started through an explicit wscript.exe //B (batch mode, which suppresses script error dialogs), while the secondary atmsLTFoCr.js is registered as a bare path and runs through the .js file association. The HKLM writes succeeded because the sandbox user is an administrator; on a standard-user host only the HKU entries would land.
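The Run-key values and the Startup-folder drops above are the sample's two persistence mechanisms. The following added example (this editor's code, not part of the sandbox report or of the WSHRAT sample) parses the recorded Run-key command lines, resolves which script each one would launch, and flags both patterns seen here: an explicit wscript.exe //B launch and a bare .js path executed through the file association. The registry data and Startup paths are copied from the report; the OneDrive Run value and the .lnk Startup entry are constructed benign entries added for contrast.

```python
"""Triage helper for the two persistence mechanisms recorded in the report:
Run-key values that launch a script host, and script files in the Startup folder.
Added example; the Run values and Startup paths are from the report, the
benign entries are constructed for contrast."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Path fragments a standard user can write to; an autorun pointing here needs no admin rights to plant
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# Run-key value name -> data, as recorded in the report, plus one constructed benign entry
RUN_VALUES: Dict[str, str] = {
    "Purchase Inquiry AS894 - SG633":
        'wscript.exe //B "C:\\Users\\Admin\\AppData\\Roaming\\Purchase Inquiry AS894 - SG633.js"',
    "YVBPFHTJIQ": '"C:\\Users\\Admin\\AppData\\Roaming\\atmsLTFoCr.js"',
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',  # constructed
}

# Startup-folder entries from the report plus one constructed benign shortcut
STARTUP_FILES: List[str] = [
    "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Purchase Inquiry AS894 - SG633.js",
    "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\atmsLTFoCr.js",
    "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Send to OneNote.lnk",  # constructed
]

# A token is either a double-quoted run (quotes stripped) or a bare run of non-whitespace
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_command(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace while keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def script_target(cmd: str) -> Optional[str]:
    """Return the script an autorun command line would execute, or None if it does not run one.

    Two launch styles are handled: an explicit script host (wscript.exe //B "x.js"),
    and a bare path to a script file, which Windows runs through the file association.
    """
    args = split_command(cmd)
    if not args:
        return None
    head = PureWindowsPath(args[0])
    if head.name.lower() in SCRIPT_HOSTS:
        # skip host switches such as //B or //E:JScript; the first other argument is the script
        return next((a for a in args[1:] if not a.startswith("/")), None)
    if head.suffix.lower() in SCRIPT_EXTS:
        return args[0]
    return None


def assess_autorun(name: str, cmd: str) -> dict:
    """Score one Run-key value; any script launch is flagged, with extra reasons where they apply."""
    target = script_target(cmd)
    reasons = []
    if target is not None:
        reasons.append("launches a script through the Windows Script Host")
        if any(frag in target.lower() for frag in USER_WRITABLE):
            reasons.append("script lives in a user-writable directory")
        if "//b" in cmd.lower().split():
            reasons.append("//B batch mode suppresses script errors and prompts")
    return {"name": name, "command": cmd, "target": target,
            "suspicious": bool(reasons), "reasons": reasons}


def flag_startup_scripts(paths: List[str]) -> List[str]:
    """Return Startup-folder entries that are script files rather than shortcuts or executables."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in SCRIPT_EXTS]


def triage() -> dict:
    """Run both checks over the embedded data and return only the findings."""
    return {
        "run_keys": [r for r in (assess_autorun(n, c) for n, c in RUN_VALUES.items()) if r["suspicious"]],
        "startup_scripts": flag_startup_scripts(STARTUP_FILES),
    }


if __name__ == "__main__":
    findings = triage()
    for f in findings["run_keys"]:
        print(f"[Run] {f['name']}: {f['target']} ({'; '.join(f['reasons'])})")
    for path in findings["startup_scripts"]:
        print(f"[Startup] {path}")
```

On a live host the same logic applies to the output of a registry export of both Run keys and a directory listing of the per-user and all-users Startup folders; the tokenizer is deliberately simple and does not handle the rarer cmd.exe quoting forms, so treat an unparsed value as something to look at by hand rather than as benign.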
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature, but nothing else in this report shows file encryption; for this sample, which the Suricata rules above identify as the Houdini/H-Worm/WSHRAT family, drive enumeration is more consistent with the family's worm-style spreading to removable media.
-
Script User-Agent 22 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- HTTP User-Agent header: WSHRAT|2664FCF0|FSHLRPTB|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/6/2022|JavaScript
- Seen on flows 7, 10, 18, 50, 53, 54, 57, 61, 63, 66, 68, 71, 73, 75, 77, 79, 82, 83, 86, 88, 90, 93
All 22 observations carry the identical string, and every one of those flows belongs to wscript.exe PID 724 in the network-request list above. The string is a pipe-delimited check-in, not a browser User-Agent: the family tag, a bot identifier, the hostname, the logged-on user, the OS product name, a build tag, the detected antivirus (none here), a flag with the infection date, and the script engine.
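Because the check-in User-Agent is a fixed pipe-delimited layout, it is a cheap network detection that does not depend on the C2 address surviving. The following added example (this editor's code, not from the report or from the sample) decodes that layout and scans constructed proxy log lines for check-ins, grouping them by reported victim hostname. The log format is invented for the example; the only report-derived values are the User-Agent string and the C2 62.102.148.154:4044. Field names other than hostname, username and OS are this example's own labels for positions the report does not document.

```python
"""Pick WSHRAT check-ins out of HTTP proxy logs by their User-Agent.
Added example; the User-Agent and C2 come from the report, the log lines and
their format are constructed, and field labels beyond hostname/user/OS are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed proxy log: <timestamp> <client> <server> <method> <url> "<User-Agent>"
SAMPLE_LOG = """\
2022-06-16T08:43:01Z 10.0.0.15 62.102.148.154:4044 POST http://62.102.148.154:4044/ "WSHRAT|2664FCF0|FSHLRPTB|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/6/2022|JavaScript"
2022-06-16T08:43:02Z 10.0.0.15 198.51.100.7:443 CONNECT www.example.com:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2022-06-16T08:43:05Z 10.0.0.22 203.0.113.9:80 GET http://203.0.113.9/update.txt "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0)"
2022-06-16T08:44:31Z 10.0.0.15 62.102.148.154:4044 POST http://62.102.148.154:4044/ "WSHRAT|2664FCF0|FSHLRPTB|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/6/2022|JavaScript"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<server>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class WshratBeacon:
    """The eight fields that follow the WSHRAT tag; labels marked 'assumed' are this example's."""
    bot_id: str        # assumed: per-victim identifier (2664FCF0 in the report)
    hostname: str      # FSHLRPTB in the report
    username: str      # Admin
    os_name: str       # Microsoft Windows 10 Pro
    build_tag: str     # assumed: the "plus" field
    av_product: str    # "nan-av" in the report, i.e. no AV detected
    flag_and_date: str # "false - 16/6/2022"
    engine: str        # "JavaScript": assumed to name the script engine of the dropper


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Decode a WSHRAT User-Agent; returns None for anything that is not one."""
    fields = ua.split("|")
    if len(fields) != 9 or fields[0] != "WSHRAT":
        return None
    return WshratBeacon(*fields[1:])


def find_beacons(log_text: str) -> List[dict]:
    """Scan proxy log lines and return every WSHRAT check-in with its client and C2."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected log shape; skip rather than guess
        beacon = parse_wshrat_ua(m["ua"])
        if beacon is None:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "c2": m["server"], "beacon": beacon})
    return hits


def infected_hosts(log_text: str) -> Dict[str, Set[str]]:
    """Group check-ins by the victim hostname the beacon itself reports, with the C2s each one contacted."""
    by_host: Dict[str, Set[str]] = {}
    for hit in find_beacons(log_text):
        by_host.setdefault(hit["beacon"].hostname, set()).add(hit["c2"])
    return by_host


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        b = hit["beacon"]
        print(f"{hit['ts']} {hit['client']} -> {hit['c2']}: {b.hostname}\\{b.username} ({b.os_name}, av={b.av_product})")
    print(infected_hosts(SAMPLE_LOG))
```

The two Suricata rules listed under Signatures already fire on this traffic at the sensor; the parser is for the case where only proxy or web-server logs survive, and it recovers the victim identity from the beacon itself rather than from the client IP, which matters behind NAT.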
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
- PID 1620 (wscript.exe) wrote to memory of PID 3228 (wscript.exe)
- PID 1620 (wscript.exe) wrote to memory of PID 3228 (wscript.exe)
- PID 1620 (wscript.exe) wrote to memory of PID 724 (wscript.exe)
- PID 1620 (wscript.exe) wrote to memory of PID 724 (wscript.exe)
- PID 724 (wscript.exe) wrote to memory of PID 2260 (wscript.exe)
- PID 724 (wscript.exe) wrote to memory of PID 2260 (wscript.exe)
Processes
- C:\Windows\system32\wscript.exe (PID 1620)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry AS894 - SG633.js"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 3228)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (PID 724)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 2260)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Inquiry AS894 - SG633.js
  Filesize: 90KB
  MD5: ef6bd6f33894ed4aa9dfd7b008fb3848
  SHA1: f0d5020b90e63e67f8a37619f347c932d35cdd7a
  SHA256: fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c
  SHA512: 9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab
- C:\Users\Admin\AppData\Roaming\Purchase Inquiry AS894 - SG633.js
  Filesize: 90KB
  MD5: ef6bd6f33894ed4aa9dfd7b008fb3848
  SHA1: f0d5020b90e63e67f8a37619f347c932d35cdd7a
  SHA256: fe71d2ce160281f80957f5a01d72538a497d305e30aa8fbcdf105fd6034f2d8c
  SHA512: 9452a773fb193724eb1e130d180cc1f0a3c58329badffeeb134db8671df981994058bdce1ab758f5d4289b5c3a7d8bb3465201323fabac43c550199b7404b1ab
  (Both copies of the sample hash identically to the submitted file, so the dropper persists itself byte-for-byte rather than re-encoding.)
- C:\Users\Admin\AppData\Roaming\atmsLTFoCr.js
  Filesize: 24KB
  MD5: 9ee8cc5691721deb7ab96277349ecd7b
  SHA1: ccd5c1da84effb50a657fea77d556a737739f1ae
  SHA256: 03c4c01157ef46153a214956db1c45d6f2fa67bbb6ac2e10afe2634c25663505
  SHA512: ef398c9e8ea9fec4646a7a5b4296f08df8729b83ad38335be33daa4d5349f89aafccd9984d7d980515875a2c09bbb01edd7506f5efeea4cf6ee04f8322ce7c64
-
memory/724-132-0x0000000000000000-mapping.dmp
-
memory/2260-134-0x0000000000000000-mapping.dmp
-
memory/3228-130-0x0000000000000000-mapping.dmp