Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 28-06-2022 20:23
Static task: static1
Behavioral task: behavioral1
- Sample: E-receipt #8992-WSH-276020222.js
- Resource: win7-20220414-en
General
- Target: E-receipt #8992-WSH-276020222.js
- Size: 37KB
- MD5: 85f9be3cfbb0cebf7a3f87530dce3297
- SHA1: af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
- SHA256: 7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
- SHA512: c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84
Malware Config
Extracted
wshrat
http://37.0.8.115:8992
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (59 IoCs)
  Processes (network flow ids grouped by pid and process):
  - pid 376 wscript.exe: flows 9, 15, 21, 30, 36, 43, 52, 59, 63, 72, 78, 86, 93, 97, 105, 113
  - pid 1748 wscript.exe: flows 10, 14, 23, 27, 37, 45, 50, 57, 64, 73, 76, 84, 95, 99, 107, 115
  - pid 964 wscript.exe: flows 11, 12, 17, 19, 26, 31, 34, 39, 40, 48, 53, 54, 60, 61, 68, 70, 75, 80, 82, 89, 90, 96, 101, 102, 109, 111, 116
- Drops startup file (5 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-receipt #8992-WSH-276020222.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-receipt #8992-WSH-276020222.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 12 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\dqVXIXkqsq.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\dqVXIXkqsq.js\"" (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (27 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow ids, ioc):
  - HTTP User-Agent header, flows 11, 12, 17, 19, 26, 31, 34, 39, 40, 48, 53, 54, 60, 61, 68, 70, 75, 80, 82, 89, 90, 96, 101, 102, 109, 111, 116 (the same header value in each): WSHRAT|C8D9762D|TVHJCWMH|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/6/2022|JavaScript
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 1400 wrote to memory of 1748 (wscript.exe -> wscript.exe), recorded 3 times
  - PID 1400 wrote to memory of 964 (wscript.exe -> wscript.exe), recorded 3 times
  - PID 964 wrote to memory of 376 (wscript.exe -> wscript.exe), recorded 3 times
Processes (tree; [n] is the nesting depth)
- [1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\E-receipt #8992-WSH-276020222.js"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js"
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application
  - [2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\E-receipt #8992-WSH-276020222.js"
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js"
      Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\E-receipt #8992-WSH-276020222.js
  Filesize: 37KB
  MD5: 85f9be3cfbb0cebf7a3f87530dce3297
  SHA1: af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
  SHA256: 7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
  SHA512: c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-receipt #8992-WSH-276020222.js
  Filesize: 37KB
  MD5: 85f9be3cfbb0cebf7a3f87530dce3297
  SHA1: af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
  SHA256: 7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
  SHA512: c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84
- C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js
  Filesize: 5KB
  MD5: 47b99c09efd9460d6ca76d2a8075ab2a
  SHA1: b7c04a21fe1ef56a955b939070b3b06bf11a1f1f
  SHA256: 64c706bf226ea66d774c2ffe5ef5350ed2d80b3832a924155f0379cc41b60d45
  SHA512: 04adcead521d715db4d93214e4b05601418046cf72b76ec36a034b8717db555bdc26c5dd40bcca6fa2fb534306df122d57af6a4d56e906d2cec1cb0ee0557cbe
- memory/376-60-0x0000000000000000-mapping.dmp
- memory/964-57-0x0000000000000000-mapping.dmp
- memory/1400-54-0x000007FEFB851000-0x000007FEFB853000-memory.dmp
  Filesize: 8KB
- memory/1748-55-0x0000000000000000-mapping.dmp