Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-06-2022 20:23

Static task: static1
Behavioral task: behavioral1
Sample: E-receipt #8992-WSH-276020222.js
Resource: win7-20220414-en
General
- Target: E-receipt #8992-WSH-276020222.js
- Size: 37KB
- MD5: 85f9be3cfbb0cebf7a3f87530dce3297
- SHA1: af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
- SHA256: 7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
- SHA512: c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84
Malware Config
Extracted:
- family: wshrat
- http://37.0.8.115:8992
Signatures
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

Blocklisted process makes network request (62 IoCs)
Processes: wscript.exe (PID 756), wscript.exe (PID 4036), wscript.exe (PID 4792)

pid   process      flows
756   wscript.exe  5, 11, 18, 21, 27, 30, 39, 41, 47, 48, 53, 54, 57, 61, 62, 65, 66, 69, 70, 73, 74, 78, 79, 82, 85, 86, 89, 90, 93, 94
4036  wscript.exe  6, 12, 23, 32, 45, 50, 56, 60, 64, 68, 72, 76, 81, 84, 88, 92
4792  wscript.exe  7, 13, 22, 31, 44, 49, 55, 59, 63, 67, 71, 75, 80, 83, 87, 91

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe

description        ioc                                                                                                          process
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (5 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe

description                   ioc                                                                                                    process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-receipt #8992-WSH-276020222.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js                    wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-receipt #8992-WSH-276020222.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js                    wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js                    wscript.exe

Adds Run key to start application (2 TTPs, 12 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe, wscript.exe

description      ioc                                                                                                                                                                                                                      process
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\software\microsoft\windows\currentversion\run                                                                                                              wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\""  wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\dqVXIXkqsq.js\""                                         wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\software\microsoft\windows\currentversion\run                                                                                                              wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                                         wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\""                             wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                              wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                                         wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E-receipt #8992-WSH-276020222 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\E-receipt #8992-WSH-276020222.js\""                             wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                              wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\dqVXIXkqsq.js\""                                         wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (30 IoCs)
Uses user-agent string associated with script host/environment.

description             ioc
HTTP User-Agent header  WSHRAT|1A04E476|TLWHJTYB|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/6/2022|JavaScript

The same User-Agent value was observed on 30 flows: 5, 11, 18, 21, 27, 30, 39, 41, 47, 48, 53, 54, 57, 61, 62, 65, 66, 69, 70, 73, 74, 78, 79, 82, 85, 86, 89, 90, 93, 94.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe, wscript.exe

description                         pid   process      target process
PID 3420 wrote to memory of 4036    3420  wscript.exe  wscript.exe
PID 3420 wrote to memory of 4036    3420  wscript.exe  wscript.exe
PID 3420 wrote to memory of 756     3420  wscript.exe  wscript.exe
PID 3420 wrote to memory of 756     3420  wscript.exe  wscript.exe
PID 756 wrote to memory of 4792     756   wscript.exe  wscript.exe
PID 756 wrote to memory of 4792     756   wscript.exe  wscript.exe

Processes (nested by reported depth)
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\E-receipt #8992-WSH-276020222.js"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\E-receipt #8992-WSH-276020222.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\E-receipt #8992-WSH-276020222.js
  Filesize: 37KB
  MD5: 85f9be3cfbb0cebf7a3f87530dce3297
  SHA1: af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
  SHA256: 7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
  SHA512: c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E-receipt #8992-WSH-276020222.js
  Filesize: 37KB
  MD5: 85f9be3cfbb0cebf7a3f87530dce3297
  SHA1: af0fe8f3ef7d964ddbe723106e54244d92b2f5e6
  SHA256: 7ea3bad5df5eacdf31f9bef34b6486c6e709feb5a796f582e6cafe5aea773940
  SHA512: c1b60ec0aabaec7df0e6b37550c2811d43fe4ca6313c1462b14c434e85ec64c270d5ad03c274e0b131374cd58d166fe8764b615e935a8e26006800751014fe84
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqVXIXkqsq.js
  Filesize: 5KB
  MD5: 47b99c09efd9460d6ca76d2a8075ab2a
  SHA1: b7c04a21fe1ef56a955b939070b3b06bf11a1f1f
  SHA256: 64c706bf226ea66d774c2ffe5ef5350ed2d80b3832a924155f0379cc41b60d45
  SHA512: 04adcead521d715db4d93214e4b05601418046cf72b76ec36a034b8717db555bdc26c5dd40bcca6fa2fb534306df122d57af6a4d56e906d2cec1cb0ee0557cbe
- C:\Users\Admin\AppData\Roaming\dqVXIXkqsq.js
  Filesize: 5KB
  MD5: 47b99c09efd9460d6ca76d2a8075ab2a
  SHA1: b7c04a21fe1ef56a955b939070b3b06bf11a1f1f
  SHA256: 64c706bf226ea66d774c2ffe5ef5350ed2d80b3832a924155f0379cc41b60d45
  SHA512: 04adcead521d715db4d93214e4b05601418046cf72b76ec36a034b8717db555bdc26c5dd40bcca6fa2fb534306df122d57af6a4d56e906d2cec1cb0ee0557cbe
- memory/756-132-0x0000000000000000-mapping.dmp
- memory/4036-130-0x0000000000000000-mapping.dmp
- memory/4792-135-0x0000000000000000-mapping.dmp