Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2022 08:27

Static task: static1
Behavioral task: behavioral1
Sample: CREDIT NOTE.js
Resource: win7-20220812-en
General

Target: CREDIT NOTE.js
Size: 47KB
MD5: 771ee97bd2e61801d47f37b60a69d1c8
SHA1: b77ea83d939bc5ce8ceff9668488f8045ba58a0b
SHA256: 25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
SHA512: 2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1
SSDEEP: 768:bH5hjkXAZJMdHG7TH8eA0oWz6nSwsmjX1uMW7/1W8eXBnKX2CzHsPOux4GsPje//:bH5hIwZ+dHk8n0ISwXZ8OBKX2yKCXlgT
Malware Config

Extracted
Family: wshrat
C2: http://3lv15.duckdns.org:6697 (a dynamic-DNS hostname on a non-standard HTTP port)
Signatures

Blocklisted process makes network request (32 IoCs)
wscript.exe is on the sandbox's list of script hosts and living-off-the-land binaries that are not expected to originate network traffic. Two such processes did:
- PID 1272 wscript.exe: flows 7, 9, 10, 13, 14, 16, 20, 23, 24, 27, 29, 31, 35, 37, 40, 42, 45, 48, 52, 53, 56, 58, 60, 64, 66, 68, 70 (27 flows)
- PID 1744 wscript.exe: flows 8, 18, 34, 47, 62 (5 flows)
Drops startup file (4 IoCs)
Processes: wscript.exe (x3)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js (wscript.exe)
Anything in the per-user Startup folder is launched by Explorer at every logon through the .js file association, so this is a second persistence path independent of the Run keys below.
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: wscript.exe (x2)
Each of the two wscript.exe processes performs the same four registry operations (8 IoCs in total):
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\""
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\""

The //B switch runs wscript.exe in batch mode, so script errors and any prompts are suppressed at logon. The value name is simply the sample's own file name, and the target is the copy the script placed under AppData\Roaming rather than the original in Temp. The HKLM write succeeding shows the sample ran with administrative rights (the sandbox user is Admin); on a standard-user account only the HKCU entry would land, so hunting for this family must cover both hives.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; for this sample the better reading is the WSHRAT identification above, since that family enumerates drives in order to copy itself to removable media, and nothing else in this report (no bulk file writes, no renamed or encrypted user files) points to ransomware.
Script User-Agent (27 IoCs)
Uses user-agent string associated with script host/environment.
The same HTTP User-Agent header is sent on 27 flows (7, 9, 10, 13, 14, 16, 20, 23, 24, 27, 29, 31, 35, 37, 40, 42, 45, 48, 52, 53, 56, 58, 60, 64, 66, 68, 70), i.e. exactly the flows attributed to PID 1272 wscript.exe in the blocklisted-process list above:

    WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 30/9/2022|JavaScript

The header is the family's check-in inventory rather than a browser identifier: a fixed WSHRAT marker, two host identifiers, the logged-on user (Admin), the OS string, a "plus" build tag, the AV product detected (nan-av, i.e. none), a USB-spreading flag (false) with the check-in date, and the scripting engine. That field reading follows the Houdini/H-Worm lineage WSHRAT derives from; the report itself only records the raw string. The constant "WSHRAT|" prefix and the pipe-delimited layout make the header a reliable proxy or IDS match on its own, and the two identifier fields let separate hosts be tied to one implant build.
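Because the User-Agent carries the implant's host inventory in a fixed layout, the cheapest detection is to parse it straight out of web-proxy logs. The script below is an added example and not part of the sandbox report: the log lines are constructed in a simple tab-separated layout (timestamp, client, method, URL, status, user-agent) for the demonstration, the WSHRAT User-Agent value and the C2 host are copied from the report, and the HTTP method, client addresses and benign lines are made up. The field names are the Houdini/H-Worm interpretation given above, not something the report states.

```python
"""Parse WSHRAT check-in User-Agent strings out of proxy logs.

Added example; it is not part of the sandbox report. The log lines are
constructed in a tab-separated layout (timestamp, client, method, URL,
status, user-agent); the WSHRAT User-Agent value and the C2 host come from
the report, the HTTP method, client addresses and benign lines are made up.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# A WSHRAT beacon carries its host inventory in the User-Agent header as nine
# '|'-separated fields. The names below follow the Houdini/H-Worm lineage the
# family descends from and are an interpretation, not something the report states.
FIELDS = ("family", "bot_id", "host_tag", "user", "os", "build", "av", "usb_date", "engine")
_WSHRAT_RE = re.compile(r"^WSHRAT(?:\|[^|]*){8}$")


def parse_wshrat_ua(ua: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields as a dict, or None for any other User-Agent."""
    if not _WSHRAT_RE.match(ua):
        return None
    info = dict(zip(FIELDS, (p.strip() for p in ua.split("|"))))
    # The eighth field packs the USB-spreading flag and the date: 'false - 30/9/2022'
    flag, _, date = info.pop("usb_date").partition(" - ")
    info["usb_spread"] = flag
    info["date"] = date
    return info


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Scan tab-separated proxy log lines and return one record per WSHRAT hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ua = line.split("\t", 5)
        info = parse_wshrat_ua(ua)
        if info is not None:
            hits.append({"ts": ts, "client": client, "method": method,
                         "url": url, "status": status, **info})
    return hits


def bots_by_id(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Pivot: which internal clients share a bot id (same infection or cloned image)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        out[h["bot_id"]].add(h["client"])
    return dict(out)


# Constructed sample log. Only the WSHRAT header and the C2 host are real.
WSHRAT_UA = ("WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate "
             "|plus|nan-av|false - 30/9/2022|JavaScript")
SAMPLE_PROXY_LOG = "\n".join([
    "2022-09-30T08:29:01Z\t10.0.0.17\tGET\thttp://example.invalid/\t200\t"
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36",
    "2022-09-30T08:29:04Z\t10.0.0.17\tPOST\thttp://3lv15.duckdns.org:6697/\t200\t" + WSHRAT_UA,
    "2022-09-30T08:29:09Z\t10.0.0.17\tPOST\thttp://3lv15.duckdns.org:6697/\t200\t" + WSHRAT_UA,
    "2022-09-30T08:29:12Z\t10.0.0.23\tGET\thttp://example.invalid/favicon.ico\t404\t"
    "Mozilla/5.0 (Windows NT 10.0; rv:105.0) Gecko/20100101 Firefox/105.0",
])

if __name__ == "__main__":
    hits = find_beacons(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['url']} bot={h['bot_id']} "
              f"user={h['user']} os={h['os']} av={h['av']} usb={h['usb_spread']}")
    print(bots_by_id(hits))
```

Matching on the fixed prefix plus the field count, rather than on the exact string from this run, keeps the rule valid for other victims (different identifiers, user, OS and date) while still rejecting ordinary browser and script-host User-Agents.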
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe (x2)
- PID 1628 wscript.exe wrote to memory of PID 1744 wscript.exe (3 entries)
- PID 1628 wscript.exe wrote to memory of PID 1272 wscript.exe (3 entries)
- PID 1272 wscript.exe wrote to memory of PID 1812 wscript.exe (3 entries)
Each pair is a parent writing into a child it has just created, which the sandbox records under this signature; the entries fix the parent/child relations of the process tree below and are not evidence of injection into an unrelated process.
Processes

The tree below is indented by depth. PIDs are not printed in the tree itself; the mapping given here follows from the WriteProcessMemory entries (1628 spawns 1744 and 1272; 1272 spawns 1812) and from which processes carry the network-request and Run-key signatures.

C:\Windows\system32\wscript.exe "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.js"   (depth 1, PID 1628)
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js"   (depth 2, PID 1744)
        - Blocklisted process makes network request
        - Drops startup file

    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CREDIT NOTE.js"   (depth 2, PID 1272)
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js"   (depth 3, PID 1812)

The original script run from Temp copies itself to AppData\Roaming and relaunches that copy silently (//B); the copy is the process that beacons with the WSHRAT User-Agent, while the smaller WjUZyzILPd.js is started twice, once by the original and once by the Roaming copy.
Downloads

C:\Users\Admin\AppData\Roaming\CREDIT NOTE.js
Filesize: 47KB
MD5: 771ee97bd2e61801d47f37b60a69d1c8
SHA1: b77ea83d939bc5ce8ceff9668488f8045ba58a0b
SHA256: 25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
SHA512: 2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js
Filesize: 47KB
MD5: 771ee97bd2e61801d47f37b60a69d1c8
SHA1: b77ea83d939bc5ce8ceff9668488f8045ba58a0b
SHA256: 25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
SHA512: 2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1

C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js
Filesize: 8KB
MD5: 2f2198533289a4dac6f4406539f5b0f5
SHA1: f37eef69eb03c33e41a0cbe2e3fcfb68070ccb58
SHA256: 2c9f6f3a3ee784722c588ff9bc72259461acc1084629364e44d479792c381bb4
SHA512: cf791618aafeef05a5dd167e32746384f1ec8bb693735bcd7b1538e0ee988c76d4cd0235c951f24675045dcaebcf7d19fb3b8cb9d9ae76a4a1c695de23e612a5

Both copies of CREDIT NOTE.js carry the same hashes as the submitted sample, so the script persists itself byte-for-byte rather than writing a repacked variant; the sample's own hashes therefore remain valid indicators for the dropped copies. WjUZyzILPd.js (8KB) is a distinct second script written by the sample and run as a separate wscript.exe process.
Memory dumps
- memory/1272-57-0x0000000000000000-mapping.dmp
- memory/1628-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp (8KB)
- memory/1744-55-0x0000000000000000-mapping.dmp
- memory/1812-60-0x0000000000000000-mapping.dmp