Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2022 06:21
Static task: static1
Behavioral task: behavioral1
  Sample: Scanned copies.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Scanned copies.js
  Resource: win10v2004-20220812-en
General
Target: Scanned copies.js
Size: 52KB
MD5: 49b13da43564fd53f17eb0a803a92a09
SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31
SSDEEP: 768:1zPm7PWaktoJJVRurezocS9ZZtfOuuF1wivT7VYJw9Yc0Sa0Z8K:1DqJJ7urem9Z7fxE1wivT7V+c0SaQ8K
Malware Config
Extracted
Family: wshrat
C2: http://185.252.178.17:5050
Signatures

Blocklisted process makes network request (21 IoCs)
Each network flow below was initiated by a wscript.exe instance (flow numbers as assigned by the sandbox):
  pid 4632 wscript.exe: flows 6, 24, 44, 52, 61, 67
  pid 4192 wscript.exe: flows 7, 23, 43, 51, 60, 66
  pid 4656 wscript.exe: flows 8, 22, 28, 34, 47, 55, 59, 63, 65
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (5 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)
The same value is written under both the per-user (HKCU) and the machine-wide (HKLM) Run key; the HKLM write succeeds only because the sandbox user (Admin) holds an elevated token, so on a standard-user host expect only the HKCU entry.
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic wording for this signature calls it likely ransomware behaviour, but that is a template inference, not an observation: nothing in this report shows file encryption, and the extracted configuration identifies the sample as WSHRAT, a remote access trojan. Treat the drive enumeration as a RAT capability (drive discovery and possible propagation to attached media) rather than as evidence of ransomware.
Script User-Agent (7 IoCs)
Uses a user-agent string associated with a script host/environment. All seven HTTP requests carry the same header value and all belong to flows attributed above to pid 4656:
  HTTP User-Agent header: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
  flows: 22, 28, 47, 55, 59, 63, 65
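The beacon header above is the cheapest network indicator for this family: it is sent in clear text on every request and the prefix does not change between victims, while the identifier and hostname tokens do. The following is an added example (it is not code from the sandbox report or from the sample) that parses the header into fields and runs a detection over a few constructed proxy-log lines. The report shows the literal value but never documents its layout, so the field names used here (id, hostname, user, os, edition, av, flag, date, lang) are an assumption read off the visible tokens; the log line format, the source address and the non-C2 destination are constructed for the example.

```python
"""Parse and detect the WSHRAT beacon User-Agent recorded in this report.

Added example, not code from the sandbox report or from the sample. The
field names below are an assumption read off the visible header value;
the page does not document the layout. Log lines are constructed.
"""
import re
from typing import Optional

# Pipe-delimited beacon. The penultimate field is "<flag> - <date>".
WSHRAT_UA_RE = re.compile(
    r"^WSHRAT\|(?P<id>[^|]*)\|(?P<hostname>[^|]*)\|(?P<user>[^|]*)\|"
    r"(?P<os>[^|]*)\|(?P<edition>[^|]*)\|(?P<av>[^|]*)\|"
    r"(?P<flag>[^| ]*) - (?P<date>[^|]*)\|(?P<lang>[^|]*)$"
)

# Constructed proxy-log format: <ts> <src> <dst> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: two beacons to the C2 from the report plus one benign browser request.
SAMPLE_LOG = """\
2022-10-31T06:21:40Z 10.0.2.15 185.252.178.17:5050 POST http://185.252.178.17:5050/ "WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript"
2022-10-31T06:21:41Z 10.0.2.15 93.184.216.34:443 GET https://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2022-10-31T06:22:05Z 10.0.2.15 185.252.178.17:5050 POST http://185.252.178.17:5050/ "WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript"
"""


def parse_wshrat_ua(ua: str) -> Optional[dict]:
    """Return the beacon fields, or None if the header is not a WSHRAT beacon."""
    m = WSHRAT_UA_RE.match(ua.strip())
    return m.groupdict() if m else None


def scan_http_log(text: str) -> list[dict]:
    """Flag every request whose User-Agent parses as a WSHRAT beacon."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        fields = parse_wshrat_ua(m.group("ua"))
        if fields:
            hits.append({"line": lineno, "dst": m.group("dst"), **fields})
    return hits


def summarize(hits: list[dict]) -> dict:
    """Collapse beacons into the victim hosts and C2 endpoints they reveal."""
    return {
        "beacons": len(hits),
        "victims": sorted({h["hostname"] for h in hits}),
        "c2": sorted({h["dst"] for h in hits}),
        "av": sorted({h["av"] for h in hits}),
    }


if __name__ == "__main__":
    found = scan_http_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['hostname']} ({h['user']}) -> {h['dst']} av={h['av']}")
    print(summarize(found))
```

Anchor the rule on the `WSHRAT|` prefix and the `- <date>|JavaScript` tail, not on the `94D95F5C` or `GBQHURCC` tokens: those are per-victim values and a rule built on them will match only this sandbox run.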
Suspicious use of WriteProcessMemory (6 IoCs)
Each pair is a parent writing into a child it has just created (each write is recorded twice); the relationships match the process tree below.
  PID 4648 wscript.exe wrote to memory of 4632 (procid_target 79), recorded twice
  PID 4648 wscript.exe wrote to memory of 4656 (procid_target 80), recorded twice
  PID 4656 wscript.exe wrote to memory of 4192 (procid_target 81), recorded twice
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
   PID: 4648
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
      PID: 4632
      - Blocklisted process makes network request
      - Drops startup file
   2. C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
      PID: 4656
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wscript.exe
         "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
         PID: 4192
         - Blocklisted process makes network request
         - Drops startup file
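The Run-key value, the Startup-folder drops and the process tree above all express one pattern: wscript.exe started with //B (suppress errors and prompts) on a .js file under the user's profile. The following is an added example, not code from the sandbox report or from the sample, that turns that pattern into a small hunting check over the Run values, Startup paths and command lines shown in this report (embedded here as constructed input, with one benign Run value and one benign Startup entry added as controls). The list of user-writable directories, the script extensions and the "suspicious" rule are my assumptions, not part of the report.

```python
"""Flag script-host persistence of the kind this report records.

Added example, not code from the sandbox report or from the sample.
Inputs are constructed from the IoCs above; the directory markers,
extension list and verdict rule are assumptions for the example.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Locations a non-admin user can write to (assumed list, not from the report).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Quoted paths stay whole; backslashes are not escapes on Windows command lines.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed from the report: two real Run values plus one benign control.
RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies":
        r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies":
        r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]
PROCESS_CMDLINES = [
    r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"',
    r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"',
    r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"',
]


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def analyze_script_host_cmdline(cmdline: str) -> dict:
    """Explain why a command line does or does not look like script-host persistence."""
    tokens = tokenize(cmdline)
    host = ntpath.basename(tokens[0]).lower() if tokens else ""
    if host not in SCRIPT_HOSTS:
        return {"script_host": False, "host": host, "suspicious": False, "reasons": []}
    flags = [t.lower() for t in tokens[1:] if t.startswith("/")]
    args = [t for t in tokens[1:] if not t.startswith("/")]
    script = args[0] if args else ""
    low = script.lower()
    ext = ntpath.splitext(low)[1]
    silent = "//b" in flags
    user_writable = any(m in low for m in USER_WRITABLE_MARKERS)
    in_startup = STARTUP_MARKER in low
    reasons = [f"{host} runs {ntpath.basename(script) or '<no script>'}"]
    if silent:
        reasons.append("//B hides script errors and prompts (silent execution)")
    if ext in SCRIPT_EXTS:
        reasons.append(f"script extension {ext}")
    if user_writable:
        reasons.append("script lives in a user-writable directory")
    if in_startup:
        reasons.append("script lives in the Startup folder")
    # Assumed rule: a script-host launch of a script file from a user-writable
    # or Startup location is worth an analyst's attention regardless of //B.
    suspicious = ext in SCRIPT_EXTS and (user_writable or in_startup)
    return {"script_host": True, "host": host, "flags": flags, "script": script,
            "silent": silent, "user_writable": user_writable,
            "in_startup": in_startup, "suspicious": suspicious, "reasons": reasons}


def is_startup_folder_script(path: str) -> bool:
    """True for a script file placed directly in a Startup folder."""
    low = path.lower()
    return STARTUP_MARKER in low and ntpath.splitext(low)[1] in SCRIPT_EXTS


def hunt(run_values: dict, startup_files: list[str], cmdlines: list[str]) -> list[dict]:
    """Collect every persistence or execution indicator from the three sources."""
    findings = []
    for key, value in run_values.items():
        r = analyze_script_host_cmdline(value)
        if r["suspicious"]:
            findings.append({"source": "run_key", "where": key, **r})
    for path in startup_files:
        if is_startup_folder_script(path):
            findings.append({"source": "startup_folder", "where": path,
                             "reasons": ["script file in Startup folder"]})
    for cmd in cmdlines:
        r = analyze_script_host_cmdline(cmd)
        if r["suspicious"]:
            findings.append({"source": "process", "where": cmd, **r})
    return findings


if __name__ == "__main__":
    for f in hunt(RUN_VALUES, STARTUP_FILES, PROCESS_CMDLINES):
        print(f"[{f['source']}] {f['where']}\n    " + "; ".join(f["reasons"]))
```

Run as-is it reports the two Run values, the two Startup-folder scripts and all three wscript.exe command lines (the initial launch from Temp has no //B but still runs a .js from a user-writable path), and stays silent on the OneDrive and desktop.ini controls. On a live host you would feed it the output of `reg query` for both Run keys, a directory listing of each user's Startup folder, and process-creation telemetry.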
Downloads
Dropped file (listed three times in the report with identical hashes; the page does not name its path)
  Filesize: 10KB
  MD5: 0b3fb1c1e7a5cfdc66b4d3985815e6ff
  SHA1: 2bdade957c852dee5c052729e2a464bbd2454082
  SHA256: b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
  SHA512: 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea
Dropped file (listed twice; hashes identical to the submitted sample, i.e. copies of Scanned copies.js)
  Filesize: 52KB
  MD5: 49b13da43564fd53f17eb0a803a92a09
  SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
  SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
  SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31