Analysis

Max time kernel: 147s
Max time network: 159s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-10-2022 06:21
Static task: static1

Behavioral task: behavioral1
Sample: Scanned copies.js
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: Scanned copies.js
Resource: win10v2004-20220812-en
General

Target: Scanned copies.js
Size: 52KB
MD5: 49b13da43564fd53f17eb0a803a92a09
SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31
SSDEEP: 768:1zPm7PWaktoJJVRurezocS9ZZtfOuuF1wivT7VYJw9Yc0Sa0Z8K:1DqJJ7urem9Z7fxE1wivT7V+c0SaQ8K
Malware Config

Extracted family: wshrat
URL: http://185.252.178.17:5050
Signatures

Blocklisted process makes network request (24 IoCs)
Process (pid)         Network flows
wscript.exe (4280)    8, 14, 29, 34, 45, 51, 54, 55, 58, 59, 60, 63
wscript.exe (1304)    9, 27, 41, 52, 56, 61
wscript.exe (5016)    10, 28, 42, 53, 57, 62
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (wscript.exe; recorded twice)
Drops startup file (5 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js (wscript.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" (wscript.exe)
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (11 IoCs)
Uses user-agent string associated with script host/environment.
HTTP User-Agent header, seen on flows 8, 14, 29, 45, 51, 54, 55, 58, 59, 60, 63:
WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid    Process       procid_target
PID 676 wrote to memory of 1304    676    wscript.exe   82
PID 676 wrote to memory of 1304    676    wscript.exe   82
PID 676 wrote to memory of 4280    676    wscript.exe   83
PID 676 wrote to memory of 4280    676    wscript.exe   83
PID 4280 wrote to memory of 5016   4280   wscript.exe   84
PID 4280 wrote to memory of 5016   4280   wscript.exe   84
Processes

C:\Windows\system32\wscript.exe (PID 676)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 1304)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Windows\System32\wscript.exe (PID 4280)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (PID 5016)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
      - Blocklisted process makes network request
      - Drops startup file
Downloads

Filesize: 10KB
MD5: 0b3fb1c1e7a5cfdc66b4d3985815e6ff
SHA1: 2bdade957c852dee5c052729e2a464bbd2454082
SHA256: b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e
SHA512: 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea

Filesize: 52KB (same hashes as the submitted sample)
MD5: 49b13da43564fd53f17eb0a803a92a09
SHA1: ed74e4ea8cb53499dc36335814d82ac31cc6d0c7
SHA256: ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
SHA512: a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31