Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2022 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice #487135.vbs
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Invoice #487135.vbs
  Resource: win10v2004-20220812-en
General
Target: Invoice #487135.vbs
Size: 240KB
MD5: de2cc767fcef3cd77ef0defdac9cba9a
SHA1: d2cb01e29f580276224d003157889fcd1c38a1cc
SHA256: ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
SHA512: a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538
SSDEEP: 6144:5OvNErKf2keySscTM4vr2sn513CrFKQ0k7:Uk+e3R2c3Vy
Malware Config
Extracted
wshrat
http://snkcyp.duckdns.org:3369
Signatures

Blocklisted process makes network request (4 IoCs)
flow  pid   Process
4     1416  wscript.exe
6     1416  wscript.exe
8     1416  wscript.exe
9     1416  wscript.exe
Drops startup file (3 IoCs)
description                   ioc                                                                                                    Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs      wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs      wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs      WScript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description      ioc                                                                                                                                                                                    Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\""                          wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run                                                                                WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\""  WScript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                        WScript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\""                          WScript.exe
Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run                                                                                wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                        wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3     ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process      procid_target
PID 1488 wrote to memory of 984    1488  WScript.exe  27
PID 1488 wrote to memory of 984    1488  WScript.exe  27
PID 1488 wrote to memory of 984    1488  WScript.exe  27
PID 1488 wrote to memory of 1416   1488  WScript.exe  28
PID 1488 wrote to memory of 1416   1488  WScript.exe  28
PID 1488 wrote to memory of 1416   1488  WScript.exe  28
PID 1416 wrote to memory of 324    1416  wscript.exe  29
PID 1416 wrote to memory of 324    1416  wscript.exe  29
PID 1416 wrote to memory of 324    1416  wscript.exe  29
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"
  PID: 1488
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
    PID: 984

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"
    PID: 1416
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
      PID: 324
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 240KB
MD5: de2cc767fcef3cd77ef0defdac9cba9a
SHA1: d2cb01e29f580276224d003157889fcd1c38a1cc
SHA256: ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
SHA512: a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538

Filesize: 1KB
MD5: b980eced62f980d79060ee415e6ce652
SHA1: 3f585f85195a841c0dfab80bf50469de54f913d6
SHA256: a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e
SHA512: 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88