Analysis
  max time kernel: 142s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31-10-2022 08:06
Static task
  static1
Behavioral task
  behavioral1: sample Invoice #487135.vbs, resource win7-20220812-en
Behavioral task
  behavioral2: sample Invoice #487135.vbs, resource win10v2004-20220812-en (the run the analysis block above refers to)
General
  Target: Invoice #487135.vbs
  Size: 240KB
  MD5: de2cc767fcef3cd77ef0defdac9cba9a
  SHA1: d2cb01e29f580276224d003157889fcd1c38a1cc
  SHA256: ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
  SHA512: a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538
  SSDEEP: 6144:5OvNErKf2keySscTM4vr2sn513CrFKQ0k7:Uk+e3R2c3Vy
Malware Config
  Extracted family: wshrat
  C2: http://snkcyp.duckdns.org:3369
  The C2 is a duckdns.org dynamic-DNS hostname on a non-standard port (3369). Block and alert on the hostname rather than on whatever IP it resolved to during the run, since the address behind a dynamic-DNS name can change at any time.
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  5     5088  wscript.exe
  13    5088  wscript.exe
  42    5088  wscript.exe
  51    5088  wscript.exe
  All four flows are made by PID 5088, the copy relaunched from AppData\Roaming (see the process tree below), not by the original script run from Temp.

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                              process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs  wscript.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
  The Run value written in every case (shown here unescaped) is:
    Invoice #487135 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"
  description      ioc                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135                          WScript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run  wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                           wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135                          wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run  WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135  WScript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                           WScript.exe
  Three things worth noting. First, the //B switch runs Windows Script Host in batch mode, so any script error is suppressed instead of being shown to the user in a dialog. Second, the entry is written to both HKLM and HKCU; the HKLM write can only succeed because the sandbox user (Admin) has local administrator rights, so on a standard-user host only the HKCU value and the Startup folder copy would land. Third, both the original process (WScript.exe, PID 764) and the relaunched copy (wscript.exe, PID 5088) write the same value, i.e. the persistence routine runs on every execution.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic text "Likely ransomware behaviour" to this signature; nothing else in this report (no mass file modification, no ransom note) supports that reading for a WSHRAT sample, so treat it as drive enumeration of unspecified purpose rather than as evidence of encryption.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process      procid_target
  PID 764 wrote to memory of 1988   764   WScript.exe  79
  PID 764 wrote to memory of 1988   764   WScript.exe  79
  PID 764 wrote to memory of 5088   764   WScript.exe  80
  PID 764 wrote to memory of 5088   764   WScript.exe  80
  PID 5088 wrote to memory of 4300  5088  wscript.exe  81
  PID 5088 wrote to memory of 4300  5088  wscript.exe  81
  Every target PID is a child that the writing process itself had just spawned (see the process tree below), so these writes are consistent with ordinary process start-up rather than injection into an unrelated process. Read this signature as corroborating the tree, not as evidence of code injection.
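As an added example (not part of the sandbox report and not code from the WSHRAT sample), the following Python maps sandbox-style behavioural events onto the persistence and host-profiling signatures listed above: a Run key or Startup folder entry that launches a script through wscript.exe/cscript.exe from a user-writable directory, the Geo\Nation registry query, and a call to a public IP-lookup service. The event records, the SID and the Run value mirror this report's IoCs but are constructed inline; the command-line shape accepted for WSH launches and the list of IP-lookup hosts beyond ip-api.com are assumptions.

```python
"""Flag Windows Script Host (WSH) persistence and host-profiling behaviour in
sandbox-style events. The event records at the bottom are constructed to
mirror the IoCs in this report; they are not the sandbox's own output."""
import re
from dataclasses import dataclass

# Extensions wscript.exe / cscript.exe will execute.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Path fragments a standard user can write to. A Run entry pointing at a
# script under one of these is the self-copy-and-autorun pattern seen above.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
# Assumed list of public "what is my IP" services; ip-api.com is the one in the report.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

# Assumed command-line shape: [dir\]wscript.exe|cscript.exe [//flag ...] [quoted] script
WSH_CMD = re.compile(
    r'^\s*"?(?P<interp>(?:[a-z]:\\[^"\s]*\\)?[wc]script(?:\.exe)?)"?'
    r'(?P<flags>(?:\s+//[\w:.]+)*)'
    r'\s+"?(?P<script>[^"]+?)"?\s*$',
    re.I,
)


@dataclass(frozen=True)
class Finding:
    kind: str
    process: str
    detail: str


def parse_wsh_command(cmd):
    """Return (interpreter, flags, script_path) for a WSH launch, else None."""
    m = WSH_CMD.match(cmd)
    if not m or not m.group("script").lower().endswith(SCRIPT_EXTS):
        return None
    flags = tuple(f.lower() for f in m.group("flags").split())
    return m.group("interp"), flags, m.group("script")


def in_user_writable_dir(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def analyze(events):
    """Map raw registry/file/network events onto the report's signature kinds."""
    findings = []
    for ev in events:
        proc = ev["process"]
        if ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
            parsed = parse_wsh_command(ev["value"])
            if parsed and in_user_writable_dir(parsed[2]):
                hive = "HKLM" if "\\machine\\" in ev["key"].lower() else "HKCU"
                # //B is batch mode: WSH suppresses script error dialogs, so a
                # failing payload never shows the user an error box.
                quiet = " (//B, silent)" if "//b" in parsed[1] else ""
                findings.append(Finding("run_key_script", proc, f"{hive} Run -> {parsed[2]}{quiet}"))
        elif (ev["type"] == "file_create" and STARTUP_DIR.search(ev["path"])
              and ev["path"].lower().endswith(SCRIPT_EXTS)):
            findings.append(Finding("startup_folder_script", proc, ev["path"]))
        elif ev["type"] == "reg_query" and GEO_NATION.search(ev["key"]):
            findings.append(Finding("geo_nation_query", proc, ev["key"]))
        elif ev["type"] == "net" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            findings.append(Finding("external_ip_lookup", proc, ev["host"]))
    return findings


SID = "S-1-5-21-2295526160-1155304984-640977766-1000"   # SID as it appears in the report
RUN = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
AUTORUN = 'wscript.exe //B "C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs"'

# Constructed events: the report's IoCs plus one benign Run entry as a control.
SAMPLE_EVENTS = [
    {"type": "reg_set", "process": "WScript.exe",
     "key": "\\REGISTRY\\MACHINE" + RUN + "Invoice #487135", "value": AUTORUN},
    {"type": "reg_set", "process": "wscript.exe",
     "key": "\\REGISTRY\\USER\\" + SID + RUN + "Invoice #487135", "value": AUTORUN},
    {"type": "file_create", "process": "WScript.exe",
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Invoice #487135.vbs"},
    {"type": "reg_query", "process": "wscript.exe",
     "key": "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"},
    {"type": "net", "process": "wscript.exe", "host": "ip-api.com"},
    {"type": "reg_set", "process": "msiexec.exe",      # benign control: native exe, no script host
     "key": "\\REGISTRY\\MACHINE" + RUN + "OneDrive",
     "value": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.kind:22} {f.process:12} {f.detail}")
```

The benign OneDrive entry is there to show the rule does not fire on an ordinary Run value: only a script host launching a script from a user-writable path is reported. Feeding real EDR registry and file events into `analyze` only requires mapping them onto the same five dictionary fields.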
Processes
  1. C:\Windows\System32\WScript.exe  (PID 764)
     Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"
     Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
     2. C:\Windows\System32\wscript.exe  (PID 1988)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
     2. C:\Windows\System32\wscript.exe  (PID 5088)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"
        Signatures: Blocklisted process makes network request; Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
        3. C:\Windows\System32\wscript.exe  (PID 4300)
           Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
  Reading the tree: the script run from Temp (PID 764) copies itself to AppData\Roaming and relaunches that copy silently (//B) as PID 5088, which is the instance that talks to the network. Each instance also launches a second dropped script, kFRSBBXvyY.vbs, from the same directory; the report does not show what that script contains.
MITRE ATT&CK: Enterprise v6 (the matrix the TTP counts in the signatures above refer to)
Downloads
  Dropped file, 240KB (listed twice in the report). The hashes are identical to the submitted sample, consistent with the self-copies recorded under "Drops startup file" and "Adds Run key to start application":
    MD5: de2cc767fcef3cd77ef0defdac9cba9a
    SHA1: d2cb01e29f580276224d003157889fcd1c38a1cc
    SHA256: ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
    SHA512: a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538
  Dropped file, 1KB (listed twice in the report; its path is not included here):
    MD5: b980eced62f980d79060ee415e6ce652
    SHA1: 3f585f85195a841c0dfab80bf50469de54f913d6
    SHA256: a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e
    SHA512: 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88