Analysis Overview
SHA256
ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
Threat Level: Known bad
The file Invoice #487135.vbs was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 08:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 08:06
Reported
2022-10-31 08:08
Platform
win7-20220812-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1488 wrote to memory of 984 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1488 wrote to memory of 984 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1488 wrote to memory of 984 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1488 wrote to memory of 1416 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1488 wrote to memory of 1416 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1488 wrote to memory of 1416 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1416 wrote to memory of 324 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1416 wrote to memory of 324 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1416 wrote to memory of 324 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
Files
memory/1488-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp
memory/984-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs
| MD5 | b980eced62f980d79060ee415e6ce652 |
| SHA1 | 3f585f85195a841c0dfab80bf50469de54f913d6 |
| SHA256 | a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e |
| SHA512 | 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88 |
memory/1416-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs
| MD5 | de2cc767fcef3cd77ef0defdac9cba9a |
| SHA1 | d2cb01e29f580276224d003157889fcd1c38a1cc |
| SHA256 | ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5 |
| SHA512 | a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538 |
memory/324-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs
| MD5 | b980eced62f980d79060ee415e6ce652 |
| SHA1 | 3f585f85195a841c0dfab80bf50469de54f913d6 |
| SHA256 | a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e |
| SHA512 | 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88 |
C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs
| MD5 | de2cc767fcef3cd77ef0defdac9cba9a |
| SHA1 | d2cb01e29f580276224d003157889fcd1c38a1cc |
| SHA256 | ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5 |
| SHA512 | a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs
| MD5 | de2cc767fcef3cd77ef0defdac9cba9a |
| SHA1 | d2cb01e29f580276224d003157889fcd1c38a1cc |
| SHA256 | ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5 |
| SHA512 | a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs
| MD5 | de2cc767fcef3cd77ef0defdac9cba9a |
| SHA1 | d2cb01e29f580276224d003157889fcd1c38a1cc |
| SHA256 | ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5 |
| SHA512 | a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 08:06
Reported
2022-10-31 08:08
Platform
win10v2004-20220812-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 764 wrote to memory of 1988 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 764 wrote to memory of 1988 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 764 wrote to memory of 5088 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 764 wrote to memory of 5088 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 5088 wrote to memory of 4300 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5088 wrote to memory of 4300 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| US | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| US | 20.42.72.131:443 | tcp | |
| US | 8.253.135.241:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.253.135.241:80 | tcp | |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
Files
memory/1988-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs
| MD5 | b980eced62f980d79060ee415e6ce652 |
| SHA1 | 3f585f85195a841c0dfab80bf50469de54f913d6 |
| SHA256 | a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e |
| SHA512 | 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88 |
memory/5088-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs
| MD5 | de2cc767fcef3cd77ef0defdac9cba9a |
| SHA1 | d2cb01e29f580276224d003157889fcd1c38a1cc |
| SHA256 | ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5 |
| SHA512 | a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538 |
memory/4300-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs
| MD5 | de2cc767fcef3cd77ef0defdac9cba9a |
| SHA1 | d2cb01e29f580276224d003157889fcd1c38a1cc |
| SHA256 | ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5 |
| SHA512 | a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538 |
C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs
| MD5 | b980eced62f980d79060ee415e6ce652 |
| SHA1 | 3f585f85195a841c0dfab80bf50469de54f913d6 |
| SHA256 | a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e |
| SHA512 | 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88 |