Analysis
max time kernel: 170s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2022 17:06
Static task: static1
Behavioral task: behavioral1
  Sample: PO. AND FULL COMPANY DETAILS.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: PO. AND FULL COMPANY DETAILS.js
  Resource: win10v2004-20220812-en
General
Target: PO. AND FULL COMPANY DETAILS.js
Size: 52KB
MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e
SSDEEP: 1536:jFeQf26nBIldsK9GyP18QyEy4j1vnsrXK:jrzQ7L
Malware Config
Extracted
Family: wshrat
C2: http://91.193.75.135:2120
Signatures
Blocklisted process makes network request (37 IoCs)
flow | pid | Process
PID 1032 (wscript.exe): flows 14, 20, 24, 29, 32, 40, 63, 73, 80, 81, 82, 83, 86, 89, 90, 91, 92, 93, 96, 97, 98, 99, 100, 101, 104 (25 IoCs)
PID 1468 (wscript.exe): flows 17, 41, 71, 88, 95, 102 (6 IoCs)
PID 2328 (wscript.exe): flows 16, 42, 72, 87, 94, 103 (6 IoCs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (5 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js | wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (24 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | flows 99, 24, 63, 83, 90, 96, 100, 20, 29, 80, 81, 93, 14, 73, 92, 101, 104, 97, 98, 32, 82, 86, 89, 91 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
(The same User-Agent value was observed on all 24 flows listed.)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 5036 wrote to memory of 1468 | 5036 | wscript.exe | 81
PID 5036 wrote to memory of 1468 | 5036 | wscript.exe | 81
PID 5036 wrote to memory of 1032 | 5036 | wscript.exe | 82
PID 5036 wrote to memory of 1032 | 5036 | wscript.exe | 82
PID 1032 wrote to memory of 2328 | 1032 | wscript.exe | 83
PID 1032 wrote to memory of 2328 | 1032 | wscript.exe | 83
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO. AND FULL COMPANY DETAILS.js"
  PID: 5036
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
      PID: 1468
      - Blocklisted process makes network request
      - Drops startup file
    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js"
      PID: 1032
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\wscript.exe
          Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
          PID: 2328
          - Blocklisted process makes network request
          - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (path not captured in this export; three entries with identical hashes)
Filesize: 10KB
MD5: 55e53bf999e8da52880af2e3eb145dd7
SHA1: eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7
SHA256: ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06
SHA512: 9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js
Filesize: 52KB
MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e

Dropped file (path not captured in this export; hashes identical to the submitted sample and to the Startup copy above)
Filesize: 52KB
MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e