Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2022 17:06
Static task: static1
Behavioral task: behavioral1
  Sample: PO. AND FULL COMPANY DETAILS.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: PO. AND FULL COMPANY DETAILS.js
  Resource: win10v2004-20220901-en
General
Target: PO. AND FULL COMPANY DETAILS.js
Size: 52KB
MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e
SSDEEP: 1536:jFeQf26nBIldsK9GyP18QyEy4j1vnsrXK:jrzQ7L
Malware Config
Extracted
Family: wshrat
C2: http://91.193.75.135:2120
Signatures
Blocklisted process makes network request (41 IoCs)
flow  pid   Process
5     740   wscript.exe
7     4116  wscript.exe
8     3192  wscript.exe
15    740   wscript.exe
18    740   wscript.exe
19    740   wscript.exe
21    740   wscript.exe
22    740   wscript.exe
31    3192  wscript.exe
32    4116  wscript.exe
36    740   wscript.exe
40    740   wscript.exe
41    740   wscript.exe
47    740   wscript.exe
48    740   wscript.exe
49    740   wscript.exe
51    3192  wscript.exe
50    4116  wscript.exe
54    740   wscript.exe
56    740   wscript.exe
57    740   wscript.exe
59    740   wscript.exe
60    740   wscript.exe
61    3192  wscript.exe
62    4116  wscript.exe
63    740   wscript.exe
66    740   wscript.exe
67    740   wscript.exe
68    740   wscript.exe
69    740   wscript.exe
70    740   wscript.exe
71    3192  wscript.exe
72    4116  wscript.exe
73    740   wscript.exe
74    740   wscript.exe
75    740   wscript.exe
76    740   wscript.exe
77    740   wscript.exe
78    3192  wscript.exe
79    4116  wscript.exe
80    740   wscript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                              Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file (5 IoCs)
description                   ioc                                                                                                  Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js                    wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js                    wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkAJQFWrPZ.js                    wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description      ioc                                                                                                                                                                                          Process
Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run                                                                                   wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                              wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\""                             wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run                                                                                   wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                              wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO. AND FULL COMPANY DETAILS.js\""                             wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (29 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  36    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  56    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  57    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  69    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  18    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  22    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  54    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  76    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  41    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  49    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  59    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  66    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  47    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  48    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  73    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  68    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  60    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  67    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  74    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  77    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  80    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  5     WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  21    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  63    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  70    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  75    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  15    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  19    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
HTTP User-Agent header  40    WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript
Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid   Process      procid_target
PID 4788 wrote to memory of 4116     4788  wscript.exe  81
PID 4788 wrote to memory of 4116     4788  wscript.exe  81
PID 4788 wrote to memory of 740      4788  wscript.exe  82
PID 4788 wrote to memory of 740      4788  wscript.exe  82
PID 740 wrote to memory of 3192      740   wscript.exe  84
PID 740 wrote to memory of 3192      740   wscript.exe  84
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO. AND FULL COMPANY DETAILS.js"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4788
    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
      - Blocklisted process makes network request
      - Drops startup file
      PID: 4116
    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO. AND FULL COMPANY DETAILS.js"
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 740
        C:\Windows\System32\wscript.exe
          Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KkAJQFWrPZ.js"
          - Blocklisted process makes network request
          - Drops startup file
          PID: 3192
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 10KB
MD5: 55e53bf999e8da52880af2e3eb145dd7
SHA1: eb3cb8113ac5bdbd28884a5ec8f8486ab1579ea7
SHA256: ce43f09fa4934454576496833efc115ca2872e0163e0a7cba1a20ed8b1af1a06
SHA512: 9141ce714b512f497355d1ce7fce407a47d6dad5434ae05311cc2a745cc84f7394eeb5ce1750b5831ca772e3486a446470cba66ecfd62f77299da6cd06616eda
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO. AND FULL COMPANY DETAILS.js
Filesize: 52KB
MD5: 8bc16b0d732b50f86fedb1f18bb0a49a
SHA1: 3f0fc1ebce788f408926e5776e290374f380e072
SHA256: 22f2f984996706f3bfdfaa95016c163d00764601cfef3a0ee7691f361f1b0bed
SHA512: 9f4001740b63e8b4a53655b84c5b432f1d07f82eae60062d244ff25a43699b64bb1c9d4675ef97e2db50ab66dfac27b6e1ea7013527bac48566e7a22ebfb5d1e