Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 31-10-2022 17:21
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT SETTLEMENT.vbs
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: PAYMENT SETTLEMENT.vbs
- Resource: win10v2004-20220812-en
General
- Target: PAYMENT SETTLEMENT.vbs
- Size: 240KB
- MD5: c0526db1f0ccb70c709d23c044329e0b
- SHA1: fe1672dc2aa4095d57ae670b9ba28804f7e4faaa
- SHA256: f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
- SHA512: 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4
- SSDEEP: 6144:/hwQdksTNeDQOsc7PqKz26fqCPR1FZm/B8HXCllgyI+v:VdxUQ2JagqCP0eywhY
Malware Config
Extracted
- Family: wshrat
- C2: http://0b3c.duckdns.org:1988
Signatures

Blocklisted process makes network request (18 IoCs)
  flow  pid   Process
  4     1212  wscript.exe
  6     1212  wscript.exe
  7     1212  wscript.exe
  8     1212  wscript.exe
  10    1212  wscript.exe
  11    1212  wscript.exe
  12    1212  wscript.exe
  15    1212  wscript.exe
  18    1212  wscript.exe
  19    1212  wscript.exe
  20    1212  wscript.exe
  22    1212  wscript.exe
  23    1212  wscript.exe
  24    1212  wscript.exe
  26    1212  wscript.exe
  27    1212  wscript.exe
  28    1212  wscript.exe
  30    1212  wscript.exe

Drops startup file (2 IoCs)
  description                  ioc                                                                                          Process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs  WScript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs  wscript.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
  description      ioc                                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\""                     wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run                                                                           WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\""  WScript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                       WScript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\""                     WScript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run                                                                           wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\""  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                       wscript.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  3     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (9 IoCs)
  description                           pid   Process      procid_target
  PID 1048 wrote to memory of 1512      1048  WScript.exe  27
  PID 1048 wrote to memory of 1512      1048  WScript.exe  27
  PID 1048 wrote to memory of 1512      1048  WScript.exe  27
  PID 1048 wrote to memory of 1212      1048  WScript.exe  28
  PID 1048 wrote to memory of 1212      1048  WScript.exe  28
  PID 1048 wrote to memory of 1212      1048  WScript.exe  28
  PID 1212 wrote to memory of 1784      1212  wscript.exe  29
  PID 1212 wrote to memory of 1784      1212  wscript.exe  29
  PID 1212 wrote to memory of 1784      1212  wscript.exe  29
Processes (tree; indentation shows parent/child)

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PAYMENT SETTLEMENT.vbs"
  PID: 1048
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"
      PID: 1512

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs"
      PID: 1212
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wscript.exe
          Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"
          PID: 1784
Network
MITRE ATT&CK Enterprise v6
Downloads (each file is listed twice in the report, once per behavioral task)

- Filesize: 1KB
  MD5: 3df35da081f5c18c2e2c7491cf83dc5f
  SHA1: 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620
  SHA256: 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f
  SHA512: 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3

- Filesize: 240KB
  MD5: c0526db1f0ccb70c709d23c044329e0b
  SHA1: fe1672dc2aa4095d57ae670b9ba28804f7e4faaa
  SHA256: f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
  SHA512: 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4