Analysis Overview
SHA256
f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
Threat Level: Known bad
The file PAYMENT SETTLEMENT.vbs was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 17:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 17:21
Reported
2022-10-31 17:23
Platform
win7-20220812-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1048 wrote to memory of 1512 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1048 wrote to memory of 1512 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1048 wrote to memory of 1512 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1048 wrote to memory of 1212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1048 wrote to memory of 1212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1048 wrote to memory of 1212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1212 wrote to memory of 1784 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1212 wrote to memory of 1784 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1212 wrote to memory of 1784 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PAYMENT SETTLEMENT.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0b3c.duckdns.org | udp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
Files
memory/1048-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp
memory/1512-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs
| MD5 | 3df35da081f5c18c2e2c7491cf83dc5f |
| SHA1 | 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620 |
| SHA256 | 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f |
| SHA512 | 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3 |
memory/1212-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs
| MD5 | c0526db1f0ccb70c709d23c044329e0b |
| SHA1 | fe1672dc2aa4095d57ae670b9ba28804f7e4faaa |
| SHA256 | f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c |
| SHA512 | 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4 |
memory/1784-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs
| MD5 | c0526db1f0ccb70c709d23c044329e0b |
| SHA1 | fe1672dc2aa4095d57ae670b9ba28804f7e4faaa |
| SHA256 | f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c |
| SHA512 | 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4 |
C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs
| MD5 | 3df35da081f5c18c2e2c7491cf83dc5f |
| SHA1 | 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620 |
| SHA256 | 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f |
| SHA512 | 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 17:21
Reported
2022-10-31 17:24
Platform
win10v2004-20220812-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1056 wrote to memory of 1052 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1056 wrote to memory of 1052 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1056 wrote to memory of 3788 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1056 wrote to memory of 3788 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 3788 wrote to memory of 2052 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3788 wrote to memory of 2052 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PAYMENT SETTLEMENT.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0b3c.duckdns.org | udp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| NL | 178.79.208.1:80 | tcp | |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
| LV | 46.183.220.121:1988 | 0b3c.duckdns.org | tcp |
Files
memory/1052-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs
| MD5 | 3df35da081f5c18c2e2c7491cf83dc5f |
| SHA1 | 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620 |
| SHA256 | 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f |
| SHA512 | 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3 |
memory/3788-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs
| MD5 | c0526db1f0ccb70c709d23c044329e0b |
| SHA1 | fe1672dc2aa4095d57ae670b9ba28804f7e4faaa |
| SHA256 | f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c |
| SHA512 | 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4 |
memory/2052-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs
| MD5 | c0526db1f0ccb70c709d23c044329e0b |
| SHA1 | fe1672dc2aa4095d57ae670b9ba28804f7e4faaa |
| SHA256 | f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c |
| SHA512 | 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4 |
C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs
| MD5 | 3df35da081f5c18c2e2c7491cf83dc5f |
| SHA1 | 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620 |
| SHA256 | 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f |
| SHA512 | 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3 |