Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2022 08:40
Static task: static1
Behavioral task: behavioral1
  Sample: wynmove (1).js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: wynmove (1).js
  Resource: win10v2004-20220901-en
General
Target: wynmove (1).js
Size: 24KB
MD5: dc1bb14d9ae229088128fc7b820e0b37
SHA1: 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b
SHA256: 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
SHA512: 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b
SSDEEP: 768:15nGPVNjCjZdGOO70IXgD2KTinmtalzDcVgg8a:1ZeKR
Malware Config
Extracted: wshrat
http://45.139.105.174:7670
Signatures
Blocklisted process makes network request (30 IoCs)
  Network flows 5, 11, 18, 19, 20, 21, 31, 32, 33, 36, 37, 38, 40, 41, 42, 43, 44, 45, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, all made by pid 3288 (wscript.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" (wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (29 IoCs)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flows 21, 31, 48, 53, 55, 38, 18, 20, 50, 54, 19, 33, 40, 52, 11, 45, 51, 37, 42, 57, 5, 41, 56, 49, 32, 36, 43, 44, 47: WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1352 wrote to memory of 3288 (pid 1352, wscript.exe, procid_target 76)
  PID 1352 wrote to memory of 3288 (pid 1352, wscript.exe, procid_target 76)
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynmove (1).js"
  PID: 1352
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove (1).js"
    PID: 3288
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 24KB
MD5: dc1bb14d9ae229088128fc7b820e0b37
SHA1: 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b
SHA256: 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
SHA512: 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b