Analysis
max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2022 08:41
Behavioral task: behavioral1
  Sample: wynlog (1).js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: wynlog (1).js
  Resource: win10v2004-20220812-en
General
Target: wynlog (1).js
Size: 188KB
MD5: affa61f41e7abdd50ebec8a6179023dc
SHA1: ca6d2ec065b722c8454c220cb6938f1cce5ce4c9
SHA256: 4dd4c87a2a5901ab66a358f41a71c5c0f2b068b8e741497878cf8754d5a63f33
SHA512: 98251a3ef43e86014cf51e091226748a7a094c433a38f51dc40745e71ccdfa69dafc168980bef4209d2ccc7b1c2279f4c92ad3bad262382fade35b928a678222
SSDEEP: 3072:yNQmvEznZ3Q0bamvbURCFeGK/6tHpEbIpklgVDSxGfmuZIY:yNfrMyRCFeGKMHpaAklgF2GuuZZ
Malware Config
Extracted
  Family: wshrat
  C2: http://45.139.105.174:3670
Signatures

Blocklisted process makes network request (7 IoCs)
  flow  pid   Process
  6     1872  wscript.exe
  19    1872  wscript.exe
  40    1872  wscript.exe
  99    1872  wscript.exe
  105   1872  wscript.exe
  106   1872  wscript.exe
  107   1872  wscript.exe
Drops startup file (2 IoCs)
  - description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog (1).js
    Process: wscript.exe
  - description: File opened for modification
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog (1).js
    Process: wscript.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  - description: Key created
    ioc: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
    Process: wscript.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynlog (1).js\""
    Process: wscript.exe
  - description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run
    Process: wscript.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynlog (1).js\""
    Process: wscript.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (6 IoCs)
Uses user-agent string associated with script host/environment.
  - description: HTTP User-Agent header
    flow: 40
    ioc: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|01:Unknown
  - description: HTTP User-Agent header
    flow: 99
    ioc: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|01:Unknown
  - description: HTTP User-Agent header
    flow: 105
    ioc: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|01:Unknown
  - description: HTTP User-Agent header
    flow: 106
    ioc: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|01:Unknown
  - description: HTTP User-Agent header
    flow: 107
    ioc: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|01:Unknown
  - description: HTTP User-Agent header
    flow: 19
    ioc: WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|01:Unknown