Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2022 19:30

Static task: static1

Behavioral task: behavioral1
  Sample: proof of payment.js
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: proof of payment.js
  Resource: win10v2004-20220812-en
General

Target: proof of payment.js
Size: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f
SSDEEP: 768:5Kk5HT1xsHylPCTBp0Jv8BD3DQ7vGOAX1OsIWgCX56nu1CPL2lssQ:ZPzwBSvcTQ7+OAX1O3CX56n4GL2lssQ
Malware Config

Extracted
  family: wshrat
  C2 URL: http://harold.jetos.com:1604
Signatures

Blocklisted process makes network request 26 IoCs
(flow, pid, process; grouped by pid)
- pid 1708 wscript.exe: flows 10, 23, 35, 46, 59
- pid 764 wscript.exe: flows 11, 24, 33, 48, 57
- pid 1204 wscript.exe: flows 12, 13, 15, 19, 25, 27, 31, 36, 38, 43, 44, 49, 52, 55, 60, 63
Drops startup file 5 IoCs
(description, ioc, process)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe)
Adds Run key to start application 2 TTPs 8 IoCs
(description, ioc, process; the four entries below are each recorded twice, consistent with the two wscript.exe instances that carry this signature in the process tree, PID 1192 and PID 1204)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = wscript.exe //B "C:\Users\Admin\AppData\Roaming\proof of payment.js" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\proof of payment = wscript.exe //B "C:\Users\Admin\AppData\Roaming\proof of payment.js" (wscript.exe)
Note that the HKLM Run value only lands because the sandbox runs the sample as an administrator; on a host where the user is unprivileged, expect only the HKCU value and the Startup-folder copies. The //B switch runs the script host in batch mode, suppressing script error dialogs and prompts, so the logon launch is silent.
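The two persistence signatures above (script files dropped into the per-user Startup folder, and HKLM/HKCU Run values launching wscript.exe //B on a script under AppData) are easy to triage mechanically from an autorun inventory. The following is an added example, not code from the report or from the sandbox: it scores Run-key command lines and Startup-folder file names on the three properties the report shows (a script host as launcher, the silent //B switch, and a script living in a user-writable profile path). The sample command lines are the unescaped form of the report's Run value data; the benign entries and the hypothetical "VendorTray" value are constructed for contrast.

```python
"""Triage of script-host autoruns of the kind this sample created.

Added example, not code from the report or the sandbox. Field names and the
constructed benign entries are illustrative assumptions."""
import re
from typing import List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Path fragments an unprivileged user can write to; a script launched from
# here at logon deserves more attention than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: a double-quoted span is one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_autorun_reasons(cmdline: str) -> List[str]:
    """Return why a Run-key command line looks like script-host persistence.
    An empty list means the launcher is not a script host at all."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return []
    host = tokens[0].rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return []
    reasons = ["script_host"]
    # //B (batch mode) suppresses script errors and prompts: a silent logon launch.
    if any(t.lower() in ("//b", "/b") for t in tokens[1:]):
        reasons.append("silent_flag")
    scripts = [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTENSIONS)]
    if any(frag in s.lower() for s in scripts for frag in USER_WRITABLE):
        reasons.append("user_writable_path")
    return reasons


def is_startup_folder_script(path: str) -> bool:
    """True for a script file placed in a per-user or all-users Startup folder."""
    low = path.lower()
    return STARTUP_FOLDER in low and low.endswith(SCRIPT_EXTENSIONS)


# Constructed autorun inventory: the first three entries are the ones the
# report lists; the last two are benign fillers (hypothetical) for contrast.
AUTORUNS: List[Tuple[str, str]] = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment",
     r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\proof of payment",
     r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"'),
    ("Startup folder",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     r'"C:\Program Files\Vendor\Tray.exe" /minimized'),
    ("Startup folder",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),
]


def triage(autoruns: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (source, reasons) for every entry worth an analyst's attention."""
    hits = []
    for source, data in autoruns:
        if source == "Startup folder":
            if is_startup_folder_script(data):
                hits.append((source + ": " + data.rsplit("\\", 1)[-1], ["startup_folder_script"]))
            continue
        reasons = script_autorun_reasons(data)
        if reasons:
            hits.append((source, reasons))
    return hits


if __name__ == "__main__":
    for source, reasons in triage(AUTORUNS):
        print(source)
        print("    " + ", ".join(reasons))
```

On a live host the same logic applies to the output of `reg query` on both Run keys and a directory listing of the Startup folders; the point of the reasons list rather than a yes/no is that a plain `cscript.exe C:\Scripts\logon.vbs` in an enterprise image is a script host too and should rank lower than a silent launch from AppData.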
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature, but for a WSHRAT sample the drive enumeration is better explained by the family's removable-drive propagation than by encryption: no file-encryption or mass file-modification signature appears elsewhere in this report.
Script User-Agent 16 IoCs
Uses user-agent string associated with script host/environment.
HTTP User-Agent header on flows 12, 13, 15, 19, 25, 27, 31, 36, 38, 43, 44, 49, 52, 55, 60, 63 (the same 16 flows attributed to PID 1204 under "Blocklisted process makes network request"), identical on every flow:
WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript
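The pipe-delimited User-Agent above is the implant's check-in and is the most durable network indicator in this report, since it is sent on every beacon regardless of which C2 host the operator points the script at. The following is an added example, not code from the report or the sandbox: a parser for the beacon plus detection logic run over a few constructed HTTP log lines. The "WSHRAT" tag, the "plus" marker and the "nan-av" and "false - 1/11/2022" fields come straight from the report; the names given to the remaining positions (hwid, hostname, user, os, script) are an assumption based on the Houdini/H-Worm beacon layout that WSHRAT descends from, and the log format is invented for the example.

```python
"""Parser and detector for the WSHRAT check-in User-Agent shown in the report.

Added example, not code from the report or the sandbox. Positional field names
are an assumption (Houdini/H-Worm lineage); the HTTP log lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WshratBeacon:
    hwid: str
    hostname: str
    user: str
    os: str
    av: str                     # 'nan-av' when the client reports no AV product
    usb_spread: Optional[bool]  # 'false'/'true' before ' - <date>' (assumed meaning)
    install_date: str
    script: str                 # 'JavaScript' for this sample


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Parse 'WSHRAT|hwid|host|user|os|plus|av|usb - date|script'; None if not WSHRAT."""
    parts = ua.split("|")
    if len(parts) != 9 or parts[0] != "WSHRAT" or parts[5] != "plus":
        return None
    usb, _, date = parts[7].partition(" - ")
    usb_flag = {"true": True, "false": False}.get(usb.strip().lower())
    return WshratBeacon(
        hwid=parts[1], hostname=parts[2], user=parts[3], os=parts[4].strip(),
        av=parts[6], usb_spread=usb_flag, install_date=date.strip(), script=parts[8],
    )


# Constructed HTTP log: flows 25 and 27 carry the exact User-Agent from the
# report, flow 26 is an ordinary browser request for contrast.
SAMPLE_HTTP_LOG = """\
flow=25 host=harold.jetos.com:1604 ua="WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript"
flow=26 host=update.example.invalid ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
flow=27 host=harold.jetos.com:1604 ua="WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript"
"""

LOG_LINE = re.compile(r'flow=(\d+) host=(\S+) ua="([^"]*)"')


def find_wshrat_beacons(log: str) -> List[Tuple[int, str, WshratBeacon]]:
    """Return (flow, host, beacon) for every log line whose User-Agent parses as WSHRAT."""
    hits = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        beacon = parse_wshrat_ua(m.group(3))
        if beacon:
            hits.append((int(m.group(1)), m.group(2), beacon))
    return hits


def c2_hosts(hits: List[Tuple[int, str, WshratBeacon]]) -> List[str]:
    """Distinct hosts that received a WSHRAT beacon, for blocking or pivoting."""
    return sorted({host for _, host, _ in hits})


if __name__ == "__main__":
    found = find_wshrat_beacons(SAMPLE_HTTP_LOG)
    for flow, host, b in found:
        print(f"flow {flow} -> {host}: hwid={b.hwid} user={b.user} os={b.os!r} av={b.av}")
    print("C2 hosts:", c2_hosts(found))
```

Matching on the structure (nine pipe-separated fields, literal "WSHRAT" and "plus") rather than on the C2 hostname is deliberate: the hostname in the extracted config is a dynamic-DNS name that the operator can change without touching the beacon format, while the hwid field gives a per-victim key to group flows by.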
Suspicious use of WriteProcessMemory 9 IoCs
(description, pid, process, procid_target; each pair is recorded three times)
- PID 1192 wrote to memory of 1708: pid 1192, wscript.exe, procid_target 27 (x3)
- PID 1192 wrote to memory of 1204: pid 1192, wscript.exe, procid_target 29 (x3)
- PID 1204 wrote to memory of 764: pid 1204, wscript.exe, procid_target 30 (x3)
Processes

[1] C:\Windows\system32\wscript.exe  (PID 1192)
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\wscript.exe  (PID 1708, parent 1192)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
      - Blocklisted process makes network request
      - Drops startup file

  [2] C:\Windows\System32\wscript.exe  (PID 1204, parent 1192)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\wscript.exe  (PID 764, parent 1204)
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
        - Blocklisted process makes network request
        - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 10KB
MD5: 69231c3446c45e0863b0f2ce4ca548ee
SHA1: aa1b5083657f41f604bb5682e52f5016b434f929
SHA256: 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512: a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b

Filesize: 51KB (same hashes as the submitted sample)
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f