Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2022 19:30
Static task: static1
Behavioral task: behavioral1
  Sample: proof of payment.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: proof of payment.js
  Resource: win10v2004-20220812-en
General
Target: proof of payment.js
Size: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f
SSDEEP: 768:5Kk5HT1xsHylPCTBp0Jv8BD3DQ7vGOAX1OsIWgCX56nu1CPL2lssQ:ZPzwBSvcTQ7+OAX1O3CX56n4GL2lssQ
Malware Config
Extracted family: wshrat
C2 URL: http://harold.jetos.com:1604
Signatures

Blocklisted process makes network request (31 IoCs)
flow  pid   Process
12    1792  wscript.exe
13    4744  wscript.exe
14    4324  wscript.exe
26    4324  wscript.exe
31    4324  wscript.exe
32    4324  wscript.exe
36    1792  wscript.exe
37    4744  wscript.exe
40    4324  wscript.exe
42    4324  wscript.exe
43    4324  wscript.exe
46    4324  wscript.exe
47    1792  wscript.exe
48    4744  wscript.exe
53    4324  wscript.exe
54    4324  wscript.exe
55    4324  wscript.exe
56    1792  wscript.exe
57    4744  wscript.exe
58    4324  wscript.exe
59    4324  wscript.exe
60    4324  wscript.exe
61    1792  wscript.exe
62    4744  wscript.exe
63    4324  wscript.exe
64    4324  wscript.exe
65    4324  wscript.exe
66    4324  wscript.exe
67    1792  wscript.exe
68    4744  wscript.exe
69    4324  wscript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description        ioc                                                                                               Process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file (5 IoCs)
description                   ioc                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js        wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js        wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js        wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description      ioc                                                                                                                                                                                                  Process
Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run                                                                                           wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                      wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\""                                     wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run                                                                                           wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                                      wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\""                                     wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (19 IoCs)
Uses a user-agent string associated with a script host/environment.
description: HTTP User-Agent header
flows: 14, 26, 31, 32, 40, 42, 43, 46, 53, 54, 55, 58, 59, 60, 63, 64, 65, 66, 69
ioc (identical in all 19 flows): WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
Suspicious use of WriteProcessMemory (6 IoCs)
description                         pid   Process      procid_target
PID 5104 wrote to memory of 1792    5104  wscript.exe  81
PID 5104 wrote to memory of 1792    5104  wscript.exe  81
PID 5104 wrote to memory of 4324    5104  wscript.exe  82
PID 5104 wrote to memory of 4324    5104  wscript.exe  82
PID 4324 wrote to memory of 4744    4324  wscript.exe  83
PID 4324 wrote to memory of 4744    4324  wscript.exe  83
Processes

[1] C:\Windows\system32\wscript.exe (PID 5104)
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\wscript.exe (PID 1792)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
        - Blocklisted process makes network request
        - Drops startup file

    [2] C:\Windows\System32\wscript.exe (PID 4324)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"
        - Blocklisted process makes network request
        - Checks computer location settings
        - Drops startup file
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\wscript.exe (PID 4744)
            Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
            - Blocklisted process makes network request
            - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 10KB
MD5: 69231c3446c45e0863b0f2ce4ca548ee
SHA1: aa1b5083657f41f604bb5682e52f5016b434f929
SHA256: 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512: a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b

Filesize: 10KB
MD5: 69231c3446c45e0863b0f2ce4ca548ee
SHA1: aa1b5083657f41f604bb5682e52f5016b434f929
SHA256: 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512: a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b

Filesize: 10KB
MD5: 69231c3446c45e0863b0f2ce4ca548ee
SHA1: aa1b5083657f41f604bb5682e52f5016b434f929
SHA256: 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512: a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b

Filesize: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f

Filesize: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f