Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2022 19:31
Static task: static1
Behavioral task: behavioral1
  Sample: proof of payment.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: proof of payment.js
  Resource: win10v2004-20220812-en
General
Target: proof of payment.js
Size: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f
SSDEEP: 768:5Kk5HT1xsHylPCTBp0Jv8BD3DQ7vGOAX1OsIWgCX56nu1CPL2lssQ:ZPzwBSvcTQ7+OAX1O3CX56n4GL2lssQ
Malware Config
Extracted
wshrat: http://harold.jetos.com:1604
Signatures
Blocklisted process makes network request (25 IoCs)
flow | pid | Process
7 | 448 | wscript.exe
8 | 4752 | wscript.exe
10 | 1584 | wscript.exe
27 | 1584 | wscript.exe
29 | 448 | wscript.exe
30 | 4752 | wscript.exe
38 | 1584 | wscript.exe
39 | 1584 | wscript.exe
40 | 1584 | wscript.exe
43 | 448 | wscript.exe
44 | 4752 | wscript.exe
45 | 1584 | wscript.exe
47 | 1584 | wscript.exe
48 | 448 | wscript.exe
49 | 4752 | wscript.exe
50 | 1584 | wscript.exe
52 | 1584 | wscript.exe
53 | 1584 | wscript.exe
54 | 1584 | wscript.exe
55 | 448 | wscript.exe
56 | 4752 | wscript.exe
57 | 1584 | wscript.exe
58 | 1584 | wscript.exe
59 | 448 | wscript.exe
60 | 4752 | wscript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (5 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js | wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (10 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 47 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 50 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 52 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 54 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 27 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 38 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 39 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 40 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 58 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
HTTP User-Agent header | 53 | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4968 wrote to memory of 448 | 4968 | wscript.exe | 81
PID 4968 wrote to memory of 448 | 4968 | wscript.exe | 81
PID 4968 wrote to memory of 1584 | 4968 | wscript.exe | 82
PID 4968 wrote to memory of 1584 | 4968 | wscript.exe | 82
PID 1584 wrote to memory of 4752 | 1584 | wscript.exe | 83
PID 1584 wrote to memory of 4752 | 1584 | wscript.exe | 83
Processes
Level 1: C:\Windows\system32\wscript.exe (PID 4968)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"
  Signatures:
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\System32\wscript.exe (PID 448)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
  Level 2: C:\Windows\System32\wscript.exe (PID 1584)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"
    Signatures:
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\System32\wscript.exe (PID 4752)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
      Signatures:
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 10KB
MD5: 69231c3446c45e0863b0f2ce4ca548ee
SHA1: aa1b5083657f41f604bb5682e52f5016b434f929
SHA256: 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512: a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b
Filesize: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f