Analysis
-
max time kernel
114s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-11-2022 11:36
Behavioral task
behavioral1
Sample
wynlog02.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
wynlog02.js
Resource
win10v2004-20220812-en
General
-
Target
wynlog02.js
-
Size
188KB
-
MD5
159203fbff13320da03487c270bd16c9
-
SHA1
a3f2d4fb77d2c0d08264d40441e5fec872b38b3c
-
SHA256
d2d2d9e5730335867810ac8a3c95a75d36982ababaefd10d197ee4e79ac0fd88
-
SHA512
9bdd4f0d155f0520478e7de55ce31b364882596426399cfdac971d70898528afb112dd0f1972ce58ac2467fad33898e8270f381128c3afa188681b325164a78c
-
SSDEEP
3072:a8WQ0bamubIpklgVDSxGfmuZ4eGK/6Z4J5vEzjbURCU6QP9Z5:aYMqAklgF2GuuZ4eGKrlBRCU6G
Malware Config
Extracted
wshrat
http://45.139.105.174:3670
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 4 1976 wscript.exe 5 1976 wscript.exe 7 1976 wscript.exe 8 1976 wscript.exe 10 1976 wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog02.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog02.js wscript.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynlog02 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynlog02.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog02 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynlog02.js\"" wscript.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 5 WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 7 WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 8 WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 10 WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands