Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2022 11:36

General

  • Target

    wynlog02.js

  • Size

    188KB

  • MD5

    159203fbff13320da03487c270bd16c9

  • SHA1

    a3f2d4fb77d2c0d08264d40441e5fec872b38b3c

  • SHA256

    d2d2d9e5730335867810ac8a3c95a75d36982ababaefd10d197ee4e79ac0fd88

  • SHA512

    9bdd4f0d155f0520478e7de55ce31b364882596426399cfdac971d70898528afb112dd0f1972ce58ac2467fad33898e8270f381128c3afa188681b325164a78c

  • SSDEEP

    3072:a8WQ0bamubIpklgVDSxGfmuZ4eGK/6Z4J5vEzjbURCU6QP9Z5:aYMqAklgF2GuuZ4eGKrlBRCU6G

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:3670

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 6 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 5 IoCs

    Uses user-agent string associated with script host/environment.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\wynlog02.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:4984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads