Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-11-2022 11:36
- Static task: static1
- Behavioral task behavioral1: sample wynmove2.js on resource win7-20220812-en
- Behavioral task behavioral2: sample wynmove2.js on resource win10v2004-20220812-en

The signatures, process tree and network data below come from behavioral1 (the Windows 7 x64 run); the user-agent strings and PIDs reflect that image.
General
- Target: wynmove2.js
- Size: 24KB
- MD5: c786578dbb1fd998f418ed64ea235aaf
- SHA1: d4eb6b6dade1b01a016f126989da542718ecc51a
- SHA256: 273a212f0b2db0d69cf66c7e1270bf9b798078844d20e22986b8670f674bd46b
- SHA512: 5e88c9208788a4c7be201282e72e0f9827e9a4aecd74fe4b9a4a5f4d67ab88b7c1ae62b9fc317f7a3fc32fb400b2de7f5bfa7596646855068d2b823a2c8c9d74
- SSDEEP: 384:TkdYmmTE76CKm3xvXreE161NULuRCJMFFk631qf9V9pe9u1EGJgaz02:TQStCJ3hbkRCnl1rJi2
Malware Config
Extracted family: wshrat
C2 URLs (same host, two ports):
- http://45.139.105.174:7670
- http://45.139.105.174:3670
Signatures

WSHRAT payload (2 IoCs)
YARA rule family_wshrat matched two dropped files:
- behavioral1/files/0x00080000000139e4-60.dat
- behavioral1/files/0x0007000000013aad-63.dat
Blocklisted process makes network request (32 IoCs)
Both network-active processes are wscript.exe instances (see the process tree below):
- PID 304 (wscript.exe, Roaming\wynmove2.js): flows 3, 4, 5, 7, 8, 10, 12, 13, 14, 16, 17, 18, 19, 20, 25, 26, 27, 29, 31, 32, 36, 37, 39, 42, 44, 46, 50, 52
- PID 1672 (wscript.exe, Temp\wynlog02.js): flows 23, 24, 34, 51
Drops startup file (4 IoCs)
Both scripts are copied into the per-user Startup folder, so they run at every logon in addition to the Run keys below:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog02.js (WScript.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog02.js (wscript.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove2.js (wscript.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove2.js (wscript.exe)
Adds Run key to start application (2 TTPs, 16 IoCs)
Each script registers itself under both the machine-wide (HKLM) and the user (HKU) Run key, and each registration is repeated, so the same value is written more than once. The value data launches the script through wscript.exe with //B (batch mode, which suppresses script errors and prompts):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove2.js\"" (wscript.exe, 2 times)
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynmove2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove2.js\"" (wscript.exe, 2 times)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog02 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynlog02.js\"" (WScript.exe once, wscript.exe once)
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynlog02 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynlog02.js\"" (WScript.exe once, wscript.exe once)
- Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (WScript.exe once, wscript.exe 3 times)
- Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run (WScript.exe once, wscript.exe 3 times)

Note that the HKLM writes succeed only because the sandbox runs the sample as an administrator; on a standard user account only the HKU values and the Startup-folder copies would persist.
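The Run-key entries above are a compact detection signal: a script host launched on a script that lives in a user-writable directory. The following is an added example, not code from the report or from the sandbox vendor, that parses registry events written in the same "Set value (str) <key>\<name> = "<data>" <process>" shape as the table above and flags exactly that pattern. The three report rows are copied verbatim; the two benign control rows (a Defender tray entry and an OneDrive entry that also lives under AppData) are constructed to show that the rule keys on the script host plus the path, not on the path alone. The host list and path markers are illustrative assumptions.

```python
import re
from os.path import basename

# Script hosts abused for persistence and the script types they run.
# Assumption: illustrative lists, not exhaustive.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Directory markers a standard user can write to without elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events in the shape of the report's "Adds Run key" rows.
# Rows 1-3 are copied from the report; rows 4-5 are benign controls (assumed
# values) that the rule must not flag.
SAMPLE_REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove2.js\"" wscript.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynlog02 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynlog02.js\"" WScript.exe',
    r'Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\"" explorer.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" explorer.exe',
]

# "Set value (<type>) <key>\<name> = "<data>" <process>"; <data> keeps the
# report's escaping (\" and \\) and is unescaped after matching.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S*?)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>.*)" (?P<process>\S+)$'
)
# Command-line tokens: a double-quoted run or a run of non-whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def unescape_report_string(s):
    """Undo the report's JSON-style escaping: a backslash quotes the next char."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_set_value(line):
    """Return the fields of a 'Set value' row, or None for any other row."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["data"] = unescape_report_string(event["data"])
    return event


def split_command(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def classify_run_value(event):
    """Flag a Run value whose command runs a script host on a script stored
    in a user-writable directory; return a finding dict or None."""
    tokens = split_command(event["data"])
    if not tokens:
        return None
    host = basename(tokens[0].replace("\\", "/")).lower()
    if host not in SCRIPT_HOSTS:
        return None
    scripts = [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTENSIONS)]
    if not scripts:
        return None
    script = scripts[0]
    if not any(marker in script.lower() for marker in USER_WRITABLE_MARKERS):
        return None
    return {
        "value_name": event["name"],
        "hive": "HKLM" if "\\MACHINE\\" in event["key"] else "HKU",
        "host": host,
        "script": script,
        # //B is batch mode: wscript suppresses errors and prompts.
        "silent": "//b" in [t.lower() for t in tokens[1:]],
        "process": event["process"],
    }


def find_script_persistence(lines):
    """Run the rule over a list of report-style registry rows."""
    findings = []
    for line in lines:
        event = parse_set_value(line)
        if event is None:
            continue
        finding = classify_run_value(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_script_persistence(SAMPLE_REGISTRY_EVENTS):
        print(f"{f['hive']}\\...\\Run\\{f['value_name']}: {f['host']} -> {f['script']} (silent={f['silent']})")
```

Run as-is it reports the two WSHRAT values and stays silent on the Defender and OneDrive rows; the OneDrive row matters because it shows that "anything under AppData" would be a noisy rule on its own, while "script host plus script under AppData/Temp" is rarely legitimate.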
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP:
- flow 22: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; nothing else in this report (no mass file modification, no ransom note) supports that reading. For a WSHRAT sample, enumerating drives is the expected behaviour of a family that spreads via removable media, so treat this as a propagation indicator rather than encryption.
Script User-Agent (31 IoCs)
Uses a user-agent string associated with a script host/environment. The HTTP User-Agent header is the WSHRAT check-in itself: it carries the username (Admin), the OS string, the run date (3/11/2022, matching the submission date) and the script language, separated by "|". Two variants occur:
- 28 flows (3, 4, 5, 7, 8, 10, 12, 13, 14, 16, 17, 18, 19, 20, 25, 26, 27, 29, 31, 32, 36, 37, 39, 42, 44, 46, 50, 52): WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript
- 3 flows (24, 34, 51): WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands

The three flows with the -v3.4|NL:Netherlands suffix all belong to PID 1672 (the wynlog02.js instance) and come after the ip-api.com lookup in flow 22, which is where the country field is filled in. The fixed "WSHRAT|" prefix and the trailing space inside "Microsoft Windows 7 Ultimate " are stable tokens for proxy-log detection.
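The two user-agent variants above are enough to write a proxy-log detector that not only matches the beacon but also recovers the bot identity from it. The following is an added example, not code from the report or from the sandbox, that parses the WSHRAT user-agent into fields and scans constructed proxy-log lines for it. The user-agent strings and the C2 IP:ports are taken from this report; the log-line format, client IPs, timestamps, URL paths, the second bot's identifiers and the browser line are assumptions made for the example. The field names follow the publicly documented Houdini/WSHRAT layout (hardware id, host name, user, OS, variant, AV, USB-spread flag, install date, script language) and are themselves an assumption; only the user, OS, date and language fields are directly confirmed by the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed proxy log: "<ts> <client> <method> <url> \"<user-agent>\"".
# Lines 1-2 reuse the report's user-agent strings and C2 endpoints; line 3 is
# a benign browser request and line 4 a second, invented bot (assumed values).
SAMPLE_PROXY_LOG = [
    '2022-11-03T11:37:02Z 10.0.0.15 POST http://45.139.105.174:7670/ '
    '"WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript"',
    '2022-11-03T11:37:41Z 10.0.0.15 POST http://45.139.105.174:3670/ '
    '"WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands"',
    '2022-11-03T11:38:10Z 10.0.0.22 GET http://example.com/ '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"',
    '2022-11-03T11:39:55Z 10.0.0.22 POST http://45.139.105.174:7670/ '
    '"WSHRAT|0A1B2C3D|WKSTN07|alice|Microsoft Windows 10 Pro |plus|nan-av|true - 1/11/2022|JavaScript"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
# Last pipe field: "JavaScript" or "JavaScript-v3.4".
LANG_RE = re.compile(r'^(?P<lang>[A-Za-z]+)(?:-v(?P<version>[\d.]+))?$')


@dataclass
class WshratBeacon:
    """Fields of one WSHRAT check-in. Names assume the Houdini/WSHRAT layout."""
    hwid: str            # field 1, e.g. D44DAEDB (assumed: hardware/volume id)
    hostname: str        # field 2, e.g. ORXGKKZC (assumed: computer name)
    username: str        # field 3, confirmed by the report (Admin)
    os: str              # field 4, confirmed (Microsoft Windows 7 Ultimate)
    variant: str         # field 5, the literal "plus" (meaning assumed)
    antivirus: str       # field 6, "nan-av" (assumed: no AV detected)
    usb_spread: str      # field 7 before " - " (assumed: USB-spread flag)
    install_date: str    # field 7 after " - ", confirmed (3/11/2022)
    script_lang: str     # field 8, confirmed (JavaScript)
    version: Optional[str]   # "-vX.Y" suffix of field 8 when present
    country: Optional[str]   # optional field 9, e.g. NL:Netherlands


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Parse a WSHRAT user-agent; return None for anything else."""
    parts = ua.split("|")
    if parts[0] != "WSHRAT" or len(parts) < 9:
        return None
    usb_flag, sep, install_date = parts[7].partition(" - ")
    lang_match = LANG_RE.match(parts[8])
    if not sep or not lang_match:
        return None
    return WshratBeacon(
        hwid=parts[1], hostname=parts[2], username=parts[3],
        os=parts[4].strip(), variant=parts[5], antivirus=parts[6],
        usb_spread=usb_flag, install_date=install_date,
        script_lang=lang_match["lang"], version=lang_match["version"],
        country=parts[9] if len(parts) > 9 else None,
    )


@dataclass
class Hit:
    client: str          # internal client IP from the proxy log
    c2: str              # host:port taken from the request URL
    beacon: WshratBeacon


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose user-agent parses as a WSHRAT beacon."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        beacon = parse_wshrat_ua(m["ua"])
        if beacon is None:
            continue
        hits.append(Hit(client=m["client"], c2=urlsplit(m["url"]).netloc, beacon=beacon))
    return hits


def infected_hosts(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group hits by bot hardware id and list the C2 endpoints each one used."""
    by_hwid: Dict[str, set] = {}
    for hit in hits:
        by_hwid.setdefault(hit.beacon.hwid, set()).add(hit.c2)
    return {hwid: sorted(c2s) for hwid, c2s in by_hwid.items()}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        b = hit.beacon
        print(f"{hit.client} -> {hit.c2}: {b.hostname}\\{b.username} ({b.os}) v={b.version} {b.country}")
    print(infected_hosts(found))
```

Keying the grouping on the hardware-id field rather than on the client IP is deliberate: the same bot reports through both C2 ports, and behind NAT several bots can share one source address, while the hardware id stays constant across both user-agent variants.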
Suspicious use of WriteProcessMemory (9 IoCs)
Each entry pairs a parent with the child it spawns in the process tree below, so these writes are part of process creation rather than injection into an unrelated process:
- PID 1348 wrote to memory of PID 304 (wscript.exe, procid_target 26), 3 times
- PID 304 wrote to memory of PID 1844 (wscript.exe, procid_target 33), 3 times
- PID 1844 wrote to memory of PID 1672 (WScript.exe, procid_target 34), 3 times
Processes
- C:\Windows\system32\wscript.exe, PID 1348 (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\wynmove2.js
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe, PID 304 (depth 2, child of 1348)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove2.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe, PID 1844 (depth 3, child of 304)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\wynlog02.js"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\wscript.exe, PID 1672 (depth 4, child of 1844)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application

Reading the chain: the submitted script, launched from Temp, relaunches a copy of itself from AppData\Roaming with //B; that copy starts a second script, wynlog02.js, from Roaming, which in turn relaunches from Temp with //B. Only the two //B instances (PIDs 304 and 1672) talk to the C2, and each of the four processes re-registers persistence, which is why the Run-key and Startup-folder signatures list the same paths several times.
Downloads
- Filesize 188KB
  MD5: 159203fbff13320da03487c270bd16c9
  SHA1: a3f2d4fb77d2c0d08264d40441e5fec872b38b3c
  SHA256: d2d2d9e5730335867810ac8a3c95a75d36982ababaefd10d197ee4e79ac0fd88
  SHA512: 9bdd4f0d155f0520478e7de55ce31b364882596426399cfdac971d70898528afb112dd0f1972ce58ac2467fad33898e8270f381128c3afa188681b325164a78c
- Filesize 24KB (hashes identical to the submitted sample, so the dropped wynmove2.js copies are byte-for-byte the original)
  MD5: c786578dbb1fd998f418ed64ea235aaf
  SHA1: d4eb6b6dade1b01a016f126989da542718ecc51a
  SHA256: 273a212f0b2db0d69cf66c7e1270bf9b798078844d20e22986b8670f674bd46b
  SHA512: 5e88c9208788a4c7be201282e72e0f9827e9a4aecd74fe4b9a4a5f4d67ab88b7c1ae62b9fc317f7a3fc32fb400b2de7f5bfa7596646855068d2b823a2c8c9d74