Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-11-2022 11:36
Static task
static1
Behavioral task
behavioral1
Sample
wynmove2.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
wynmove2.js
Resource
win10v2004-20220812-en
General
-
Target
wynmove2.js
-
Size
24KB
-
MD5
c786578dbb1fd998f418ed64ea235aaf
-
SHA1
d4eb6b6dade1b01a016f126989da542718ecc51a
-
SHA256
273a212f0b2db0d69cf66c7e1270bf9b798078844d20e22986b8670f674bd46b
-
SHA512
5e88c9208788a4c7be201282e72e0f9827e9a4aecd74fe4b9a4a5f4d67ab88b7c1ae62b9fc317f7a3fc32fb400b2de7f5bfa7596646855068d2b823a2c8c9d74
-
SSDEEP
384:TkdYmmTE76CKm3xvXreE161NULuRCJMFFk631qf9V9pe9u1EGJgaz02:TQStCJ3hbkRCnl1rJi2
Malware Config
Extracted
wshrat
http://45.139.105.174:7670
http://45.139.105.174:3670
Signatures
-
WSHRAT payload 3 IoCs
resource | yara_rule
behavioral2/files/0x000400000001629d-136.dat | family_wshrat
behavioral2/files/0x00070000000162a7-138.dat | family_wshrat
behavioral2/files/0x00050000000162ad-139.dat | family_wshrat
-
Blocklisted process makes network request 30 IoCs
flow | pid | Process
PID 3708 (wscript.exe): flows 6, 10, 11, 12, 31, 32, 36, 37, 42, 44, 45, 46, 47, 48, 52, 53, 54, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65
PID 4372 (wscript.exe): flows 50, 51, 59
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Drops startup file 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog02.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove2.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove2.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynlog02.js | WScript.exe
-
Adds Run key to start application 2 TTPs 16 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove2 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\wynmove2.js" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog02 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js" | WScript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog02 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove2 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\wynmove2.js" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove2 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\wynmove2.js" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove2 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\wynmove2.js" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog02 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js" | WScript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynlog02 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
-
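The persistence pattern above is the same in every Run value the sample writes: a script host (wscript.exe) run in batch mode (//B, which suppresses script errors and prompts) against a .js file under a per-user writable directory (AppData\Roaming or AppData\Local\Temp). The following check, an added example that is not part of the Triage report or the sample, flags Run values with exactly that shape. The first two sample entries are the values recorded in this report; the third is a constructed benign entry so the check has something to pass over.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Run values as (key, value name, data). The first two are what this report
# shows the sample writing; the third is a constructed benign entry.
SAMPLE_RUN_VALUES: List[Tuple[str, str, str]] = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wynmove2",
     r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\wynmove2.js"'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wynlog02",
     r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js"'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Per-user locations a RAT can write to without elevation; extend as needed.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)


def split_cmdline(cmd: str) -> List[str]:
    """Minimal Windows command-line splitter: quoted arguments stay whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


@dataclass
class Finding:
    key: str
    name: str
    host: str           # script host image basename, lower-cased
    script: str         # script path handed to the host ("" if none found)
    silent: bool        # //B present: batch mode, no error dialogs
    user_writable: bool # script lives under a per-user writable directory


def flag_script_host_autoruns(entries) -> List[Finding]:
    """Return every Run value whose command is a script host launching a script."""
    findings = []
    for key, name, data in entries:
        toks = split_cmdline(data)
        if not toks:
            continue
        # The image may be bare ("wscript.exe") or a full path; compare the basename.
        host = toks[0].rsplit("\\", 1)[-1].lower()
        if host not in SCRIPT_HOSTS:
            continue
        silent = any(t.lower() == "//b" for t in toks[1:])
        script = next((t for t in toks[1:] if t.lower().endswith(SCRIPT_EXTS)), "")
        findings.append(Finding(key, name, host, script, silent,
                                bool(USER_WRITABLE.search(script))))
    return findings


if __name__ == "__main__":
    for f in flag_script_host_autoruns(SAMPLE_RUN_VALUES):
        print(f"{f.key}\\{f.name}: {f.host} -> {f.script} "
              f"(silent={f.silent}, user_writable={f.user_writable})")
```

On a live host the same function can be fed the output of a registry walk over both HKLM and HKCU Run keys; a hit with silent and user_writable both true is the combination this sample produces, and one that legitimate software almost never does.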
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
49 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but nothing else in this report shows file encryption; for a WSH-based RAT, enumerating drives is more consistent with the removable-drive spreading this family is known for.
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | wscript.exe
-
Script User-Agent 28 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 6, 10, 11, 31, 32, 36, 37, 42, 44, 45, 46, 47, 48, 52, 53, 54, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65 | WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/11/2022|JavaScript
HTTP User-Agent header | 51, 59 | WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands
-
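The beacon User-Agent is the most stable network indicator in this report: every C2 request carries the same pipe-delimited string, and only the two flows after the ip-api.com lookup (flow 49) gain the "-v3.4" version suffix and the "NL:Netherlands" country field. A detection should therefore key on the prefix and field layout, not on the optional tail. The parser below is an added example, not code from Triage or from the sample. The field names beyond user and OS (id, host, av, flag) are assumptions about what 94D95F5C, GBQHURCC, nan-av and the leading "false" mean; the proxy log it runs over is constructed, with the report's UA strings and C2 host:port pairs but made-up timestamps, client addresses and non-beacon lines.

```python
import re
from typing import Dict, List, Optional

# Every C2 beacon in this report starts with this prefix; the ip-api.com
# request (flow 49) does not.
WSHRAT_PREFIX = re.compile(r"^WSHRAT\|")


def parse_wshrat_ua(ua: str) -> Optional[Dict[str, str]]:
    """Split a WSHRAT beacon User-Agent into named fields, or None if it is not one.

    Layout as seen in this report:
      WSHRAT|<id>|<host>|<user>|<os>|plus|<av>|<flag> - <date>|<lang>[-v<ver>][|<CC:Country>]
    Names past the obvious ones (user, os) are assumptions, not from the report:
    "id"/"host" for 94D95F5C/GBQHURCC, "av" for nan-av, "flag" for the leading "false".
    """
    if not WSHRAT_PREFIX.match(ua):
        return None
    parts = ua.split("|")
    if len(parts) < 9:
        return None
    flag, _, date = parts[7].partition(" - ")
    lang, _, version = parts[8].partition("-v")
    return {
        "id": parts[1], "host": parts[2], "user": parts[3], "os": parts[4],
        "av": parts[6], "flag": flag, "date": date, "lang": lang,
        "version": version,                              # "" until the implant reports it
        "country": parts[9] if len(parts) > 9 else "",   # "" before the IP lookup
    }


# Constructed proxy log: tab-separated timestamp, client, server, User-Agent.
SAMPLE_PROXY_LOG = """\
2022-11-03T11:37:02Z\t10.0.0.5\t45.139.105.174:7670\tWSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/11/2022|JavaScript
2022-11-03T11:37:05Z\t10.0.0.5\tip-api.com:80\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)
2022-11-03T11:37:09Z\t10.0.0.5\t45.139.105.174:3670\tWSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/11/2022|JavaScript-v3.4|NL:Netherlands
2022-11-03T11:38:00Z\t10.0.0.7\tupdate.example.net:443\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
"""


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return one record per WSHRAT beacon in the log, with the parsed UA fields."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server, ua = line.split("\t", 3)
        fields = parse_wshrat_ua(ua)
        if fields is None:
            continue
        hits.append({"ts": ts, "client": client, "server": server, **fields})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["server"]} '
              f'id={hit["id"]} user={hit["user"]} ver={hit["version"] or "?"} '
              f'country={hit["country"] or "?"}')
```

Grouping hits by the id field gives one row per infected host even when the C2 port changes (7670 and 3670 here), and the first record without a country value marks the beacon that preceded the ip-api.com lookup.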
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2796 wrote to memory of 3708 | 2796 | wscript.exe | 82
PID 2796 wrote to memory of 3708 | 2796 | wscript.exe | 82
PID 3708 wrote to memory of 2516 | 3708 | wscript.exe | 90
PID 3708 wrote to memory of 2516 | 3708 | wscript.exe | 90
PID 2516 wrote to memory of 4372 | 2516 | WScript.exe | 91
PID 2516 wrote to memory of 4372 | 2516 | WScript.exe | 91
Processes
-
1. C:\Windows\system32\wscript.exe (PID 2796)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\wynmove2.js
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 3708)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove2.js"
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe (PID 2516)
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\wynlog02.js"
         - Checks computer location settings
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\wscript.exe (PID 4372)
            Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\wynlog02.js"
            - Blocklisted process makes network request
            - Drops startup file
            - Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 188KB
MD5: 159203fbff13320da03487c270bd16c9
SHA1: a3f2d4fb77d2c0d08264d40441e5fec872b38b3c
SHA256: d2d2d9e5730335867810ac8a3c95a75d36982ababaefd10d197ee4e79ac0fd88
SHA512: 9bdd4f0d155f0520478e7de55ce31b364882596426399cfdac971d70898528afb112dd0f1972ce58ac2467fad33898e8270f381128c3afa188681b325164a78c
-
Filesize: 24KB (the submitted sample; hashes match the General section above)
MD5: c786578dbb1fd998f418ed64ea235aaf
SHA1: d4eb6b6dade1b01a016f126989da542718ecc51a
SHA256: 273a212f0b2db0d69cf66c7e1270bf9b798078844d20e22986b8670f674bd46b
SHA512: 5e88c9208788a4c7be201282e72e0f9827e9a4aecd74fe4b9a4a5f4d67ab88b7c1ae62b9fc317f7a3fc32fb400b2de7f5bfa7596646855068d2b823a2c8c9d74