Analysis

max time kernel: 143s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2022 12:21
Static task: static1

Behavioral task: behavioral1
  Sample: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
  Resource: win10v2004-20220812-en
General

Target: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
Size: 51KB
MD5: 0d0b5b04e14fcc092409742a84532f26
SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f
SSDEEP: 768:5Kk5HT1xsHylPCTBp0Jv8BD3DQ7vGOAX1OsIWgCX56nu1CPL2lssQ:ZPzwBSvcTQ7+OAX1O3CX56n4GL2lssQ
Malware Config

Extracted family: wshrat
Extracted URL: http://harold.jetos.com:1604
Signatures

Blocklisted process makes network request (30 IoCs)
flow 7, pid 4668: wscript.exe
flow 8, pid 1676: wscript.exe
flow 9, pid 2252: wscript.exe
flow 19, pid 2252: wscript.exe
flow 27, pid 2252: wscript.exe
flow 33, pid 2252: wscript.exe
flow 37, pid 4668: wscript.exe
flow 38, pid 1676: wscript.exe
flow 41, pid 2252: wscript.exe
flow 43, pid 2252: wscript.exe
flow 47, pid 2252: wscript.exe
flow 50, pid 1676: wscript.exe
flow 51, pid 4668: wscript.exe
flow 52, pid 2252: wscript.exe
flow 55, pid 2252: wscript.exe
flow 57, pid 2252: wscript.exe
flow 58, pid 2252: wscript.exe
flow 59, pid 1676: wscript.exe
flow 60, pid 4668: wscript.exe
flow 61, pid 2252: wscript.exe
flow 62, pid 2252: wscript.exe
flow 63, pid 2252: wscript.exe
flow 64, pid 4668: wscript.exe
flow 65, pid 1676: wscript.exe
flow 66, pid 2252: wscript.exe
flow 67, pid 2252: wscript.exe
flow 68, pid 2252: wscript.exe
flow 69, pid 2252: wscript.exe
flow 70, pid 4668: wscript.exe
flow 71, pid 1676: wscript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (wscript.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (5 IoCs)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js (wscript.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js (wscript.exe)
Adds Run key to start application (2 TTPs, 8 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js\"" (wscript.exe)
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js\"" (wscript.exe)
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js\"" (wscript.exe)
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js\"" (wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (18 IoCs)
Uses user-agent string associated with script host/environment.
HTTP User-Agent header, flows 9, 19, 27, 33, 41, 43, 47, 52, 55, 57, 58, 61, 62, 63, 66, 67, 68, 69 (same value in each):
WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/11/2022|JavaScript
Suspicious use of WriteProcessMemory (6 IoCs)
PID 4676 wrote to memory of 1676 (wscript.exe, procid_target 80)
PID 4676 wrote to memory of 1676 (wscript.exe, procid_target 80)
PID 4676 wrote to memory of 2252 (wscript.exe, procid_target 81)
PID 4676 wrote to memory of 2252 (wscript.exe, procid_target 81)
PID 2252 wrote to memory of 4668 (wscript.exe, procid_target 82)
PID 2252 wrote to memory of 4668 (wscript.exe, procid_target 82)
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
  PID: 4676
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
    PID: 1676
    - Blocklisted process makes network request
    - Drops startup file

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js"
    PID: 2252
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"
      PID: 4668
      - Blocklisted process makes network request
      - Drops startup file
Downloads
File (no path recorded)
  Filesize: 10KB
  MD5: 69231c3446c45e0863b0f2ce4ca548ee
  SHA1: aa1b5083657f41f604bb5682e52f5016b434f929
  SHA256: 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
  SHA512: a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e.js
  Filesize: 51KB
  MD5: 0d0b5b04e14fcc092409742a84532f26
  SHA1: 7d978a6f7f07629eb04a126d7a94a19662d0951f
  SHA256: 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
  SHA512: b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f