Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2022 07:48

Static task: static1

Behavioral task: behavioral1
  Sample: payment.js
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: payment.js
  Resource: win10v2004-20220812-en
General

Target: payment.js
Size: 24KB
MD5: b3d68dd5492fa261df75900cc205205f
SHA1: 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512: 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0
SSDEEP: 768:EIs214ugj9ZBAADEhsmaaqv8yZ/pzT84OFAjBM4b7:7sZ

Malware Config

Extracted: wshrat
  http://212.193.30.230:7780
Signatures

Blocklisted process makes network request (30 IoCs)
  Process: wscript.exe (pid 4568)
  Flows: 4, 5, 11, 12, 14, 20, 27, 33, 34, 35, 39, 44, 57, 58, 62, 64, 73, 90, 104, 105, 106, 108, 114, 120, 121, 122, 123, 124, 125, 126

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (wscript.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js (wscript.exe)

Adds Run key to start application (2 TTPs, 8 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (29 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header (flows 4, 5, 11, 12, 14, 20, 27, 33, 34, 35, 39, 44, 57, 58, 62, 64, 73, 90, 104, 105, 106, 108, 114, 120, 121, 122, 123, 124, 125):
    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1700 wrote to memory of 4568: pid 1700, Process wscript.exe, procid_target 80
  PID 1700 wrote to memory of 4568: pid 1700, Process wscript.exe, procid_target 80
Processes

1. C:\Windows\system32\wscript.exe (PID 1700)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 4568)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 24KB
MD5: b3d68dd5492fa261df75900cc205205f
SHA1: 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512: 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0