Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 04/11/2022, 07:48

General

  • Target: payment.js
  • Size: 24KB
  • MD5: b3d68dd5492fa261df75900cc205205f
  • SHA1: 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
  • SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
  • SHA512: 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0
  • SSDEEP: 768:EIs214ugj9ZBAADEhsmaaqv8yZ/pzT84OFAjBM4b7:7sZ

Malware Config

Extracted

  • Family: wshrat
  • C2: http://212.193.30.230:7780

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request (9 IoCs)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent (4 IoCs)

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1872

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js
    Filesize: 24KB
    MD5: b3d68dd5492fa261df75900cc205205f
    SHA1: 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
    SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
    SHA512: 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0

  • C:\Users\Admin\AppData\Roaming\payment.js
    Filesize: 24KB
    MD5: b3d68dd5492fa261df75900cc205205f
    SHA1: 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
    SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
    SHA512: 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0

  • memory/544-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp
    Filesize: 8KB