Analysis

max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2022 07:48
Static task: static1

Behavioral task: behavioral1
  Sample: payment.js
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: payment.js
  Resource: win10v2004-20220812-en
General

Target: payment.js
Size: 24KB
MD5: b3d68dd5492fa261df75900cc205205f
SHA1: 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512: 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0
SSDEEP: 768:EIs214ugj9ZBAADEhsmaaqv8yZ/pzT84OFAjBM4b7:7sZ
Malware Config

Extracted
  Family: wshrat
  C2: http://212.193.30.230:7780
Signatures

Blocklisted process makes network request (14 IoCs)
  flow  pid   Process
  4     1556  wscript.exe
  12    1556  wscript.exe
  13    1556  wscript.exe
  14    1556  wscript.exe
  17    1556  wscript.exe
  18    1556  wscript.exe
  48    1556  wscript.exe
  51    1556  wscript.exe
  58    1556  wscript.exe
  70    1556  wscript.exe
  71    1556  wscript.exe
  83    1556  wscript.exe
  84    1556  wscript.exe
  85    1556  wscript.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file (2 IoCs)
  description                   ioc                                                                                     Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js  wscript.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
  Value data is shown unescaped; the report renders it JSON-escaped.
  description      ioc                                                                                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B "C:\Users\Admin\AppData\Roaming\payment.js""                            wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run                                                          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B "C:\Users\Admin\AppData\Roaming\payment.js""  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                      wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B "C:\Users\Admin\AppData\Roaming\payment.js""                            wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run                                                          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B "C:\Users\Admin\AppData\Roaming\payment.js""  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                      wscript.exe
  Note: the same value is written to both the machine-wide (HKLM) and the per-user (HKU\<SID>) Run key, and each pair appears twice because both wscript.exe processes in the tree below perform it. The HKLM write only succeeds because the sample runs as an administrator; on a standard user account only the per-user value would land. The //B switch runs the script host in batch mode, which suppresses script error dialogs and prompts, so the persisted copy starts silently.
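The two persistence IoCs above (the Startup-folder drop and the Run value launching wscript.exe //B on a script under AppData) are what a hunt query should key on. The following is an added example, not part of the sandbox report or the WSHRAT sample: it walks constructed registry-set and file-create records mirroring the report's IoCs, plus one benign control, and flags the ones that fit this pattern. The record layout (event_id 13 for a registry value set, 11 for a file create, with image/target/details fields) follows Sysmon's event fields but is an assumption about how you export them.

```python
"""Hunt for WSH-script persistence of the kind this report records:
a Run value that launches wscript.exe //B on a script under the user's
profile, and a copy of that script dropped into the Startup folder.

Added example; not part of the sandbox report or the WSHRAT sample.
Event records are constructed from the report's IoCs. The record layout
(event_id 13 = registry value set, 11 = file create, with image/target/
details) mirrors Sysmon's fields but is an assumption about your export.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Locations a standard user can write to; a Run value pointing here is a
# stronger signal than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# A double-quoted token or a run of non-space characters (enough for Run values).
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize_cmdline(cmd):
    """Split a Run value into argv-like tokens, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmd)]


def classify_run_value(data):
    """Return the script path if `data` launches a script host on a script
    and the launch is silent (//B) or the script sits in a user-writable
    directory; otherwise return None."""
    toks = tokenize_cmdline(data)
    if not toks:
        return None
    host = toks[0].lower().rsplit("\\", 1)[-1]
    if host not in SCRIPT_HOSTS:
        return None
    silent = any(t.lower() == "//b" for t in toks[1:])
    scripts = [t for t in toks[1:] if t.lower().endswith(SCRIPT_EXTS)]
    if not scripts:
        return None
    path = scripts[0]
    if silent or any(m in path.lower() for m in USER_WRITABLE):
        return path
    return None


def hunt(events):
    """Return (kind, target, script_path, image) tuples for suspicious events."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13 and RUN_KEY_RE.search(ev["target"]):
            path = classify_run_value(ev["details"])
            if path:
                findings.append(("run_key", ev["target"], path, ev["image"]))
        elif (ev["event_id"] == 11 and STARTUP_RE.search(ev["target"])
              and ev["target"].lower().endswith(SCRIPT_EXTS)):
            findings.append(("startup_folder", ev["target"], ev["target"], ev["image"]))
    return findings


SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
RUN_VALUE = r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\payment.js"'
# Constructed records mirroring the report's IoCs, plus one benign control
# (the Vendor updater is hypothetical).
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment",
     "details": RUN_VALUE},
    {"event_id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment",
     "details": RUN_VALUE},
    {"event_id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js",
     "details": ""},
    {"event_id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for kind, target, path, image in hunt(SAMPLE_EVENTS):
        print(f"{kind:15} {image} -> {target}")
        print(f"{'':15} script: {path}")
```

Running it reports the two Run values and the Startup-folder drop and stays quiet on the updater. Tokenizing the value data rather than substring-matching it matters because the script path is quoted and may contain spaces, and keying on the //B switch or a user-writable location keeps legitimate logon scripts under Program Files out of the results.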
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Script User-Agent (9 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  4     WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  13    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  14    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  17    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  84    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  12    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  48    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  70    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
  HTTP User-Agent header  83    WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript
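The beacon User-Agent above is the most useful network indicator in this report: it is pipe-delimited, starts with the family name, and carries the victim's username, OS and "nan-av" (no antivirus found) in clear text, so a proxy log search on it both detects the infection and tells you which host to pull. The following is an added example, not part of the sandbox report: it parses constructed proxy log lines (timestamp, client IP, method, URL, status, quoted UA; the UA value is the one recorded above) and pairs the UA match with the C2 from the extracted config. Reading the fields as bot id, hostname, username, OS, version, AV, USB-spread flag, date and script type is the usual analyst reading of this family's beacon and is an assumption here; the report only shows the raw string.

```python
"""Pull WSHRAT beacons out of a web-proxy log by their User-Agent.

Added example; not part of the sandbox report. The log lines are constructed
and the field labels applied to the pipe-delimited UA (bot id, hostname,
username, OS, version, AV, USB-spread flag, date, script type) are an
assumption; the report records only the raw string.
"""
import re
from collections import defaultdict

UA_PREFIX = "WSHRAT|"
# C2 taken from the report's extracted config.
C2_RE = re.compile(r"^https?://212\.193\.30\.230:7780(/|$)")
# Constructed log format: ts client method url status "user-agent".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
FIELDS = ("bot_id", "hostname", "username", "os_name", "version", "av")


def parse_ua(ua):
    """Return the beacon fields as a dict, or None if this is not a WSHRAT UA."""
    if not ua.startswith(UA_PREFIX):
        return None
    parts = ua.split("|")
    if len(parts) != 9:
        # Prefix matched but the layout differs: still a hit, just unparsed.
        return {"raw": ua}
    fields = dict(zip(FIELDS, parts[1:7]))
    # Field 8 fuses the USB-spread flag and the date: "false - 4/11/2022".
    flag, _, date = parts[7].partition(" - ")
    fields.update(usb_spread=flag, date=date, script_type=parts[8])
    return fields


def find_beacons(log_text):
    """Flag lines carrying a WSHRAT UA or a request to the known C2."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = parse_ua(m["ua"])
        known_c2 = C2_RE.match(m["url"]) is not None
        if ua is None and not known_c2:
            continue
        hits.append({"line": n, "src": m["src"], "url": m["url"],
                     "known_c2": known_c2, "ua": ua})
    return hits


def infected_hosts(hits):
    """Group beacons by client IP and report the victim's self-reported identity."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h)
    summary = {}
    for src, items in by_src.items():
        ident = next((h["ua"] for h in items if h["ua"] and "hostname" in h["ua"]), None)
        summary[src] = {"beacons": len(items),
                        "hostname": ident["hostname"] if ident else None,
                        "username": ident["username"] if ident else None,
                        "av": ident["av"] if ident else None}
    return summary


WSHRAT_UA = ("WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|"
             "nan-av|false - 4/11/2022|JavaScript")
# Constructed log: two beacons from one client, plus benign traffic.
SAMPLE_LOG = "\n".join([
    f'2022-11-04T07:49:01Z 10.0.2.15 GET http://212.193.30.230:7780/ 200 "{WSHRAT_UA}"',
    '2022-11-04T07:49:03Z 10.0.2.15 GET http://www.msftconnecttest.com/connecttest.txt 200 "Microsoft NCSI"',
    f'2022-11-04T07:49:31Z 10.0.2.15 POST http://212.193.30.230:7780/ 200 "{WSHRAT_UA}"',
    '2022-11-04T07:50:02Z 10.0.2.16 GET https://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
])

if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for h in hits:
        print(h["line"], h["src"], h["url"], h["ua"])
    print(infected_hosts(hits))
```

Matching on the UA prefix catches beacons to a C2 you have not yet extracted, while the C2 match catches a variant that changed its UA; keeping both lets the summary tell you which one fired. The summary is keyed on the proxy's client IP rather than the hostname in the UA, because the UA is attacker-controlled data and should corroborate, not replace, your own telemetry.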
Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 4612 wrote to memory of 1556  4612  wscript.exe  80
  PID 4612 wrote to memory of 1556  4612  wscript.exe  80
  Note: 4612 is the parent of 1556 (see Processes). A parent writing into a child it has just created is ordinary process start-up and is not, on its own, evidence of injection.
Processes

1. C:\Windows\system32\wscript.exe (PID 4612)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (PID 1556, child of 4612)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 24KB
MD5: b3d68dd5492fa261df75900cc205205f
SHA1: 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d
SHA256: d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
SHA512: 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0