Analysis Overview
SHA256
d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6
Threat Level: Known bad
The file payment.js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-04 07:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-04 07:48
Reported
2022-11-04 07:50
Platform
win7-20220812-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 544 wrote to memory of 1872 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 544 wrote to memory of 1872 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 544 wrote to memory of 1872 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment.js"
Network
| Country | Destination | Domain | Proto |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
Files
memory/544-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp
memory/1872-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\payment.js
| MD5 | b3d68dd5492fa261df75900cc205205f |
| SHA1 | 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d |
| SHA256 | d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6 |
| SHA512 | 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js
| MD5 | b3d68dd5492fa261df75900cc205205f |
| SHA1 | 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d |
| SHA256 | d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6 |
| SHA512 | 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-04 07:48
Reported
2022-11-04 07:50
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 4/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4612 wrote to memory of 1556 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4612 wrote to memory of 1556 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\payment.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment.js"
Network
| Country | Destination | Domain | Proto |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| DE | 20.52.64.200:443 | tcp | |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | tcp | |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | 212.193.30.230 | tcp |
| NL | 212.193.30.230:7780 | tcp |
Files
memory/1556-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\payment.js
| MD5 | b3d68dd5492fa261df75900cc205205f |
| SHA1 | 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d |
| SHA256 | d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6 |
| SHA512 | 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment.js
| MD5 | b3d68dd5492fa261df75900cc205205f |
| SHA1 | 6b1ccb0ea2ad7f59ad4feff99f7c9f53218ac64d |
| SHA256 | d195a4460cbf030a568e980c5b07e7f33cb2f0d5b2f9634b1ca71ad43fafa8d6 |
| SHA512 | 42695f2c81e09343dd8fb94c5a5a82235bc587c70f8ea0bfd4c4490cf5d38e57243f1c641cd72180c5d036fefb8454b651bec6931b86b7d15304bb10043931a0 |