Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-01-2023 10:16
Static task
static1
Behavioral task
behavioral1
Sample
3e1b30de-f946-42cd-85a4-cc60c6337553.js
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3e1b30de-f946-42cd-85a4-cc60c6337553.js
Resource
win10v2004-20220812-en
General
-
Target
3e1b30de-f946-42cd-85a4-cc60c6337553.js
-
Size
994KB
-
MD5
3e24fff43158556e25533e4b9ad50ffa
-
SHA1
0f681b9867dd9d2db193ffe668c6e401a95aa089
-
SHA256
723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f
-
SHA512
0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797
-
SSDEEP
6144:eQfPBx5q0sQ1o7rsbHC01mDBpNW2mTMSbpuV8bubfQI+IGBYJje:eQ3B7qgpUbfo7
Malware Config
Extracted
wshrat
http://oyo.powrkenken.info:46077
Signatures
-
Blocklisted process makes network request 56 IoCs
Processes:
wscript.exe, wscript.exe, wscript.exe
flow | pid | process
5 | 2448 | wscript.exe
6 | 4948 | wscript.exe
8 | 3892 | wscript.exe
14 | 3892 | wscript.exe
15 | 2448 | wscript.exe
16 | 4948 | wscript.exe
17 | 3892 | wscript.exe
18 | 2448 | wscript.exe
19 | 4948 | wscript.exe
20 | 3892 | wscript.exe
31 | 3892 | wscript.exe
40 | 2448 | wscript.exe
42 | 4948 | wscript.exe
68 | 3892 | wscript.exe
90 | 2448 | wscript.exe
91 | 4948 | wscript.exe
92 | 3892 | wscript.exe
93 | 3892 | wscript.exe
94 | 2448 | wscript.exe
95 | 4948 | wscript.exe
99 | 3892 | wscript.exe
102 | 2448 | wscript.exe
103 | 4948 | wscript.exe
104 | 3892 | wscript.exe
106 | 3892 | wscript.exe
107 | 2448 | wscript.exe
108 | 4948 | wscript.exe
109 | 3892 | wscript.exe
110 | 2448 | wscript.exe
111 | 4948 | wscript.exe
112 | 3892 | wscript.exe
113 | 3892 | wscript.exe
114 | 2448 | wscript.exe
115 | 4948 | wscript.exe
117 | 3892 | wscript.exe
118 | 2448 | wscript.exe
119 | 4948 | wscript.exe
120 | 3892 | wscript.exe
121 | 3892 | wscript.exe
122 | 2448 | wscript.exe
123 | 4948 | wscript.exe
124 | 3892 | wscript.exe
125 | 2448 | wscript.exe
126 | 4948 | wscript.exe
127 | 3892 | wscript.exe
128 | 3892 | wscript.exe
129 | 2448 | wscript.exe
130 | 4948 | wscript.exe
131 | 3892 | wscript.exe
132 | 2448 | wscript.exe
133 | 4948 | wscript.exe
134 | 3892 | wscript.exe
135 | 3892 | wscript.exe
136 | 2448 | wscript.exe
137 | 4948 | wscript.exe
138 | 3892 | wscript.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exe, wscript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Drops startup file 5 IoCs
Processes:
wscript.exe, wscript.exe, wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js | wscript.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
wscript.exe, wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e1b30de-f946-42cd-85a4-cc60c6337553 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3e1b30de-f946-42cd-85a4-cc60c6337553.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 24 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description: HTTP User-Agent header
ioc (the same value in all 24 flows): WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/1/2023|JavaScript
flows: 8, 14, 17, 20, 31, 68, 92, 93, 99, 104, 106, 109, 112, 113, 117, 120, 121, 124, 127, 128, 131, 134, 135, 138
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
wscript.exe, wscript.exe
description | pid | process | target process
PID 3916 wrote to memory of 2448 | 3916 | wscript.exe | wscript.exe
PID 3916 wrote to memory of 2448 | 3916 | wscript.exe | wscript.exe
PID 3916 wrote to memory of 3892 | 3916 | wscript.exe | wscript.exe
PID 3916 wrote to memory of 3892 | 3916 | wscript.exe | wscript.exe
PID 3892 wrote to memory of 4948 | 3892 | wscript.exe | wscript.exe
PID 3892 wrote to memory of 4948 | 3892 | wscript.exe | wscript.exe
Processes
-
[depth 1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\3e1b30de-f946-42cd-85a4-cc60c6337553.js
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pBCXlynutq.js"
    - Blocklisted process makes network request
    - Drops startup file
  [depth 2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\3e1b30de-f946-42cd-85a4-cc60c6337553.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pBCXlynutq.js"
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\3e1b30de-f946-42cd-85a4-cc60c6337553.js
Filesize
994KB
MD5
3e24fff43158556e25533e4b9ad50ffa
SHA1
0f681b9867dd9d2db193ffe668c6e401a95aa089
SHA256
723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f
SHA512
0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3e1b30de-f946-42cd-85a4-cc60c6337553.js
Filesize
994KB
MD5
3e24fff43158556e25533e4b9ad50ffa
SHA1
0f681b9867dd9d2db193ffe668c6e401a95aa089
SHA256
723df9facfa6a4b8f4107a7dd238f7ef2b467fe995c103de7c9edd1692e9b25f
SHA512
0ce28b4ea4178b9cf9ee013227301bfb55c9f3d5b90152d180152975d271de637bed04dd2642b4aa412edcb7bf48f5c35d0ea8db78ce1957967709239910c797
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pBCXlynutq.js
Filesize
346KB
MD5
332f3d9969e8d9eb6affc2082767c7a9
SHA1
b1b5a15f54cf685f8447a28df41aa27924f296fb
SHA256
9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491
SHA512
9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3
-
C:\Users\Admin\AppData\Roaming\pBCXlynutq.js
Filesize
346KB
MD5
332f3d9969e8d9eb6affc2082767c7a9
SHA1
b1b5a15f54cf685f8447a28df41aa27924f296fb
SHA256
9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491
SHA512
9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3
-
C:\Users\Admin\AppData\Roaming\pBCXlynutq.js
Filesize
346KB
MD5
332f3d9969e8d9eb6affc2082767c7a9
SHA1
b1b5a15f54cf685f8447a28df41aa27924f296fb
SHA256
9417aeaf164db1b0d8449a7b9e9643eb657ba9f80c0ae6c7b8028ad493a17491
SHA512
9333a4223cb1ad13344d08084dfa87cf6943aefc9c04422938493df61895fcddd716b6f9474db07c86e0813a444984609e385837d4ddc54b14b7aa102bc49fe3
-
memory/2448-132-0x0000000000000000-mapping.dmp
-
memory/3892-134-0x0000000000000000-mapping.dmp
-
memory/4948-136-0x0000000000000000-mapping.dmp