Analysis

max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 20-02-2023 12:06

Static task: static1

Behavioral task: behavioral1
Sample: Payment Details.pdf.js
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: Payment Details.pdf.js
Resource: win10v2004-20220901-en
General

Target: Payment Details.pdf.js
Size: 3.0MB
MD5: 2e893ed360a5b3586ae13862a492652f
SHA1: 053d796519b37d69bf6650f92c5404ef9830ec43
SHA256: ec20d0a098f22992a04e3b875996a6af49e023e929fea3e6192c7444fb80553f
SHA512: f5720175d6383ac7053c1138d3c88c2b4f152985620771e595b698960e699268b3926b000adbf7cc53f184f9d6a5611b34ebad7810da4a973820e9f94af7afec
SSDEEP: 3072:gOMWWSK0P5mUSfibfWZN7T7VE+NFlC7575eGlGE32qXaj1slgD71dwMbb9rp6D9B:y1Ye4E/e/gElEiLnD
Malware Config

Extracted family: wshrat
http://chongmei33.publicvm.com:7045
Signatures

Blocklisted process makes network request (34 IoCs)
Processes: wscript.exe, wscript.exe
flow | pid | process
7 | 596 | wscript.exe
8 | 1800 | wscript.exe
9 | 1800 | wscript.exe
11 | 596 | wscript.exe
12 | 1800 | wscript.exe
16 | 1800 | wscript.exe
17 | 596 | wscript.exe
20 | 1800 | wscript.exe
22 | 596 | wscript.exe
23 | 1800 | wscript.exe
26 | 596 | wscript.exe
28 | 1800 | wscript.exe
30 | 1800 | wscript.exe
31 | 596 | wscript.exe
34 | 1800 | wscript.exe
36 | 596 | wscript.exe
37 | 1800 | wscript.exe
39 | 596 | wscript.exe
40 | 1800 | wscript.exe
42 | 1800 | wscript.exe
45 | 596 | wscript.exe
47 | 1800 | wscript.exe
49 | 1800 | wscript.exe
51 | 596 | wscript.exe
52 | 1800 | wscript.exe
54 | 596 | wscript.exe
56 | 1800 | wscript.exe
57 | 596 | wscript.exe
59 | 596 | wscript.exe
61 | 1800 | wscript.exe
62 | 596 | wscript.exe
63 | 596 | wscript.exe
65 | 596 | wscript.exe
67 | 1800 | wscript.exe

Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NNDWCOxfdH.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NNDWCOxfdH.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Details.pdf.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Details.pdf.js | wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment Details = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Details.pdf.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment Details = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Payment Details.pdf.js\"" | wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (17 IoCs)
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header
flows: 8, 9, 12, 16, 20, 23, 28, 30, 34, 37, 40, 42, 47, 49, 52, 61, 67
ioc (identical for all 17 flows): WSHRAT|E8EA1FD0|VUIIVLGQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 20/2/2023|JavaScript

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 1800 wrote to memory of 596 | 1800 | wscript.exe | wscript.exe
PID 1800 wrote to memory of 596 | 1800 | wscript.exe | wscript.exe
PID 1800 wrote to memory of 596 | 1800 | wscript.exe | wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Details.pdf.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\wscript.exe (child of process 1)
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NNDWCOxfdH.js"
   - Blocklisted process makes network request
   - Drops startup file
Downloads

C:\Users\Admin\AppData\Roaming\NNDWCOxfdH.js
Filesize: 346KB
MD5: 42afa4ae9b3f9f9de4000049c7e1750b
SHA1: 0bf3d473f24bd9ad67b0b1efab040336cab97a8b
SHA256: c33036b994da4cfa087e42d96ceea846341b0346232f5d93e500c91e6b6dd4df
SHA512: 22813368c9fde1db0fd1a388bddba7c9d53be14c01ddba5765c591fd08bb3c4eb1d1a9319dcb5fca389fd9b99027245ebd3fd76afa0060051492e441b1e718d4

memory/596-54-0x0000000000000000-mapping.dmp