Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-05-2023 16:14
Static task
static1
Behavioral task
behavioral1
Sample
Tax Returns of R58,765.js
Resource
win7-20230220-en
General
-
Target
Tax Returns of R58,765.js
-
Size
922KB
-
MD5
328c532dbdb1c8476def9b91f98230d9
-
SHA1
abd932482e30b79d29a481a1fa448e7e907a4948
-
SHA256
a29300445badc2587283db55eff6ecd93fcb489bf2c4ac94a2d756c96f73b035
-
SHA512
52e235eeac356b6b83a83e46b910c8c11f1c149936c27f824946982dd73167205e8e7200c9c76d1ba2743974856e010afd72e28248a5e99270e52a9150384e4a
-
SSDEEP
6144:QQ9aF0K7PD3n1NtwFfDEqD4Acy+GJIIyoEHwdCRslR/Y1FnW/ceZ0CYZ3a0W3Od2:TI6oje
Malware Config
Extracted
Family: wshrat
C2: http://harold.2waky.com:3609
Signatures
-
Blocklisted process makes network request 23 IoCs
Processes:
wscript.exe (PID 3472), 23 flows: 6, 8, 25, 27, 33, 35, 41, 43, 44, 56, 60, 67, 68, 69, 70, 73, 75, 76, 77, 78, 79, 80, 81
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exe: key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
Drops startup file 2 IoCs
Processes:
wscript.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
wscript.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 5: ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 22 IoCs
Uses user-agent string associated with script host/environment.
Processes:
HTTP User-Agent header, identical on 22 flows (8, 25, 27, 33, 35, 41, 43, 44, 56, 60, 67, 68, 69, 70, 73, 75, 76, 77, 78, 79, 80, 81):
WSHRAT|78F0674A|HCIDPJOT|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 19/5/2023|JavaScript-v3.4|IN:India
This User-Agent is the WSHRAT check-in itself: a pipe-separated victim fingerprint sent in place of a browser string. In the Houdini/WSHRAT layout the fields are the family tag, the volume serial used as hardware id (78F0674A), the computer name (HCIDPJOT), the user name (Admin), the OS caption, the literal "plus", the installed antivirus ("nan-av" when none is found), the USB-spreading switch (false), the install date (19/5/2023, the day of this run), the RAT build (JavaScript-v3.4) and a country code (IN:India), consistent with the ip-api.com lookup at flow 5. Flow 6, also from PID 3472, carries no such header. Because the "WSHRAT|" prefix and the per-victim fields are static, this header is a dependable network detection even when the C2 host changes.
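As an added example that is not part of the sandbox report or the sample, the following Python turns the check-in layout above into detection logic: it scans proxy-style log lines, matches any User-Agent carrying the "WSHRAT|" prefix, decomposes the full layout into named fields, and groups beacons per victim (hardware id plus host name) and C2 endpoint. Only the User-Agent value and the harold.2waky.com:3609 host:port come from the report; the log line layout, request methods, URL paths, client addresses and the malformed fifth line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, method, URL, quoted User-Agent.
# Only the WSHRAT User-Agent string and the harold.2waky.com:3609 host come from
# the report; everything else on these lines is made up for the example.
SAMPLE_LOG = """\
2023-05-19T16:15:01Z 10.0.0.5 GET http://ip-api.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-05-19T16:15:04Z 10.0.0.5 POST http://harold.2waky.com:3609/ "WSHRAT|78F0674A|HCIDPJOT|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 19/5/2023|JavaScript-v3.4|IN:India"
2023-05-19T16:15:09Z 10.0.0.7 GET http://example.com/ "curl/8.0.1"
2023-05-19T16:15:12Z 10.0.0.5 POST http://harold.2waky.com:3609/ "WSHRAT|78F0674A|HCIDPJOT|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 19/5/2023|JavaScript-v3.4|IN:India"
2023-05-19T16:15:20Z 10.0.0.9 POST http://10.0.0.1/ "WSHRAT|broken"
"""

# Houdini/WSHRAT check-in layout: fields split on "|", with the USB flag
# followed by " - <install date>" before the build and country fields.
WSHRAT_UA = re.compile(
    r"^WSHRAT\|(?P<hwid>[0-9A-Fa-f]{8})\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|"
    r"(?P<os>[^|]+)\|plus\|(?P<av>[^|]+)\|(?P<usb>true|false) - "
    r"(?P<installed>\d{1,2}/\d{1,2}/\d{4})\|(?P<build>[^|]+)\|(?P<country>[^|]+)$"
)
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


@dataclass
class Beacon:
    hwid: str
    host: str
    user: str
    os: str
    av: str
    usb_spread: bool
    installed: str
    build: str
    country: str


@dataclass
class Hit:
    ts: str
    src: str
    url: str
    beacon: Optional[Beacon]  # None when the UA has the prefix but not the full layout


def parse_wshrat_ua(ua: str) -> Optional[Beacon]:
    """Decompose a WSHRAT check-in User-Agent; None if it does not fit the layout."""
    m = WSHRAT_UA.match(ua)
    if not m:
        return None
    return Beacon(m["hwid"], m["host"], m["user"], m["os"], m["av"],
                  m["usb"] == "true", m["installed"], m["build"], m["country"])


def scan_log(text: str) -> List[Hit]:
    """Return every request whose User-Agent starts with the WSHRAT tag.

    A prefix match alone is reported so a builder that tweaks the field layout
    still gets flagged; the parsed fields are attached when the layout matches.
    """
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not m["ua"].startswith("WSHRAT|"):
            continue
        hits.append(Hit(m["ts"], m["src"], m["url"], parse_wshrat_ua(m["ua"])))
    return hits


def summarize(hits: List[Hit]) -> Dict[Tuple[str, str], dict]:
    """Group hits per victim: beacon count, C2 host:port set, unparsed count."""
    by_victim: Dict[Tuple[str, str], dict] = {}
    for h in hits:
        key = (h.beacon.hwid, h.beacon.host) if h.beacon else ("?", h.src)
        entry = by_victim.setdefault(key, {"beacons": 0, "c2": set(), "unparsed": 0})
        entry["beacons"] += 1
        entry["c2"].add(urlsplit(h.url).netloc)
        if h.beacon is None:
            entry["unparsed"] += 1
    return by_victim


if __name__ == "__main__":
    for victim, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(victim, info)
```

The victim key deliberately combines the hardware id and host name: the hardware id is a volume serial, so it survives renames of the machine, while the host name catches a re-imaged disk on a known host.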
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
PID 3148 (wscript.exe) wrote to memory of PID 3472 (wscript.exe), two events. PID 3148 is the first-stage script host launched on the sample in Temp; PID 3472 is the child it spawns with //B on the copy in AppData\Roaming, and it is the process behind every flagged network flow above. A parent writing into a child it has just created is also what ordinary process creation looks like (the child's command line and environment are written into it), so on its own this signature reflects the parent/child launch rather than code injection.
Processes
-
C:\Windows\system32\wscript.exe (PID 3148)
Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\wscript.exe (PID 3472), child of the process above
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"
  - Blocklisted process makes network request
  - Drops startup file
The //B switch runs the Windows Script Host in batch mode, which suppresses script error dialogs and prompts, so the second stage keeps running unattended from the AppData\Roaming copy while the Startup-folder copy provides persistence at the next logon.
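The process tree above is a compact host-side signature: a script host re-launching a script host in batch mode from a user-writable path, plus a script written into the Startup folder. As an added example that is not part of the sandbox report, the following Python runs three such rules over constructed Sysmon-style events (Event ID 1 process create, Event ID 11 file create). PIDs 3148 and 3472, the images, command lines and the dropped Startup path follow the report; the explorer.exe parent, parent PID 1234 and the fourth baseline process are invented for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
BATCH_SWITCH = re.compile(r"(?<!\S)//?[Bb](?!\S)")  # standalone " //B " or " /B " token
QUOTED_ARG = re.compile(r'"([^"]+)"')

# Constructed events shaped like Sysmon Event ID 1 (process create) and 11
# (file create). PIDs 3148/3472, images, command lines and the Startup path
# follow the report; the explorer.exe parent, PID 1234 and the fourth
# (benign baseline) process are assumptions made for this example.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 3148, "ppid": 1234, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R58,765.js"'},
    {"id": 11, "pid": 3148, "image": r"C:\Windows\system32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js"},
    {"id": 1, "pid": 3472, "ppid": 3148, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js"'},
    {"id": 1, "pid": 4000, "ppid": 1234, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def script_arg(cmdline: str):
    """Return the first quoted (or bare) argument that ends in a script extension."""
    for arg in QUOTED_ARG.findall(cmdline) + cmdline.split():
        if PureWindowsPath(arg).suffix.lower() in SCRIPT_EXT:
            return arg
    return None


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the three rules; each finding names the PID, the rule and the evidence."""
    findings: List[Dict] = []
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        if ev["id"] == 1:
            script = script_arg(ev["cmdline"])
            # Rule 1: batch-mode script host running a script from a user-writable path.
            if BATCH_SWITCH.search(ev["cmdline"]) and script and USER_WRITABLE.search(script):
                findings.append({"pid": ev["pid"], "rule": "batch_mode_user_path", "detail": script})
            # Rule 2: script host spawned by another script host (stage 1 -> stage 2).
            if basename(ev["parent_image"]) in SCRIPT_HOSTS:
                findings.append({"pid": ev["pid"], "rule": "host_spawns_host",
                                 "detail": f"parent pid {ev['ppid']}"})
        elif ev["id"] == 11:
            # Rule 3: script host writes a script into the per-user Startup folder.
            target = ev["target"]
            if STARTUP_DIR in target.lower() and PureWindowsPath(target).suffix.lower() in SCRIPT_EXT:
                findings.append({"pid": ev["pid"], "rule": "startup_drop", "detail": target})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

Rule 1 keys on the path rather than the file name because the sample keeps its lure name ("Tax Returns of R58,765.js") in every copy; a name-based rule would miss the next lure, while wscript.exe //B on a script under AppData is rare in normal logon activity.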
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js (first listing)
Filesize: 922KB
MD5: a9794b1c79b15aadb49a56e147a65f87
SHA1: 7dffd81c7973edf3dd7430ba2efdf410f7c73386
SHA256: 93370cd7a7e46d691715864df4f29bdfc50da3cadeb469d85d5374ab073324ab
SHA512: a2783d9199f512e4d3570a4ad69bfde8961d22f3b9c9f9253e5bf8723cc6941edbaa82ba1871418e26a7454fed4d5d8ddef73848f6cf61ee4bc776c6b5f5fd41
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R58,765.js (second listing)
Filesize: 922KB
MD5: 328c532dbdb1c8476def9b91f98230d9
SHA1: abd932482e30b79d29a481a1fa448e7e907a4948
SHA256: a29300445badc2587283db55eff6ecd93fcb489bf2c4ac94a2d756c96f73b035
SHA512: 52e235eeac356b6b83a83e46b910c8c11f1c149936c27f824946982dd73167205e8e7200c9c76d1ba2743974856e010afd72e28248a5e99270e52a9150384e4a
-
C:\Users\Admin\AppData\Roaming\Tax Returns of R58,765.js
Filesize: 922KB
MD5: 328c532dbdb1c8476def9b91f98230d9
SHA1: abd932482e30b79d29a481a1fa448e7e907a4948
SHA256: a29300445badc2587283db55eff6ecd93fcb489bf2c4ac94a2d756c96f73b035
SHA512: 52e235eeac356b6b83a83e46b910c8c11f1c149936c27f824946982dd73167205e8e7200c9c76d1ba2743974856e010afd72e28248a5e99270e52a9150384e4a
The Startup-folder copy is captured twice: the first listing (MD5 a9794b1c...) differs from the submitted sample, while the second, matching the "File opened for modification" event on that path, is byte-identical to it (same MD5/SHA1/SHA256/SHA512 as under General). The AppData\Roaming copy that the //B child executes is also identical to the submitted sample, so the sample's own hashes cover the persistent on-disk artifacts; the a9794b1c... write is the same size but the report does not show how its content differs, so it is worth collecting as a separate indicator.