Analysis

Max time kernel: 146s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-05-2023 08:52
Static task: static1
Behavioral task: behavioral1
Sample: Payment Notification.js
Resource: win7-20230220-en
General

Target: Payment Notification.js
Size: 1009KB
MD5: e7fcc6eafeb8d232acb424cf11a72144
SHA1: 4c16409adece66c53e8b1caf87f6bd6f30e611e8
SHA256: 4854f4cdfc2cc56b7e62e3cb3503e4d2873207bd1dd99805f3c39a666a1473b5
SHA512: 5e03618e89145435b49aaeaccb3b40886a44ecf752c8bf49a1284e8b2a647c7492199c8a2ad13c0393ae591d71f221c09ecd0e2be93b76a8fee6a29196128949
SSDEEP: 3072:QQLlH0xKE8W8za9r6HLb6kyVIksLgu9M/z/SjANqyCCn50jPjSF:QQG
Malware Config
Extracted
wshrat
http://harold.2waky.com:1604
Signatures

Blocklisted process makes network request (19 IoCs)
Processes: wscript.exe (PID 4680)
Flows: 8, 10, 17, 18, 24, 45, 53, 55, 62, 72, 73, 79, 82, 83, 86, 87, 88, 91, 92
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
Processes: wscript.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Notification.js
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Notification.js
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 7: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Script User-Agent (17 IoCs)
Uses user-agent string associated with script host/environment.
HTTP User-Agent header observed on flows 10, 17, 18, 24, 45, 53, 55, 62, 72, 79, 82, 83, 86, 87, 88, 91, 92 (identical value on every flow):
WSHRAT|924C16C7|OZADSVWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 22/5/2023|JavaScript-v3.4|IN:India
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
PID 4556 (wscript.exe) wrote to memory of PID 4680 (wscript.exe)
PID 4556 (wscript.exe) wrote to memory of PID 4680 (wscript.exe)
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Notification.js"
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\wscript.exe (child process)
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\Payment Notification.js"
   - Blocklisted process makes network request
   - Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Notification.js
Filesize: 1009KB
MD5: e7fcc6eafeb8d232acb424cf11a72144
SHA1: 4c16409adece66c53e8b1caf87f6bd6f30e611e8
SHA256: 4854f4cdfc2cc56b7e62e3cb3503e4d2873207bd1dd99805f3c39a666a1473b5
SHA512: 5e03618e89145435b49aaeaccb3b40886a44ecf752c8bf49a1284e8b2a647c7492199c8a2ad13c0393ae591d71f221c09ecd0e2be93b76a8fee6a29196128949
C:\Users\Admin\Payment Notification.js
Filesize: 1009KB
MD5: e7fcc6eafeb8d232acb424cf11a72144
SHA1: 4c16409adece66c53e8b1caf87f6bd6f30e611e8
SHA256: 4854f4cdfc2cc56b7e62e3cb3503e4d2873207bd1dd99805f3c39a666a1473b5
SHA512: 5e03618e89145435b49aaeaccb3b40886a44ecf752c8bf49a1284e8b2a647c7492199c8a2ad13c0393ae591d71f221c09ecd0e2be93b76a8fee6a29196128949