Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2023, 16:56
Static task
static1
Behavioral task
behavioral1
Sample
Invoice.js
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Invoice.js
Resource
win10v2004-20230831-en
General
-
Target
Invoice.js
-
Size
21KB
-
MD5
12b2471d3c8dd16efd69ab5aca0678b9
-
SHA1
15dca12d5e2d7d0281990ee43ffbcd22396fe01a
-
SHA256
ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15
-
SHA512
7f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac
-
SSDEEP
384:6/+tc8v+YhrKZKZXeX5U7CP9fD0eX5GrnB63vQOaSDsvkysjqFJ8TatW8TaUxTam:6/+tbv+YhdZXeXic9fD0eXknB6Y6Dsv7
Malware Config
Extracted
wshrat
http://wishpeople.duckdns.org:9071
Signatures
-
Blocklisted process makes network request 18 IoCs
flow pid Process 13 1860 wscript.exe 97 1860 wscript.exe 134 1860 wscript.exe 135 1860 wscript.exe 136 1860 wscript.exe 137 1860 wscript.exe 138 1860 wscript.exe 139 1860 wscript.exe 140 1860 wscript.exe 141 1860 wscript.exe 142 1860 wscript.exe 143 1860 wscript.exe 144 1860 wscript.exe 145 1860 wscript.exe 146 1860 wscript.exe 147 1860 wscript.exe 151 1860 wscript.exe 152 1860 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.js wscript.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\"" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\"" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\"" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 18 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 13 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 139 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 142 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 143 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 97 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 134 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 135 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 140 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 136 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 138 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 146 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 147 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 151 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 152 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 137 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 141 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 144 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript HTTP User-Agent header 145 WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 13/9/2023|JavaScript -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 1672 svchost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5012 wrote to memory of 1860 5012 wscript.exe 85 PID 5012 wrote to memory of 1860 5012 wscript.exe 85
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice.js1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1860
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:4812
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5b4958eaaadde9e85cf1b1acae299494a
SHA17c17846d10ebeade6a908551a40b86ad81c58b6b
SHA25612c07204d79fba4f4ae043fb776965a7407f58ef14f1a95e02dc42579e247c1a
SHA5127c35c88b0e36ab30979f6d734aa3bac8f24247b03f8f4148f75269bda267621a993911520ea6ad7965032ab3109052549d725188e2539b13e3e6078413ed4bab
-
Filesize
21KB
MD512b2471d3c8dd16efd69ab5aca0678b9
SHA115dca12d5e2d7d0281990ee43ffbcd22396fe01a
SHA256ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15
SHA5127f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac
-
Filesize
21KB
MD512b2471d3c8dd16efd69ab5aca0678b9
SHA115dca12d5e2d7d0281990ee43ffbcd22396fe01a
SHA256ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15
SHA5127f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac
-
Filesize
21KB
MD512b2471d3c8dd16efd69ab5aca0678b9
SHA115dca12d5e2d7d0281990ee43ffbcd22396fe01a
SHA256ae69570258cabd6bbede57ef510836d167c0d9b1752d3d742f8e4769e17eba15
SHA5127f72edfe2fa615279bfb18a6117afdac855ea6c37250b2473dad2f9ee6d701869123240f44d631020b4fb727869d00a697de5ed7c7bd59640594b57a4db787ac