Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 14:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: Tax Returns of R48_765.js
- Resource: win7-20240215-en
General
- Target: Tax Returns of R48_765.js
- Size: 957KB
- MD5: 0f597e6821a29bc87b36222f08eff311
- SHA1: e7f24cd04de9b92c013d71d3de526461cfb33c91
- SHA256: df018cc7e708b47edfe4f39769058ce0ba10a65fe653d3a32412dd504d3f2028
- SHA512: 693ed1331f7f048789c11bc661949519149c43e3a76b3b600a1990f74763500a6b4a5efb532921bcdb58b27f3a136af9ba63e2e1dce4094fe078076d0073f1a7
- SSDEEP: 6144:QQ5C90ha3hcY0c5OyZD5i8frkU+uKCbbBGZs3xh527wIy+6Y16vLKdYoiAL1Xl4R:TKF
Malware Config
Extracted
- Family: wshrat
- C2: http://harold.2waky.com:3609
Signatures
Blocklisted process makes network request (28 IoCs)
- flow | pid | Process
- 7, 9, 24, 31, 32, 33, 34, 48, 49, 50, 51, 52, 55, 62, 63, 64, 65, 68, 72, 85, 86, 87, 88, 89, 90, 91, 92, 93 | 4768 | wscript.exe (one row per flow; all 28 flows originate from the same process)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (2 IoCs)
- description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js | wscript.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js | wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow | ioc
- 6 | ip-api.com
Command and Scripting Interpreter: JavaScript (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Script User-Agent (27 IoCs)
Uses user-agent string associated with script host/environment.
- description | flow | ioc
- HTTP User-Agent header | 9, 24, 31, 32, 33, 34, 48, 49, 50, 51, 52, 55, 62, 63, 64, 65, 68, 72, 85, 86, 87, 88, 89, 90, 91, 92, 93 | WSHRAT|1426F231|BVRKIPTS|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom (one row per flow; the same User-Agent value is sent on all 27 flows)
Suspicious use of WriteProcessMemory (2 IoCs)
- description | pid | Process | procid_target
- PID 1148 wrote to memory of 4768 | 1148 | wscript.exe | 84
- PID 1148 wrote to memory of 4768 | 1148 | wscript.exe | 84
Processes
1. C:\Windows\system32\wscript.exe (PID 1148)
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R48_765.js"
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 4768, child of PID 1148)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R48_765.js"
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 957KB
- MD5: 0f597e6821a29bc87b36222f08eff311
- SHA1: e7f24cd04de9b92c013d71d3de526461cfb33c91
- SHA256: df018cc7e708b47edfe4f39769058ce0ba10a65fe653d3a32412dd504d3f2028
- SHA512: 693ed1331f7f048789c11bc661949519149c43e3a76b3b600a1990f74763500a6b4a5efb532921bcdb58b27f3a136af9ba63e2e1dce4094fe078076d0073f1a7