Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04/10/2021, 14:27

General

  • Target

    PO50029310.js

  • Size

    1012KB

  • MD5

    9942f5e63c2e6084f444410558ce4ee1

  • SHA1

    1a0e7f8746755d7e155eea004f3441b34d08563b

  • SHA256

    d385dde374b8858e48a85353d81ab03b988901aa49c27bdff815f116fe7742ef

  • SHA512

    83ce45e658a6c6edb63d4660b20d732f52c6e4cfe49a97368e5ef3cb707a78b40273b52debd049041a764057d1619e74ebaa06e32a768f550f7c821dd1648e49

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • suricata: ET MALWARE WSHRAT CnC Checkin

    suricata: ET MALWARE WSHRAT CnC Checkin

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

  • Blocklisted process makes network request 33 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 30 IoCs

    Uses user-agent string associated with script host/environment.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PO50029310.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    PID:4060

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads