Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
  • submitted
    02/12/2022, 12:42

General

  • Target

    Quotation Request.js

  • Size

    42KB

  • MD5

    c345961a64e6bf1dd83dea9418c2323a

  • SHA1

    b2edb5c1c41415a1b1f50a809c1b528008bdcf38

  • SHA256

    ae5f01695d046a56eb08b76363f51320921fd6ac021ec057d90785d976832c34

  • SHA512

    9f0d32cd2b0f8f51deabf0e79d60cb8068ab9075d84b4b08d184e9266b6d55b779dfc8e8d49988b3efb6f14b08950f922b64342287fe736acf77b32aa7507f91

  • SSDEEP

    768:NYN31nEZlOxsDSBppfF3GVk4v4ccO/fD3lzo1r8IYOz27s:e0IdBDtGVmEflMoIYOiQ

Malware Config

Extracted

Family

wshrat

C2

http://185.246.220.208:5358

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request 27 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 17 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Quotation Request.js"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dlaOuRctgb.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2004
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quotation Request.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dlaOuRctgb.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1548

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation Request.js

    Filesize

    42KB

    MD5

    c345961a64e6bf1dd83dea9418c2323a

    SHA1

    b2edb5c1c41415a1b1f50a809c1b528008bdcf38

    SHA256

    ae5f01695d046a56eb08b76363f51320921fd6ac021ec057d90785d976832c34

    SHA512

    9f0d32cd2b0f8f51deabf0e79d60cb8068ab9075d84b4b08d184e9266b6d55b779dfc8e8d49988b3efb6f14b08950f922b64342287fe736acf77b32aa7507f91

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dlaOuRctgb.js

    Filesize

    7KB

    MD5

    6ec157e9bc6512caa18d2c4d438bceff

    SHA1

    c16435aa60bd5ffda8546a18233c3f6c521a9f1e

    SHA256

    73ece740572017a0a3ed9e88f1a8169796690606ed5284db979fd975c774bf44

    SHA512

    ccf524745228ae4dda399a7d3e3f78f285233d88ca7ae28bdd306b820f7a2799c18387f75cf0a3a995d52ea8dfc529d7e940ce8e54a41ab51e22fc97644bfd44

  • C:\Users\Admin\AppData\Roaming\Quotation Request.js

    Filesize

    42KB

    MD5

    c345961a64e6bf1dd83dea9418c2323a

    SHA1

    b2edb5c1c41415a1b1f50a809c1b528008bdcf38

    SHA256

    ae5f01695d046a56eb08b76363f51320921fd6ac021ec057d90785d976832c34

    SHA512

    9f0d32cd2b0f8f51deabf0e79d60cb8068ab9075d84b4b08d184e9266b6d55b779dfc8e8d49988b3efb6f14b08950f922b64342287fe736acf77b32aa7507f91

  • C:\Users\Admin\AppData\Roaming\dlaOuRctgb.js

    Filesize

    7KB

    MD5

    6ec157e9bc6512caa18d2c4d438bceff

    SHA1

    c16435aa60bd5ffda8546a18233c3f6c521a9f1e

    SHA256

    73ece740572017a0a3ed9e88f1a8169796690606ed5284db979fd975c774bf44

    SHA512

    ccf524745228ae4dda399a7d3e3f78f285233d88ca7ae28bdd306b820f7a2799c18387f75cf0a3a995d52ea8dfc529d7e940ce8e54a41ab51e22fc97644bfd44

  • memory/2012-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

    Filesize

    8KB