Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
16-02-2023 15:35
Static task
static1
Behavioral task
behavioral1
Sample
ORDER-2030213F.vbs
Resource
win7-20221111-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
ORDER-2030213F.vbs
Resource
win10v2004-20221111-en
5 signatures
150 seconds
General
-
Target
ORDER-2030213F.vbs
-
Size
227KB
-
MD5
cfd1f9bddf2a1aac9386621f2df068d5
-
SHA1
abb692951d21f1820583716dd324de928dfd9b6b
-
SHA256
164d4f5ae08f512aa6341b37bf57d32bc471415185c63dd175e88a35626b20b6
-
SHA512
220b962cee21fcbc4049e2a98a2d5cd798820b6be0b5db678d041c7b3a35ce1f2ec0628d770ec812dbb98edccf138d8b3906cf6dd8fbdb4b217b372faf6e3e9f
-
SSDEEP
768:xMbGEQhUfQB8/UgFcxgfcdVH5xOnxWzi6R/6Y6oHDHrL1V0:WB
Score
10/10
Malware Config
Extracted
Family
wshrat
C2
http://chongmei33.publicvm.com:7045
Signatures
-
Blocklisted process makes network request 20 IoCs
flow  pid   Process
4     1200  WScript.exe
5     1200  WScript.exe
6     1200  WScript.exe
9     1200  WScript.exe
10    1200  WScript.exe
11    1200  WScript.exe
13    1200  WScript.exe
14    1200  WScript.exe
15    1200  WScript.exe
17    1200  WScript.exe
18    1200  WScript.exe
19    1200  WScript.exe
21    1200  WScript.exe
22    1200  WScript.exe
23    1200  WScript.exe
25    1200  WScript.exe
26    1200  WScript.exe
27    1200  WScript.exe
29    1200  WScript.exe
30    1200  WScript.exe
-
Drops startup file 2 IoCs
description                   ioc                                                                                              Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-2030213F.vbs  WScript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-2030213F.vbs  WScript.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                                    Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-2030213F = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER-2030213F.vbs\""  WScript.exe
Key created      \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run           WScript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ORDER-2030213F = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER-2030213F.vbs\""  WScript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                       WScript.exe
-
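The three behavioural signatures above (a script host making repeated requests to one host, a .vbs dropped into the Startup folder, and Run-key values launching wscript.exe //B on a script under %TEMP%) are exactly the pattern an analyst would turn into endpoint detection logic. The following is an added example, not output of the sandbox or code from the sample: it runs those checks over constructed telemetry that mirrors the IoCs listed here. The event dictionaries, field names, the beacon threshold of 10 and the benign "updater.exe" line are assumptions made for the example.

```python
"""Triage the persistence and beaconing behaviour recorded in the report.
Added example; the Sysmon-like event format and sample events are constructed."""
import re
from collections import Counter

# Indicators copied from the report's extracted config.
C2_HOST = "chongmei33.publicvm.com"
C2_PORT = 7045

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Locations an unprivileged user can write to; a Run entry pointing at a script
# here is the "copied itself somewhere and registered it" dropper pattern.
USER_WRITABLE = re.compile(r"\\(appdata\\(local\\temp|roaming)|users\\public|programdata)\\", re.I)


def parse_command(cmd):
    """Split a Windows command line into (executable basename, args),
    honouring double-quoted arguments such as the script path above."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]
    if not tokens:
        return "", []
    return tokens[0].rsplit("\\", 1)[-1].lower(), tokens[1:]


def check_run_value(key, value):
    """Flag a Run-key value that starts a script host on a script in a
    user-writable path. //B (batch mode) is recorded because it suppresses
    the error dialogs that would otherwise expose a failing script."""
    if not RUN_KEY.search(key):
        return None
    exe, args = parse_command(value)
    if exe not in SCRIPT_HOSTS:
        return None
    scripts = [a for a in args if SCRIPT_EXT.search(a)]
    if not scripts or not USER_WRITABLE.search(scripts[0]):
        return None
    silent = any(a.lower() in ("//b", "/b") for a in args)
    return {"kind": "run_key_script_host", "key": key, "script": scripts[0], "silent": silent}


def check_startup_drop(path):
    """Flag a script file written into a user's Startup folder."""
    if STARTUP_DIR.search(path) and SCRIPT_EXT.search(path):
        return {"kind": "startup_folder_script", "path": path}
    return None


def check_beacons(events, threshold=10):
    """Flag a script-host process that contacts one host:port at least
    `threshold` times, noting whether that endpoint is the extracted C2."""
    counts = Counter()
    for e in events:
        if e["type"] == "network" and e["image"].lower() in SCRIPT_HOSTS:
            counts[(e["pid"], e["dst_host"], e["dst_port"])] += 1
    return [{"kind": "script_host_beacon", "pid": pid, "host": host, "port": port,
             "count": n, "known_c2": host == C2_HOST and port == C2_PORT}
            for (pid, host, port), n in counts.items() if n >= threshold]


def triage(events):
    """Run every check over the event list and return the findings."""
    findings = []
    for e in events:
        if e["type"] == "registry_set":
            f = check_run_value(e["key"], e["value"])
        elif e["type"] == "file_create":
            f = check_startup_drop(e["path"])
        else:
            f = None
        if f:
            findings.append(f)
    findings.extend(check_beacons(events))
    return findings


# Constructed telemetry mirroring the report's IoCs, plus one benign Run entry.
RUN_VALUE = r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\ORDER-2030213F.vbs"'
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 1200, "image": "WScript.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-2030213F",
     "value": RUN_VALUE},
    {"type": "registry_set", "pid": 1200, "image": "WScript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ORDER-2030213F",
     "value": RUN_VALUE},
    {"type": "registry_set", "pid": 4321, "image": "explorer.exe",  # benign, constructed
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "value": r'"C:\Program Files\Example\updater.exe" /background'},
    {"type": "file_create", "pid": 1200, "image": "WScript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-2030213F.vbs"},
] + [{"type": "network", "pid": 1200, "image": "WScript.exe",
      "dst_host": C2_HOST, "dst_port": C2_PORT} for _ in range(20)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields two Run-key findings (HKLM and HKCU, both with //B), one Startup-folder finding and one beacon finding of 20 requests to the known C2; the constructed updater entry is not flagged because its executable is not a script host. The Run-key check keys on the combination of script host, silent flag and user-writable script path rather than on the file name, so it survives the per-campaign renaming that a hash or filename match would not.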
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; the extracted config identifies the sample as wshrat and nothing else in this report shows file encryption, so treat the drive enumeration as a finding in its own right rather than as evidence of ransomware.