Analysis
-
max time kernel
148s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-04-2023 18:39
General
-
Target
Quotation_230406A.vbs
-
Size
271KB
-
MD5
26dd4d56ebc911f4088bff1a4ba6d90d
-
SHA1
81be8f4ad3eb8061da6722a8e69c4ca67c0c1a66
-
SHA256
a3d0cbb2060021757f2514e9f190b1ac4d7d0ec79bc91351ed7a794ba05cab0a
-
SHA512
2cb54bd272b2238a2168828e69c39e0c9ed9017690f08130927a71aa89e638419cce3d63e8e582ec151414c8c6bc94a56b2d5e937a56df182914e8ac6e0b3f59
-
SSDEEP
768:DQsieR2wEfnsuuhjdVex8HWqHBACAaDHfj5BjW:wl
Malware Config
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 21 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Quotation_230406A.vbs"1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
271KB
MD526dd4d56ebc911f4088bff1a4ba6d90d
SHA181be8f4ad3eb8061da6722a8e69c4ca67c0c1a66
SHA256a3d0cbb2060021757f2514e9f190b1ac4d7d0ec79bc91351ed7a794ba05cab0a
SHA5122cb54bd272b2238a2168828e69c39e0c9ed9017690f08130927a71aa89e638419cce3d63e8e582ec151414c8c6bc94a56b2d5e937a56df182914e8ac6e0b3f59