Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
30-05-2023 10:32
General
-
Target
Quotation_Request.js
-
Size
985KB
-
MD5
4aaba804e86dad56392b2a3dda056001
-
SHA1
d544b097a373d1357570a4385b7912457367da3c
-
SHA256
15e847369c9a89eadb626ec7b3f058b17fce169dad5d0ad44edab3d7ec04f745
-
SHA512
7423d168f25f948310295e27b9a950b8666c6cd44a6a7d0f5768cdf69aec53cb7d068aaf6c3caa0674aed94bbb66aeef8f53dc04107a601cfbabf76641ad412b
-
SSDEEP
6144:QQb9JgDg3ynDDKFCxCDwYjgegH0LGsJ2W1G32bi3/v0AbiBB8pt1vGWtkbIcJOyq:T7tm
Malware Config
Extracted
wshrat
http://harold.2waky.com:3609
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 17 IoCs
-
Drops startup file 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 16 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Quotation_Request.js1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quotation_Request.js"2⤵
- Blocklisted process makes network request
- Drops startup file
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
704KB
MD5546b6694622d75c06b6b0e42f4ee144d
SHA18adb6c3ac2d70fe0789b7f9ec2aafadf68198025
SHA256abf1544fb6c3978efc53bd10aaf363cc71f1ad1c621f67db7104376dea28bb1c
SHA5129a5348b0a1e775c9f72d5cf2a600806de69e9c97ba608d4add21c5358197a29fc85dca64acf0b758a2d44969e50f186ddcdc1bcd4f210f7e6c2d46016f7fcde2
-
Filesize
985KB
MD54aaba804e86dad56392b2a3dda056001
SHA1d544b097a373d1357570a4385b7912457367da3c
SHA25615e847369c9a89eadb626ec7b3f058b17fce169dad5d0ad44edab3d7ec04f745
SHA5127423d168f25f948310295e27b9a950b8666c6cd44a6a7d0f5768cdf69aec53cb7d068aaf6c3caa0674aed94bbb66aeef8f53dc04107a601cfbabf76641ad412b
-
Filesize
985KB
MD54aaba804e86dad56392b2a3dda056001
SHA1d544b097a373d1357570a4385b7912457367da3c
SHA25615e847369c9a89eadb626ec7b3f058b17fce169dad5d0ad44edab3d7ec04f745
SHA5127423d168f25f948310295e27b9a950b8666c6cd44a6a7d0f5768cdf69aec53cb7d068aaf6c3caa0674aed94bbb66aeef8f53dc04107a601cfbabf76641ad412b