Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    14-07-2023 08:14

General

  • Target

    Request For Quotation.js

  • Size

    1.1MB

  • MD5

    6802893839ecd1df26e60959bf4bfbd5

  • SHA1

    91102e6f69fc112599939bdb891f46617c893947

  • SHA256

    eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17

  • SHA512

    45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205

  • SSDEEP

    6144:QQ6n1AxEHOJVStgtYTg+fUqsVQ72Qx8awByRoTLlksKpFWX3Dw4r8l8IMjKrd7ra:TuTtG

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blocklisted process makes network request 17 IoCs
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 16 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1884

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

    Filesize

    256KB

    MD5

    635e34d5f446e5526cd4d7f25032a063

    SHA1

    e0e1ed53367e2192c92d4651f10669e491976e54

    SHA256

    9318bf0047b502a6f978c7093f236c75c45b6669c72a8be9f90dca0731578e1a

    SHA512

    8fbe11449f461ba1ac7985d3f89bedaf0ba50bc1fafed675a3ee1c3196d25726f45aff27354c34736ef3bf9a2fbf3e89678856a34ef2f5d0cb439ab2ea3b8558

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

    Filesize

    1.1MB

    MD5

    6802893839ecd1df26e60959bf4bfbd5

    SHA1

    91102e6f69fc112599939bdb891f46617c893947

    SHA256

    eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17

    SHA512

    45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205

  • C:\Users\Admin\AppData\Roaming\Request For Quotation.js

    Filesize

    1.1MB

    MD5

    6802893839ecd1df26e60959bf4bfbd5

    SHA1

    91102e6f69fc112599939bdb891f46617c893947

    SHA256

    eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17

    SHA512

    45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205