Analysis
- Max time kernel: 142s
- Max time network: 148s
- Platform: windows7_x64
- Resource: win7-20230712-en
- Resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- Submitted: 14-07-2023 08:14

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Request For Quotation.js
  - Resource: win7-20230712-en
General
- Target: Request For Quotation.js
- Size: 1.1MB
- MD5: 6802893839ecd1df26e60959bf4bfbd5
- SHA1: 91102e6f69fc112599939bdb891f46617c893947
- SHA256: eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
- SHA512: 45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205
- SSDEEP: 6144:QQ6n1AxEHOJVStgtYTg+fUqsVQ72Qx8awByRoTLlksKpFWX3Dw4r8l8IMjKrd7ra:TuTtG
Malware Config
- Extracted: wshrat
  - http://harold.2waky.com:3609
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes (flow / PID / process):
    5   1884  wscript.exe
    7   1884  wscript.exe
    8   1884  wscript.exe
    9   1884  wscript.exe
    11  1884  wscript.exe
    12  1884  wscript.exe
    13  1884  wscript.exe
    15  1884  wscript.exe
    16  1884  wscript.exe
    17  1884  wscript.exe
    19  1884  wscript.exe
    20  1884  wscript.exe
    21  1884  wscript.exe
    23  1884  wscript.exe
    24  1884  wscript.exe
    25  1884  wscript.exe
    27  1884  wscript.exe
- Drops startup file (2 IoCs)
  Processes (description / IoC / process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js (wscript.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / IoC):
    4  ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Script User-Agent (16 IoCs)
  Uses a user-agent string associated with a script host/environment.
  Processes (description / flow / IoC):
    HTTP User-Agent header, flows 7, 8, 9, 11, 12, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25, 27 (same value in each):
    WSHRAT|241BFC28|NYBYVYTJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/7/2023|JavaScript-v3.4|NL:Netherlands
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / PID / process / target process):
    PID 1708 wrote to memory of 1884  wscript.exe -> wscript.exe
    PID 1708 wrote to memory of 1884  wscript.exe -> wscript.exe
    PID 1708 wrote to memory of 1884  wscript.exe -> wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
  PID: 1708
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
    PID: 1884
    - Blocklisted process makes network request
    - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
  - Filesize: 256KB
  - MD5: 635e34d5f446e5526cd4d7f25032a063
  - SHA1: e0e1ed53367e2192c92d4651f10669e491976e54
  - SHA256: 9318bf0047b502a6f978c7093f236c75c45b6669c72a8be9f90dca0731578e1a
  - SHA512: 8fbe11449f461ba1ac7985d3f89bedaf0ba50bc1fafed675a3ee1c3196d25726f45aff27354c34736ef3bf9a2fbf3e89678856a34ef2f5d0cb439ab2ea3b8558
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
  - Filesize: 1.1MB
  - MD5: 6802893839ecd1df26e60959bf4bfbd5
  - SHA1: 91102e6f69fc112599939bdb891f46617c893947
  - SHA256: eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
  - SHA512: 45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205
- (no path recorded)
  - Filesize: 1.1MB
  - MD5: 6802893839ecd1df26e60959bf4bfbd5
  - SHA1: 91102e6f69fc112599939bdb891f46617c893947
  - SHA256: eb129e3d51a6aad56cc4c97fc90edd5faac9f5381cc6406875babcb3c3d25e17
  - SHA512: 45f24d8c4b918c59cf169b66c9d22dfc9b9d2a711d611743e6d2cb64deed45dc3a07838100b7c59a604d268e30cb17936a88f6044a40c147350aa8c4c6f6b205