Malware Analysis Report

2024-10-23 22:01

Sample ID 230714-mwjgasdc46
Target Request For Quotation.xz
SHA256 712b6c5a744401fc648b910cca5d3f4529722d8eb85cb9f16b19b0495ff058bc
Tags
wshrat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

712b6c5a744401fc648b910cca5d3f4529722d8eb85cb9f16b19b0495ff058bc

Threat Level: Known bad

The file Request For Quotation.xz was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 10:48

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-14 10:48

Reported

2023-07-14 10:51

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\system32\wscript.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: ip-api.com
Process: N/A
Target: N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header (15 identical requests observed)
Indicator: WSHRAT|22189A4B|HISXQJCD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/7/2023|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 4548 wrote to memory of 852 (reported twice)
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 90.39.81.45.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 126.132.241.8.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 8b3ad681d5649f4c1955096bc04bfe18
SHA1 09ef01f730ceef26760567522dfe3e87f59afc8a
SHA256 31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f
SHA512 20ec006e32344b25757c5e67ff5b0a2f6880cf4d991b9d9e32bf3c4a42e4f849ce7abc30a5e8b006e024861c4ee2628a5958ba9a82a7e057acbd6b9b5dced2ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 8b3ad681d5649f4c1955096bc04bfe18
SHA1 09ef01f730ceef26760567522dfe3e87f59afc8a
SHA256 31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f
SHA512 20ec006e32344b25757c5e67ff5b0a2f6880cf4d991b9d9e32bf3c4a42e4f849ce7abc30a5e8b006e024861c4ee2628a5958ba9a82a7e057acbd6b9b5dced2ab

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 10:48

Reported

2023-07-14 10:51

Platform

win7-20230712-en

Max time kernel

149s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: ip-api.com
Process: N/A
Target: N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header (15 identical requests observed)
Indicator: WSHRAT|701717DD|WGWIREOE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/7/2023|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A
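The beacon User-Agent is the most useful network indicator in both detonations: it is pipe-delimited and leaks the victim's hostname, user name, OS, a per-host identifier and the infection date, so a proxy or IDS that logs User-Agent headers can catch it without decrypting anything. The script below is an added detection example, not part of the sandbox report: it pulls such User-Agent strings out of constructed proxy log lines and splits them into fields. The field names are assumptions taken from the positions visible in the two observed strings, not documentation of the malware; the log line format, client IPs and URL paths are invented for the example.

```python
import re
from typing import Optional

# Constructed proxy log excerpt: client IP, method, URL, quoted User-Agent.
# The two WSHRAT User-Agent strings are the ones recorded in the detonations;
# the client IPs and URL paths are invented for this example.
SAMPLE_PROXY_LOG = """\
10.0.0.15 GET http://ip-api.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.15 POST http://harold.2waky.com:3609/ "WSHRAT|22189A4B|HISXQJCD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/7/2023|JavaScript-v3.4|NL:Netherlands"
10.0.0.22 POST http://harold.2waky.com:3609/ "WSHRAT|701717DD|WGWIREOE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/7/2023|JavaScript-v3.4|NL:Netherlands"
10.0.0.30 GET http://example.com/ "curl/8.4.0"
"""

LOG_LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"(.*)"$')

# Assumed field names: only the position of each value comes from the report.
UA_FIELD_NAMES = ("family", "victim_id", "hostname", "username", "os",
                  "edition_tag", "av", "flag_and_date", "version", "country")


def parse_wshrat_ua(ua: str) -> Optional[dict]:
    """Split a WSHRAT beacon User-Agent into its pipe-delimited fields.

    Returns None for any other User-Agent, and a dict with malformed=True
    when the prefix matches but the field count does not (still worth alerting).
    """
    if not ua.startswith("WSHRAT|"):
        return None
    fields = ua.split("|")
    if len(fields) != len(UA_FIELD_NAMES):
        return {"raw": ua, "malformed": True}
    rec = dict(zip(UA_FIELD_NAMES, (f.strip() for f in fields)))
    # The 8th field carries "<flag> - <d/m/yyyy>" in both detonations.
    flag, sep, date = rec.pop("flag_and_date").partition(" - ")
    rec["flag"] = flag
    rec["infection_date"] = date if sep else ""
    rec["malformed"] = False
    return rec


def find_wshrat_beacons(log_text: str) -> list:
    """Scan proxy log lines and return one record per WSHRAT beacon."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        client, method, url, ua = m.groups()
        beacon = parse_wshrat_ua(ua)
        if beacon is not None:
            hits.append({"client": client, "method": method, "url": url, "beacon": beacon})
    return hits


if __name__ == "__main__":
    for h in find_wshrat_beacons(SAMPLE_PROXY_LOG):
        b = h["beacon"]
        print(f'{h["client"]} -> {h["url"]}: host={b["hostname"]} '
              f'id={b["victim_id"]} os={b["os"]} ver={b["version"]}')
```

Matching on the literal `WSHRAT|` prefix is deliberately simple; the parsed fields are what make the alert actionable, since the hostname and user name identify the infected machine without a separate asset lookup, and the per-host identifier lets you count distinct victims behind one egress IP.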

Suspicious use of WriteProcessMemory

Description: PID 2896 wrote to memory of 2828 (reported three times)
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
NL 45.81.39.90:3609 harold.2waky.com tcp
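Read together, the Signatures, Processes, Network and Files sections of both detonations describe one chain: the script run from Temp copies itself into AppData\Roaming and the per-user Startup folder, relaunches the Roaming copy under wscript.exe in batch mode (//B), looks up its external IP via ip-api.com, and then beacons to harold.2waky.com on TCP 3609. The following is an added example, not part of the sandbox report, that turns that chain into host-side detection logic run over a constructed, Sysmon-style event list modelled on the Windows 10 detonation. The event schema, the parent PID of the first wscript.exe, and the attribution of the Roaming file write to PID 4548 are assumptions.

```python
import re

# Constructed Sysmon-style events modelled on the behavioral2 detonation.
# PIDs, image paths and command lines are taken from the report; the event
# schema, ppid of 4548 and file-write attribution are assumptions.
EVENTS = [
    {"type": "process", "pid": 4548, "ppid": 1234,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"'},
    {"type": "file_create", "pid": 4548,
     "path": r"C:\Users\Admin\AppData\Roaming\Request For Quotation.js"},
    {"type": "file_create", "pid": 4548,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js"},
    {"type": "process", "pid": 852, "ppid": 4548,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"'},
    {"type": "dns", "pid": 852, "query": "ip-api.com"},
    {"type": "network", "pid": 852, "dst": "208.95.112.1", "dport": 80},
    {"type": "dns", "pid": 852, "query": "harold.2waky.com"},
    {"type": "network", "pid": 852, "dst": "45.81.39.90", "dport": 3609},
    # Benign noise so the rules have something to ignore.
    {"type": "process", "pid": 900, "ppid": 1,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
IP_LOOKUP_SERVICES = {"ip-api.com"}   # the service this sample used; extend as needed
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def _is_script_host(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def startup_script_drops(events):
    """A script host writing a script file into the per-user Startup folder."""
    host_pids = {e["pid"] for e in events
                 if e["type"] == "process" and _is_script_host(e["image"])}
    hits = []
    for e in events:
        if e["type"] == "file_create" and e["pid"] in host_pids:
            p = e["path"].lower()
            if STARTUP_DIR in p and p.endswith(SCRIPT_EXTS):
                hits.append(e)
    return hits


def script_host_respawns(events):
    """wscript/cscript spawned by wscript/cscript in //B mode from a path under AppData."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None or not _is_script_host(e["image"]) \
                or not _is_script_host(parent["image"]):
            continue
        cmd = e["cmdline"].lower()
        if re.search(r"(^|\s)//b(\s|$)", cmd) and "\\appdata\\" in cmd:
            hits.append(e)
    return hits


def ip_lookup_then_odd_port(events):
    """Per PID: DNS for an external-IP service, then a TCP connect to a port other than 80/443."""
    looked_up = set()
    hits = []
    for e in events:
        if e["type"] == "dns" and e["query"].lower() in IP_LOOKUP_SERVICES:
            looked_up.add(e["pid"])
        elif e["type"] == "network" and e["pid"] in looked_up \
                and e["dport"] not in (80, 443):
            hits.append(e)
    return hits


def triage(events):
    """Run all three rules and summarise which fired and which PIDs they implicate."""
    findings = {
        "drops_startup_file": startup_script_drops(events),
        "script_host_respawn": script_host_respawns(events),
        "ip_lookup_then_c2": ip_lookup_then_odd_port(events),
    }
    pids = set()
    for hits in findings.values():
        pids.update(h["pid"] for h in hits)
    return {"indicators": sorted(k for k, v in findings.items() if v),
            "suspect_pids": sorted(pids), "details": findings}


if __name__ == "__main__":
    result = triage(EVENTS)
    print("fired:", result["indicators"])
    print("suspect PIDs:", result["suspect_pids"])
```

Each rule is weak on its own (a legitimate logon script can land in Startup, and plenty of software asks ip-api.com for its address), which is why the summary reports them together per PID: the Startup drop plus the //B relaunch from AppData plus the post-lookup connection to a high port is the combination the sandbox saw, and an alert on the combination is far less noisy than one on any single event.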

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 8b3ad681d5649f4c1955096bc04bfe18
SHA1 09ef01f730ceef26760567522dfe3e87f59afc8a
SHA256 31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f
SHA512 20ec006e32344b25757c5e67ff5b0a2f6880cf4d991b9d9e32bf3c4a42e4f849ce7abc30a5e8b006e024861c4ee2628a5958ba9a82a7e057acbd6b9b5dced2ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 8b3ad681d5649f4c1955096bc04bfe18
SHA1 09ef01f730ceef26760567522dfe3e87f59afc8a
SHA256 31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f
SHA512 20ec006e32344b25757c5e67ff5b0a2f6880cf4d991b9d9e32bf3c4a42e4f849ce7abc30a5e8b006e024861c4ee2628a5958ba9a82a7e057acbd6b9b5dced2ab
