Analysis Overview
SHA256
284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
Threat Level: Known bad
The file Request For Quotation(RFQ).js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Drops startup file
Looks up external IP address via web service
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-10 14:26
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-10 14:26
Reported
2023-08-10 14:28
Platform
win10v2004-20230703-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4132 wrote to memory of 4944 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4132 wrote to memory of 4944 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | harold.2waky.com | udp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.73.225.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| US | 8.8.8.8:53 | 126.152.241.8.in-addr.arpa | udp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js
| MD5 | 70ebc4c266527efd8a70e6ff259d0ce1 |
| SHA1 | 44209fe366081d1a1191f7b7dbfd27f34e23d755 |
| SHA256 | 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb |
| SHA512 | 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js
| MD5 | 7d0e70bd24c9431e9e90eb4a132eec82 |
| SHA1 | 228c57595183e96eb700aeca4e0f3487d9b42554 |
| SHA256 | 70edb99a3f1cae9e76d21ea3cb02131dddf69557258c652ff604ba934ba4a360 |
| SHA512 | a1b534599b5d92ee2102b0882ae7192c75aea67443d4cd0ef7e095533499d1cd4d84f34c33e7a383c2d55d7e79a2cb9317d5a2e1fc948cbc69b855e026e46f24 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js
| MD5 | 70ebc4c266527efd8a70e6ff259d0ce1 |
| SHA1 | 44209fe366081d1a1191f7b7dbfd27f34e23d755 |
| SHA256 | 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb |
| SHA512 | 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-10 14:26
Reported
2023-08-10 14:28
Platform
win7-20230712-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2080 wrote to memory of 2336 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2080 wrote to memory of 2336 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2080 wrote to memory of 2336 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | harold.2waky.com | udp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
| NL | 185.225.73.194:3609 | harold.2waky.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js
| MD5 | 70ebc4c266527efd8a70e6ff259d0ce1 |
| SHA1 | 44209fe366081d1a1191f7b7dbfd27f34e23d755 |
| SHA256 | 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb |
| SHA512 | 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js
| MD5 | 70ebc4c266527efd8a70e6ff259d0ce1 |
| SHA1 | 44209fe366081d1a1191f7b7dbfd27f34e23d755 |
| SHA256 | 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb |
| SHA512 | 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js
| MD5 | 70ebc4c266527efd8a70e6ff259d0ce1 |
| SHA1 | 44209fe366081d1a1191f7b7dbfd27f34e23d755 |
| SHA256 | 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb |
| SHA512 | 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d |