Overview

overview

10

Static

static

1

ORDER-023816.pdf.vbs

windows7-x64

1

ORDER-023816.pdf.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2023 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-023816.pdf.vbs

  • Size

    9KB

  • MD5

    50615b36f7a22881d8cc2938257d8064

  • SHA1

    836cb5b89aed1b189c2d4d3c33371c29c1a406b7

  • SHA256

    76ba79480eb105609ad6add997a2c26a1c27e7c0eb97760f49dc8545d8f1a7d0

  • SHA512

    a7eb15724e977cd4151e4dd74a9590009f655661028e93222b933b0d121e604c7cee82ba554b09d9276cc90e8d5abb6612a3deaf7a6e79b9b6c3a1897f4549bf

  • SSDEEP

    48:KDE9y43sbbf4KkgGewDE9y48bdZFy4KkgGewDE9y483sZzz4KkgGew8Zb43sbbfy:US1+uFR4e1e11qLPfo11qMMcOP7

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 28 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-023816.pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QWQJBP.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:3848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\QWQJBP.vbs
    Filesize

    257KB

    MD5

    d87d4c42c10f332a96aa10ffb455f49d

    SHA1

    c6167ce4e59f14ce826a50e8d32847101e5e9dc8

    SHA256

    5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a

    SHA512

    d01c7072b7f9e85dbc8f160f0afc17116a5ec5039a1f07a9201d517d8029acc8f31b446ccd66f832eb5ea58c3e88db88b2e442c7965e0318af32852512c3aa8a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QWQJBP.vbs
    Filesize

    257KB

    MD5

    d87d4c42c10f332a96aa10ffb455f49d

    SHA1

    c6167ce4e59f14ce826a50e8d32847101e5e9dc8

    SHA256

    5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a

    SHA512

    d01c7072b7f9e85dbc8f160f0afc17116a5ec5039a1f07a9201d517d8029acc8f31b446ccd66f832eb5ea58c3e88db88b2e442c7965e0318af32852512c3aa8a

    Download Submit