Analysis
-
max time kernel
151s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
20-08-2023 11:30
General
-
Target
ORDER-230918PA.XLS.js
-
Size
7KB
-
MD5
88bf291984995a3806e28a362c5f5bf2
-
SHA1
5b1362033885067323c063748efdf193d8ee710d
-
SHA256
fba9f9a0ff16e84ba7fc7b57850f86a1865391ac840f340f6fab233339b20919
-
SHA512
8074ab938b1a7a4c4c778009e5cf1c7a773eaef97ebdf3503a3771aa98ef575a1010d7654a17a9b3727134e98eb0d13fbcd0405a39ce8dac199bd8b5132c9f09
-
SSDEEP
48:60ZwVq3vMB5tVk6VVUPN2MTwmyrV2QJ1qXwnqNAsVEWEF:i7
Malware Config
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 29 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-230918PA.XLS.js1⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WOAHUS.vbs"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
243KB
MD569ac7e038effb4a60a906bb43ccae6fb
SHA19bef6b5ff1bd0c6ec5e57efae80d4d303d5582a7
SHA25661b43d95f7c0e0cb258513ef2d81d3a482b7e39f31cd039252ca05f72997d93c
SHA5128f48438ec155af7bd6fe2213b8cd42b58407472f7988dc6ad3916c443d55fa240bbb9cf2e7e306bcaa872a51a73a6a8c5f0b36af9dd4ccbeecab81f32cd8929f