Overview

overview

10

Static

static

1

ORDER-23118FC.pdf.js

windows7-x64

8

ORDER-23118FC.pdf.js

windows10-2004-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2023 08:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-23118FC.pdf.js

  • Size

    7KB

  • MD5

    cf34cf3dc725d0145cb4b3ecfba459e7

  • SHA1

    365a0053eed4c3b621521231c00cd88fef001328

  • SHA256

    6766c478915817f5a95bc278a0205a89d0fbc03432d544399b70ab3fdc137001

  • SHA512

    b5bf5cb90d6e1081cf78dbecf73236f8dc33b0a3c3f9e137c0707006fa6e330b727281be6f3bfbf45fb1db3bfd6249d50d6bc20782aaae79daf4451b0693a32a

  • SSDEEP

    48:hSJE7GJLO4JJoNK5JzOTwgNS2utIGndHsRbJJz0GhD7GJ5o4fuwufQAJ6Gmfo/iT:yO1wtOMgR1uMF5SNEiGF4sdc

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 23 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-23118FC.pdf.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VRVLMK.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\VRVLMK.vbs
    Filesize

    209KB

    MD5

    f98b2d9799e83e700d3be6e231c3e615

    SHA1

    2f015cd0918335e2847eef255b63d46b983cb653

    SHA256

    5f68fdf47b0e899369554258245c474772ba2dd1d10263200c93e988d41e22ff

    SHA512

    01ace290765ea93a2e481c2e7636c2ee5b60cad7932be3bd841c90abd51c3642accf8a40f9b8814650067a64773446980a959379ff5ef1460c7377264e3f85cc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VRVLMK.vbs
    Filesize

    209KB

    MD5

    f98b2d9799e83e700d3be6e231c3e615

    SHA1

    2f015cd0918335e2847eef255b63d46b983cb653

    SHA256

    5f68fdf47b0e899369554258245c474772ba2dd1d10263200c93e988d41e22ff

    SHA512

    01ace290765ea93a2e481c2e7636c2ee5b60cad7932be3bd841c90abd51c3642accf8a40f9b8814650067a64773446980a959379ff5ef1460c7377264e3f85cc

    Download Submit