Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2023 06:57
Static task: static1
Behavioral task: behavioral1 (Sample: 新指令.js, Resource: win7-20231025-en)
Behavioral task: behavioral2 (Sample: 新指令.js, Resource: win10v2004-20231127-en)
General
- Target: 新指令.js
- Size: 953KB
- MD5: 21c25960399a73a630e1a4b8300d811c
- SHA1: 86152daa4a7edfd28f8a3f3083c804204fce7033
- SHA256: f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0
- SHA512: 7f9bc1296091e91e1cea8fb5ed4ac3542edaf74b1a9854e0d546a69e92be3d31b578c58cb81c21828cd43d4e7b37936bf6cd98d5ff68ab13e5fe1740a57cabff
- SSDEEP: 6144:XQ7Ai2LEudj0YJ404Lb2Hqoivl0WX1u4O9uziIBEJtB8ezLcbtSBYu3FC+ammFVV:gag
Malware Config
Extracted
- wshrat: http://snk2333.duckdns.org:47471
Signatures
- Blocklisted process makes network request (32 IoCs)
  flow | pid | Process
  Flows 16, 21, 39, 40, 41, 43, 44, 46, 47, 53, 62, 63, 64, 65, 66, 69, 74, 76, 77, 78, 79, 82, 83, 84, 85, 86, 87, 91, 92, 93, 94, 95 | 3464 | wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\新指令.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\新指令.js | wscript.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\"" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\"" | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\"" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\??? = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\???.js\"" | wscript.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Script User-Agent (30 IoCs)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | flows 21, 39, 40, 41, 44, 46, 47, 53, 62, 63, 64, 65, 66, 69, 74, 76, 77, 78, 79, 82, 83, 84, 85, 86, 87, 91, 92, 93, 94, 95 | WSHRAT|025E3C46|DQPLFPWB|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 29/11/2023|JavaScript-v3.4|NL:The Netherlands
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 2728 wrote to memory of 3464 | 2728 | wscript.exe | 88
  PID 2728 wrote to memory of 3464 | 2728 | wscript.exe | 88
Processes
- C:\Windows\system32\wscript.exe (PID: 2728)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\新指令.js
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\wscript.exe (PID: 3464)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\新指令.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 953KB
  MD5: 21c25960399a73a630e1a4b8300d811c
  SHA1: 86152daa4a7edfd28f8a3f3083c804204fce7033
  SHA256: f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0
  SHA512: 7f9bc1296091e91e1cea8fb5ed4ac3542edaf74b1a9854e0d546a69e92be3d31b578c58cb81c21828cd43d4e7b37936bf6cd98d5ff68ab13e5fe1740a57cabff