Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-05-2024 01:00
Static task: static1
Behavioral task: behavioral1
  Sample: 010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js
  Resource: win10v2004-20240419-en
General
Target: 010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js
Size: 2.1MB
MD5: a6397cdb9e01000e53c123893acad42c
SHA1: 6cd4fbdf9d806e21533c546e3aca996d20a611ba
SHA256: 010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b
SHA512: 3f2dd11560d819839697a3f256a9e4dae693f7401d4b870c93d40d1c9d35449de35e7366acf1ca66d537759ff62d6a1859c906d792847074f88740a3536510a5
SSDEEP: 49152:DScjW/OiHYKmqYRBWiV0j79VyNBrccl3dndiGrlvU2YpLharpFL5+gzzPsg0m2Qh:/
Malware Config
Extracted family: wshrat
C2 URL: http://masterokrwh.duckdns.org:8426
Signatures
Blocklisted process makes network request (30 IoCs)
Process: wscript.exe (pid 336)
flows: 34, 36, 37, 41, 46, 49, 50, 53, 65, 66, 67, 68, 69, 73, 82, 83, 84, 85, 86, 93, 98, 99, 100, 101, 102, 103, 104, 105, 106, 111
Drops startup file (2 IoCs)
description                   ioc                                                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js   wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js   wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by wscript.exe:
  \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js"
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js"
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
35    pastebin.com
37    pastebin.com
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
33    ip-api.com
Command and Scripting Interpreter: JavaScript (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Script User-Agent (28 IoCs)
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header
flows 36, 37: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
flows 41, 46, 49, 50, 53, 65, 66, 67, 68, 69, 73, 82, 83, 84, 85, 86, 93, 98, 99, 100, 101, 102, 103, 104, 105, 106 (26 flows): WSHRAT|20FDBEDC|EXNCLZLI|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/5/2024|JavaScript-v3.4|GB:United Kingdom
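The two strongest detection points in this report are the beacon User-Agent (a pipe-delimited string that carries the victim's host, user, OS and AV state) and the persistence pair (Run keys under HKU and HKLM plus a Startup-folder copy, all launching wscript.exe //B on a .js file in the user's Temp directory). The following script is an added example, not part of the sandbox report or of the RAT itself: it parses the WSHRAT beacon UA into fields, runs that check together with the weaker WinHttpRequest-default-UA check over a few constructed proxy log lines, and flags autorun command lines that match the Run-key pattern above. The proxy log layout, the timestamps and client IPs in the sample lines, and the field labels assigned to the beacon (bot_id, host, user, ...) are assumptions for the example; the hostnames and UA strings come from the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Beacon User-Agent layout seen in this sample's traffic: "WSHRAT" followed by
# nine pipe-delimited fields. The group names are labels assigned here from the
# observed values (assumption); the RAT does not name them.
WSHRAT_UA = re.compile(
    r"^WSHRAT\|(?P<bot_id>[^|]+)\|(?P<host>[^|]*)\|(?P<user>[^|]*)\|(?P<os>[^|]*)\|"
    r"(?P<edition>[^|]*)\|(?P<av>[^|]*)\|(?P<flag_date>[^|]*)\|(?P<agent_ver>[^|]*)\|"
    r"(?P<geo>[^|]*)$"
)

# User-Agent the report attributes to the script host: the default UA of the
# WinHttp.WinHttpRequest.5.1 COM object. Admin scripts send it too, so on its
# own it is only a weak indicator.
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Assumed proxy log layout (an assumption for this example, not a product format):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Constructed sample log lines: hostnames and UA strings are from the report,
# timestamps, client IPs, methods and paths are made up.
SAMPLE_LOG = [
    '2024-05-03T01:00:41Z 10.0.0.5 GET http://ip-api.com/ 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '2024-05-03T01:00:42Z 10.0.0.5 GET https://pastebin.com/ 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '2024-05-03T01:00:43Z 10.0.0.5 POST http://masterokrwh.duckdns.org:8426/ 200 "WSHRAT|20FDBEDC|EXNCLZLI|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/5/2024|JavaScript-v3.4|GB:United Kingdom"',
    '2024-05-03T01:00:50Z 10.0.0.7 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
]


@dataclass
class Finding:
    client: str
    url: str
    severity: str                 # "high" = RAT beacon, "low" = script-host UA only
    reason: str
    beacon: Optional[dict] = None  # parsed WSHRAT fields when severity is "high"


def parse_wshrat_ua(ua: str) -> Optional[dict]:
    """Return the beacon fields as a dict, or None if the UA is not a WSHRAT beacon."""
    m = WSHRAT_UA.match(ua)
    return m.groupdict() if m else None


def scan_proxy_log(lines: Iterable[str]) -> list:
    """Run both User-Agent checks over proxy log lines; findings are returned in log order."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        _ts, client, _method, url, _status, ua = m.groups()
        beacon = parse_wshrat_ua(ua)
        if beacon is not None:
            findings.append(Finding(client, url, "high", "WSHRAT beacon User-Agent", beacon))
        elif ua == WINHTTP_UA:
            findings.append(Finding(client, url, "low", "WinHttpRequest default User-Agent"))
    return findings


# Persistence check for the Run-key / Startup entries in the report: a Windows
# Script Host binary launching a script file that lives in a user-writable path.
SCRIPT_HOST = re.compile(r'(?i)(?:^|\\)[wc]script(?:\.exe)?"?\s')
SCRIPT_EXT = re.compile(r'(?i)\.(?:js|jse|vbs|vbe|wsf|wsh)"?\s*$')
USER_WRITABLE = re.compile(r'(?i)\\(?:AppData|Temp|ProgramData|Users\\Public)\\')


def is_suspicious_autorun(command: str) -> bool:
    """True when a Run-key value or Startup command matches the pattern seen in this report."""
    return bool(SCRIPT_HOST.search(command)
                and SCRIPT_EXT.search(command)
                and USER_WRITABLE.search(command))


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f.severity, f.client, f.url, f.reason, f.beacon or "")
    # The exact Run-key data from the report.
    run_value = (r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp'
                 r'\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js"')
    print("suspicious autorun:", is_suspicious_autorun(run_value))
```

The beacon parser is the high-confidence signal: the fields it extracts (bot id, hostname, user, OS edition, AV state) tell the responder which host is infected without touching the endpoint. The WinHttpRequest UA and the autorun pattern are broader and should be correlated, not alerted on alone; in this sample all three fire from the same wscript.exe process.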
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b.js
Filesize: 2.1MB
MD5: a6397cdb9e01000e53c123893acad42c
SHA1: 6cd4fbdf9d806e21533c546e3aca996d20a611ba
SHA256: 010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b
SHA512: 3f2dd11560d819839697a3f256a9e4dae693f7401d4b870c93d40d1c9d35449de35e7366acf1ca66d537759ff62d6a1859c906d792847074f88740a3536510a5