Analysis
-
max time kernel
134s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07-05-2024 08:13
General
-
Target
Invoice Payment N8977823.js
-
Size
614KB
-
MD5
2299cd103202899b48a32a317f58192d
-
SHA1
f813552dffb221b7cfaf356d571bf6468b9e58aa
-
SHA256
2027db19e08f49cb365ca8523145ff5ce77bf4b4430075c3bf274f4a4f3f789b
-
SHA512
2385b8acefda53c6620bb220e7dc5a8fde64c7d6ccb110a6a0d32152d0d87444fcfbc88bb9dbef322f0ced7bc27b92d43fc1bc1bb5d409f289ae86b816123d14
-
SSDEEP
12288:kYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMU:kYeIrWr/qRigAyX/kngXFbjTLvaH28nJ
Malware Config
Extracted
wshrat
http://masterokrwh.duckdns.org:8426
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 13 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 9 IoCs
Uses user-agent string associated with script host/environment.
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice Payment N8977823.js"1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
614KB
MD52299cd103202899b48a32a317f58192d
SHA1f813552dffb221b7cfaf356d571bf6468b9e58aa
SHA2562027db19e08f49cb365ca8523145ff5ce77bf4b4430075c3bf274f4a4f3f789b
SHA5122385b8acefda53c6620bb220e7dc5a8fde64c7d6ccb110a6a0d32152d0d87444fcfbc88bb9dbef322f0ced7bc27b92d43fc1bc1bb5d409f289ae86b816123d14