Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
21-05-2024 14:06
General
-
Target
3d3b93e744a9fc154a70b6a6b709be2806598abb2b00db8e51faa55f961f3076.js
-
Size
262KB
-
MD5
61003ace63f39ed1cc39a22cb924e6b1
-
SHA1
914548e77023a990b0e79e1cea9ce25991e8116e
-
SHA256
3d3b93e744a9fc154a70b6a6b709be2806598abb2b00db8e51faa55f961f3076
-
SHA512
e9d25955a7a9700b996dc435e23505ddb772290bf6370a0ccd122a34fc6c21c935b6a4dfc60fd2d2d00e74e6edb0f6f49d9df960a2ac3b7155a98d908560ba53
-
SSDEEP
96:GM969Xx6VdE6ruU6S+4SWp9uS+V6fXuSEFYcnhVM3/DyBCODI99PRdN1QNLq9Iu/:gWGcucNHw1c5UEWzC423S68XC
Malware Config
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 24 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 24 IoCs
Uses user-agent string associated with script host/environment.
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\3d3b93e744a9fc154a70b6a6b709be2806598abb2b00db8e51faa55f961f3076.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD561003ace63f39ed1cc39a22cb924e6b1
SHA1914548e77023a990b0e79e1cea9ce25991e8116e
SHA2563d3b93e744a9fc154a70b6a6b709be2806598abb2b00db8e51faa55f961f3076
SHA512e9d25955a7a9700b996dc435e23505ddb772290bf6370a0ccd122a34fc6c21c935b6a4dfc60fd2d2d00e74e6edb0f6f49d9df960a2ac3b7155a98d908560ba53