Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
03-07-2024 02:32
General
-
Target
beca565451640f739d3c8771861c838417837e7169d73af86cc3780dbd099be2.js
-
Size
7KB
-
MD5
54ea1f4f2737e111ffbcc03808dfec31
-
SHA1
7027bd0207b975128d688916230ec4f8900b2bd6
-
SHA256
beca565451640f739d3c8771861c838417837e7169d73af86cc3780dbd099be2
-
SHA512
fb9cabdcd57e7f70aef201d29bd922c615714ee40c21bc4697691ac01e8ac4b4959719436199054068abe7ceccbd22adb1c2eb0cd86ce8f768dcf637a2607b3a
-
SSDEEP
96:qdXsINLKzIXYD4uVaX3X8+eaePEQSX/4KGa:la
Malware Config
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request 27 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\beca565451640f739d3c8771861c838417837e7169d73af86cc3780dbd099be2.js1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEGJFO.vbs"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240KB
MD5723330a9cf1200400aa6a4dcbd27e061
SHA1cb361b81da7fb0f6c18ed3a92a1d6422a3b5122f
SHA256e30d57423de675d1fca733884e5763d8259ee8713d90826e69d5d2705a7cb9e6
SHA512cacd2d78611981d3ed7909eeb2b0fb0d295da1e60ccf599a4fe4049417039b0acf64c4b7dee81b01877974091ae5b093d1234d1318704dc3a77294a51116f605