Overview

overview

10

Static

static

1

beca565451...be2.js

windows7-x64

10

beca565451...be2.js

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    beca565451640f739d3c8771861c838417837e7169d73af86cc3780dbd099be2.js

  • Size

    7KB

  • MD5

    54ea1f4f2737e111ffbcc03808dfec31

  • SHA1

    7027bd0207b975128d688916230ec4f8900b2bd6

  • SHA256

    beca565451640f739d3c8771861c838417837e7169d73af86cc3780dbd099be2

  • SHA512

    fb9cabdcd57e7f70aef201d29bd922c615714ee40c21bc4697691ac01e8ac4b4959719436199054068abe7ceccbd22adb1c2eb0cd86ce8f768dcf637a2607b3a

  • SSDEEP

    96:qdXsINLKzIXYD4uVaX3X8+eaePEQSX/4KGa:la

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 27 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\beca565451640f739d3c8771861c838417837e7169d73af86cc3780dbd099be2.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEGJFO.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TEGJFO.vbs
    Filesize

    240KB

    MD5

    723330a9cf1200400aa6a4dcbd27e061

    SHA1

    cb361b81da7fb0f6c18ed3a92a1d6422a3b5122f

    SHA256

    e30d57423de675d1fca733884e5763d8259ee8713d90826e69d5d2705a7cb9e6

    SHA512

    cacd2d78611981d3ed7909eeb2b0fb0d295da1e60ccf599a4fe4049417039b0acf64c4b7dee81b01877974091ae5b093d1234d1318704dc3a77294a51116f605

    Download Submit