Analysis

  • max time kernel
    298s
  • max time network
    297s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-10-2024 03:11

General

  • Target: ORDER-241091799.PDF.js
  • Size: 7KB
  • MD5: e1daa8253602476d0ddd51e91e406a1a
  • SHA1: 10b0e9306019e58356a38074e609da3040da6641
  • SHA256: 4126a6f8a65fdb58a76b7af70974711560c58943c16466666cd8099ba2d117ac
  • SHA512: 70687606118a4599da950600ef7529c9c941c1ce524104512c8e3c852d1f81ab40710c1f4df6f4e3f95da01e8da9c2f35d6658f706667b55c4d4a817d32e7c3c
  • SSDEEP: 96:BmbAkRJ1vz3bYLEGU37ybeCwLHtYFCbvA:BmbAkRJ1vTbYLEGo7ybeCwLHmFCbvA

Malware Config

Extracted

  • Family: wshrat
  • C2: http://chongmei33.publicvm.com:7044

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request (54 IoCs)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTPs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (level 1)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-241091799.PDF.js
    PID: 1364
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WScript.exe (level 2)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SEWZOM.vbs"
      PID: 2972
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Windows\System32\wscript.exe (level 3)
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SEWZOM.vbs"
        PID: 1888
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SEWZOM.vbs
    Filesize: 238KB
    MD5: 210c243e3ae3e8cdcf28caad58547c96
    SHA1: 0a5811eb25bd8dbe548f7ff819e2e50e2f8c897a
    SHA256: c80ad15e2f164e7eaeaacb50dbe50fd5176fa0068e669b225fdcdbcf35fc16ea
    SHA512: ccdd3767e0f5ba936991a42706ccd7e5af808f4deebde75427634d2c847ce5f228da38bdc4a8b76ad1fc5498b5eedda393ce5fec92462ba74e62b6d30eaf1d99

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SEWZOM.vbs
    Filesize: 238KB
    MD5: 80bbae9a7841c94196fb63ab95e86791
    SHA1: f42ecf1db7b7f7d1ddfd0d751b638bb4ade946b1
    SHA256: ab4462c34ecbdfaa35db749fd8e19c6d50601df5b3937eb0da37667b4118218b
    SHA512: 0af0104d6fd927d1a3637a59a559394e891f463f7cf74aa302d8c4825449fb6384099f457fd44afa4a4ac6544c482ec7f61dfb33c21e91b2ce2feea77ae21513