Analysis

  • max time kernel
    297s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-10-2024 03:11

General

  • Target

    ORDER-241091799.PDF.js

  • Size

    7KB

  • MD5

    e1daa8253602476d0ddd51e91e406a1a

  • SHA1

    10b0e9306019e58356a38074e609da3040da6641

  • SHA256

    4126a6f8a65fdb58a76b7af70974711560c58943c16466666cd8099ba2d117ac

  • SHA512

    70687606118a4599da950600ef7529c9c941c1ce524104512c8e3c852d1f81ab40710c1f4df6f4e3f95da01e8da9c2f35d6658f706667b55c4d4a817d32e7c3c

  • SSDEEP

    96:BmbAkRJ1vz3bYLEGU37ybeCwLHtYFCbvA:BmbAkRJ1vTbYLEGo7ybeCwLHmFCbvA

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7044

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request (53 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTPs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-241091799.PDF.js
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SEWZOM.vbs"
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SEWZOM.vbs"
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:4380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SEWZOM.vbs

    Filesize

    238KB

    MD5

    210c243e3ae3e8cdcf28caad58547c96

    SHA1

    0a5811eb25bd8dbe548f7ff819e2e50e2f8c897a

    SHA256

    c80ad15e2f164e7eaeaacb50dbe50fd5176fa0068e669b225fdcdbcf35fc16ea

    SHA512

    ccdd3767e0f5ba936991a42706ccd7e5af808f4deebde75427634d2c847ce5f228da38bdc4a8b76ad1fc5498b5eedda393ce5fec92462ba74e62b6d30eaf1d99