Overview

overview

10

Static

static

1

Quote.js

windows7-x64

10

Quote.js

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2024 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote.js

  • Size

    1.5MB

  • MD5

    7d2d391002b97ff0652b9148902b6abd

  • SHA1

    142abb8196206209738c16b1da79e9773d349ba5

  • SHA256

    1605ba6b37eeca60319c2a18a2004856d01b7563aa660793d229a80acbfa669b

  • SHA512

    f6c1ecba496b65b8ff7f78b22e846db8dc1adceae21fd5f2ac8c0720a81cfee3c18b106d6b7cf844a47443bbf697b3c7966b795996bbc46c84ff1ad3a687ea1a

  • SSDEEP

    6144:KQiFy0BCvRBHByGr0cr4lUGZB4By1jnld66nsleTosWDRC/Gjt5PzoArRT9S5ZTI:Z6VR7loaaf

Score
10/10
wshratdiscoveryexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://37.48.102.22:2020

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 24 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Script User-Agent 18 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\regedit.exe
      "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
      2⤵
      • Runs .reg file with regedit
      PID:3244
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quote.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\regedit.exe
        "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
        3⤵
        • Runs .reg file with regedit
        PID:2252
      • C:\Users\Admin\AppData\Roaming\keylogger.exe
        "C:\Users\Admin\AppData\Roaming\keylogger.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2088
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ViottoKeylogger\vkl.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4688
            • C:\Users\Admin\AppData\Roaming\ViottoKeylogger\vkl.exe
              C:\Users\Admin\AppData\Roaming\ViottoKeylogger\vkl.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
    Filesize

    143B

    MD5

    0e5411d7ecba9a435afda71c6c39d8fd

    SHA1

    2d6812052bf7be1b5e213e1d813ae39faa07284c

    SHA256

    cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

    SHA512

    903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize

    430B

    MD5

    f4111f61c6d6f585ad20f674592ea89f

    SHA1

    35a84b1a1ab37853ce54560fcc71bca91b0e3ca7

    SHA256

    7b74cf34df17a030bc08fc12d519bda615d38bfe322865fad474a2c2266c171c

    SHA512

    15c2629ff9366277e1cfed9532e01c7c254b2dad0683ac3e19be9a448ad9fe8f2b5b5e1813da7f79fa930aaa10862da02f58077488ee92c91576e37c23fe66df

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Quote.js
    Filesize

    1.5MB

    MD5

    7d2d391002b97ff0652b9148902b6abd

    SHA1

    142abb8196206209738c16b1da79e9773d349ba5

    SHA256

    1605ba6b37eeca60319c2a18a2004856d01b7563aa660793d229a80acbfa669b

    SHA512

    f6c1ecba496b65b8ff7f78b22e846db8dc1adceae21fd5f2ac8c0720a81cfee3c18b106d6b7cf844a47443bbf697b3c7966b795996bbc46c84ff1ad3a687ea1a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\keylogger.exe
    Filesize

    82KB

    MD5

    7d1ec62e7af8e03924a871a1043febbe

    SHA1

    753b472506fafb875217090d518040bc66a330ab

    SHA256

    69b5981fbff2fbd191b8c786da080b3783252742fe47d00d6012ce572dc32d7d

    SHA512

    f4e5945183c4e150525e7b4a3bd1150efb311694e00a31bf2e15491138d27877b2cb0d2bbbe0c90abf2e88f4a4ec54da412794379c3aa130d10b4f71115b3c8f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\log.txt
    Filesize

    168B

    MD5

    e0b6eeb58fbd7d7428ab458c24865d37

    SHA1

    a2ae56fb6d1241072a204b8f6b0c3f5d306c240e

    SHA256

    a5089e715201ef2611994bab4f103bdf85eba71a5f4b0b87d6eab490859c53e8

    SHA512

    ceb03f9cb0bc2507efc1874283f6ca02a0fccb7371b54450adb1c3921f720bad1f4ba2ab6fe603179b094a693cd38915cac94d0bf5f7d8726aeed1611d5263c2

    Download Submit

  • memory/956-20-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/956-29-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4668-38-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4668-68-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download