Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23-10-2024 14:46

General

  • Target

    PRODUCT_INQUIRY.js

  • Size

    7KB

  • MD5

    41b3e3fe16a95095c6027551de97fe56

  • SHA1

    4ab637d7586c39ebe0938cc01c1b78a4e74cf523

  • SHA256

    2371c47f96686c70eb365d46020b6a03e32f69d2f14e3b98b6de394d72e699bd

  • SHA512

    e9fb8db66b646aeef7c107730f91e037c67a5891fd4ff4db6cbfa39717f819d98dd7202286d1d1437982f14fb32fb56b3ff4de923fd32753c2d2ab7d725e6914

  • SSDEEP

    192:toauNMBVGFVsSvSLauwmS4aaSqOGwmC1CPqau0K+aq18aU4Vmnaujl5waJf4l:toauNMBVGFVsSvSLauwmS4aaSqOGwmCw

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • Blocklisted process makes network request (26 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PRODUCT_INQUIRY.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ROBLPT.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ROBLPT.vbs"
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM kl-plugin.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
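
The process tree above shows the chain a detection engineer would want to catch: wscript.exe running the dropped loader from Temp, the loader relaunching a copy of itself from AppData\Roaming with //B (suppresses script error dialogs), and cmd.exe /c taskkill /F /IM killing a competing process. The script below is an added example, not part of the Triage report or the malware: it encodes that chain, the Run-key persistence and the extracted C2 as checks, and runs them over process-creation events constructed from the tree above. The event layout, the PPID of the first wscript.exe, the benign cscript control event and the Run-key value data are assumptions made for the example; the paths, PIDs, command lines and C2 are taken from the report.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the report above.
C2_URL = "http://chongmei33.publicvm.com:7045"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, not a real EDR/Sysmon schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_host(image):
    return basename(image) in SCRIPT_HOSTS


# '//B "C:\Users\<user>\AppData\Roaming\<name>.vbs"' (case-insensitive, quotes optional).
VBS_FROM_APPDATA = re.compile(r'//b\s+"?[^"\s]*\\appdata\\(roaming|local)\\[^"\s]*\.vbs', re.I)
# 'taskkill /F /IM <image>' anywhere in a command line.
TASKKILL = re.compile(r'\btaskkill\s+/f\s+/im\s+\S+', re.I)


def find_wshrat_chain(events):
    """Return (pid, reason) for events matching the parent/child pattern in the report:
    a script host spawned by a script host that relaunches a .vbs from AppData with //B,
    and cmd.exe running taskkill /F /IM with a script host as its parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if is_script_host(e.image) and is_script_host(parent.image) and VBS_FROM_APPDATA.search(e.cmdline):
            findings.append((e.pid, "script host relaunches dropped .vbs from AppData with //B"))
        if basename(e.image) == "cmd.exe" and is_script_host(parent.image) and TASKKILL.search(e.cmdline):
            findings.append((e.pid, "cmd /c taskkill /F /IM spawned by script host"))
    return findings


def is_c2_connection(host, port):
    """True when a connection targets the host and port of the extracted C2 URL."""
    u = urlparse(C2_URL)
    return host.lower() == u.hostname and port == u.port


def is_script_run_key(key_path, value_data):
    """Run-key persistence whose value points at a .vbs/.js under a user's AppData."""
    return ("\\microsoft\\windows\\currentversion\\run" in key_path.lower()
            and re.search(r'\\appdata\\.*\.(vbs|js)\b', value_data, re.I) is not None)


# Constructed events modelled on the report's process tree (PPID 900 is an assumed parent).
SAMPLE_EVENTS = [
    ProcEvent(1556, 900, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\PRODUCT_INQUIRY.js"),
    ProcEvent(3436, 1556, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ROBLPT.vbs"'),
    ProcEvent(2424, 3436, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ROBLPT.vbs"'),
    ProcEvent(2736, 2424, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe'),
    ProcEvent(1580, 2736, r"C:\Windows\system32\taskkill.exe",
              r"taskkill /F /IM kl-plugin.exe"),
    # Benign control (constructed): an admin script run with //B from System32 must not fire.
    ProcEvent(4100, 900, r"C:\Windows\System32\cscript.exe",
              r'cscript.exe //B "C:\Windows\System32\slmgr.vbs" /dlv'),
]

if __name__ == "__main__":
    for pid, why in find_wshrat_chain(SAMPLE_EVENTS):
        print(f"PID {pid}: {why}")
    print("C2 hit:", is_c2_connection("chongmei33.publicvm.com", 7045))
```

Run stand-alone it reports PIDs 2424 and 2736 and a C2 hit. The parent-child condition is what keeps the //B check useful: a script host launched directly by explorer.exe or a scheduled task with //B is common, while a script host relaunching a .vbs from AppData from inside another script host is the self-copy step this family performs before adding its Run key.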

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ROBLPT.vbs

    Filesize

    194KB

    MD5

    c637f2b07dc8994b2b2cbef69f0138f0

    SHA1

    dd075b266a20b9e0b30ae54b32a9db8c597c87df

    SHA256

    9b2bcffb74eaa74e8e380656789d2afe9559db1b8e723f8a522f3871a1261167

    SHA512

    53a8e83fbff7c3c57ae6983129ece1dbf6420632d37174230f029ac13c6d24a541b8c4880045a137f5558b7877a1ae539282fb3bb1871833aee4e383a9a0f2aa