Analysis
-
max time kernel
130s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
26/03/2025, 17:18
General
-
Target
7fbe90daab199a8095505ce3b7e9e13a23b638e84378bf5809e84fc91ee92a68.js
-
Size
180KB
-
MD5
8040208fce8d913e8bfd30d079ff289b
-
SHA1
ef7a86909f86a1256d4dca3ae06f025eede7af5d
-
SHA256
7fbe90daab199a8095505ce3b7e9e13a23b638e84378bf5809e84fc91ee92a68
-
SHA512
9009bac53eeb69271a232a2d5a7b8e941ac1baf3fd46f4aa186e674d0af471725c1ac9898def16e5caa3e37e8bcbe01369dd51e026d617c7f63b6243a7d96cc8
-
SSDEEP
3072:fp1gHeX3reXff6ZKOBRY+7Q0bamKZtvEzKbURCqeGK/6SbIpklgVDSxGfmuZyas:fp1gHeX3reXff6ZKwRY+cM24RCqeGKZR
Malware Config
Signatures
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
WSHRAT payload 1 IoCs
-
Wshrat family
-
Blocklisted process makes network request 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\7fbe90daab199a8095505ce3b7e9e13a23b638e84378bf5809e84fc91ee92a68.js1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Runs .reg file with regedit
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\7fbe90daab199a8095505ce3b7e9e13a23b638e84378bf5809e84fc91ee92a68.js" /elevated2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"3⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Runs .reg file with regedit
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143B
MD50e5411d7ecba9a435afda71c6c39d8fd
SHA12d6812052bf7be1b5e213e1d813ae39faa07284c
SHA256cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2
SHA512903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1
-
Filesize
180KB
MD58040208fce8d913e8bfd30d079ff289b
SHA1ef7a86909f86a1256d4dca3ae06f025eede7af5d
SHA2567fbe90daab199a8095505ce3b7e9e13a23b638e84378bf5809e84fc91ee92a68
SHA5129009bac53eeb69271a232a2d5a7b8e941ac1baf3fd46f4aa186e674d0af471725c1ac9898def16e5caa3e37e8bcbe01369dd51e026d617c7f63b6243a7d96cc8