Resubmissions
Submitted          Analysis ID          Score
21-06-2024 12:37   240621-ptjematemr    3
21-06-2024 12:08   240621-paxg5sygkd    1
21-06-2024 12:05   240621-n9n5dasgpn    1
21-06-2024 12:05   240621-n9fs1ayfpc    1
21-06-2024 12:05   240621-n87v4asgmq    3
21-06-2024 06:25   240621-g6p4yatfjl    1
13-06-2024 04:58   240613-flzbfaydrn    10
Analysis
max time kernel    34s
max time network   34s
platform           windows7_x64
resource           win7-20240419-en
resource tags      arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted          24-05-2024 12:49
Static task
static1
Behavioral task
behavioral1
Sample
Tax Returns of R48_765.js
Resource
win7-20240419-en
General
-
Target
Tax Returns of R48_765.js
-
Size
957KB
-
MD5
0f597e6821a29bc87b36222f08eff311
-
SHA1
e7f24cd04de9b92c013d71d3de526461cfb33c91
-
SHA256
df018cc7e708b47edfe4f39769058ce0ba10a65fe653d3a32412dd504d3f2028
-
SHA512
693ed1331f7f048789c11bc661949519149c43e3a76b3b600a1990f74763500a6b4a5efb532921bcdb58b27f3a136af9ba63e2e1dce4094fe078076d0073f1a7
-
SSDEEP
6144:QQ5C90ha3hcY0c5OyZD5i8frkU+uKCbbBGZs3xh527wIy+6Y16vLKdYoiAL1Xl4R:TKF
Malware Config
Extracted
Family   wshrat
C2       http://harold.2waky.com:3609
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes:
  flow  pid   process
  4     2612  wscript.exe
  6     2612  wscript.exe
  8     2612  wscript.exe
  9     2612  wscript.exe
  11    2612  wscript.exe
  12    2612  wscript.exe
  13    2612  wscript.exe
- Drops startup file (2 IoCs)
  Processes:
  description                   ioc                                                                                                    process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js   wscript.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  3     ip-api.com
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Script User-Agent (6 IoCs)
  Uses a user-agent string associated with a script host/environment.
  Processes:
  description             flow  ioc
  HTTP User-Agent header  6     WSHRAT|98A703FB|UIBNQNMA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom
  HTTP User-Agent header  8     WSHRAT|98A703FB|UIBNQNMA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom
  HTTP User-Agent header  9     WSHRAT|98A703FB|UIBNQNMA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom
  HTTP User-Agent header  11    WSHRAT|98A703FB|UIBNQNMA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom
  HTTP User-Agent header  12    WSHRAT|98A703FB|UIBNQNMA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom
  HTTP User-Agent header  13    WSHRAT|98A703FB|UIBNQNMA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process      target process
  PID 3028 wrote to memory of 2612  3028  wscript.exe  wscript.exe
  PID 3028 wrote to memory of 2612  3028  wscript.exe  wscript.exe
  PID 3028 wrote to memory of 2612  3028  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe (PID 3028)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tax Returns of R48_765.js"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 2612, child of 3028)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tax Returns of R48_765.js"
    - Blocklisted process makes network request
    - Drops startup file
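The following Python is an added example, not code from the sandbox, the report or the sample. It turns the indicators above into detection logic: it parses the pipe-delimited WSHRAT User-Agent from the "Script User-Agent" signature into fields (the field names are an assumption inferred from the string, not something the page documents), and applies two rules modelled on the process tree and the "Drops startup file" IoCs: a script host re-launching a script host with //B (batch mode, which suppresses script error dialogs) on a script under AppData\Roaming, and a script host writing a script file into the per-user Startup folder. The Sysmon-style event dictionaries, the benign rows and the User-Agent on the ip-api.com request are constructed for the demonstration.

```python
"""Detection logic for the WSHRAT indicators in this report. Added example:
the parser, rules and sample telemetry are constructed for illustration and
are not code from the sandbox or from the sample."""
import re

# Field layout of the WSHRAT beacon User-Agent: an ASSUMPTION inferred from the
# string in the report (ten pipe-separated fields, the eighth carrying
# "<usb-spread flag> - <install date>"), not documented by the page.
UA_FIELDS = ("family", "hwid", "hostname", "user", "os", "plus", "av",
             "usb_and_date", "version", "country")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")

def parse_wshrat_ua(ua):
    """Split a WSHRAT User-Agent into its fields; None if it is not one."""
    parts = [p.strip() for p in ua.split("|")]
    if len(parts) != len(UA_FIELDS) or parts[0] != "WSHRAT":
        return None
    rec = dict(zip(UA_FIELDS, parts))
    flag, _, date = rec.pop("usb_and_date").partition(" - ")
    rec["usb_spread"], rec["install_date"] = flag, date
    return rec

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def is_script_host_respawn(ev):
    """Process-creation rule: a script host starting another script host with
    //B (batch mode: no error dialogs) on a script under AppData\\Roaming,
    the shape of the second wscript.exe in the process tree above."""
    cmd = ev["command_line"].lower()
    return (_basename(ev["parent_image"]) in SCRIPT_HOSTS
            and _basename(ev["image"]) in SCRIPT_HOSTS
            and "//b" in cmd.split()
            and "\\appdata\\roaming\\" in cmd
            and re.search(r'\.(js|jse|vbs|vbe|wsf)"?\s*$', cmd) is not None)

def is_startup_script_drop(ev):
    """File-creation rule: a script host writing a script into the per-user
    Startup folder (the persistence in 'Drops startup file')."""
    target = ev["target_filename"].lower()
    return (_basename(ev["image"]) in SCRIPT_HOSTS
            and STARTUP_DIR in target
            and target.endswith(SCRIPT_EXT))

def triage(process_events, file_events, http_requests):
    """Run the rules over the telemetry; return (rule, detail) findings."""
    findings = []
    for ev in process_events:
        if is_script_host_respawn(ev):
            findings.append(("script_host_respawn",
                             f"pid {ev['pid']} <- parent {ev['parent_pid']}"))
    for ev in file_events:
        if is_startup_script_drop(ev):
            findings.append(("startup_script_drop", ev["target_filename"]))
    for req in http_requests:
        beacon = parse_wshrat_ua(req["user_agent"])
        if beacon:
            findings.append(("wshrat_beacon", f"{req['host']} hwid={beacon['hwid']}"
                                              f" host={beacon['hostname']}"))
    return findings

# Constructed sample telemetry (Sysmon-style field names) modelled on the
# report's process tree, file IoCs and HTTP flows; the benign rows and the
# User-Agent on the ip-api.com request are invented.
PROCESS_EVENTS = [
    {"pid": 2612, "parent_pid": 3028,
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B '
                     r'"C:\Users\Admin\AppData\Roaming\Tax Returns of R48_765.js"'},
    {"pid": 4100, "parent_pid": 900,  # benign: admin running a system script
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript //B //Nologo C:\Windows\System32\slmgr.vbs /dli"},
]
FILE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "target_filename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                        r"\Start Menu\Programs\Startup\Tax Returns of R48_765.js"},
    {"image": r"C:\Windows\explorer.exe",  # benign: user-created shortcut
     "target_filename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                        r"\Start Menu\Programs\Startup\Notes.lnk"},
]
HTTP_REQUESTS = [
    {"host": "harold.2waky.com:3609",
     "user_agent": "WSHRAT|98A703FB|UIBNQNMA|Admin|Microsoft Windows 7 Ultimate "
                   "|plus|nan-av|false - 24/5/2024|JavaScript-v3.4|GB:United Kingdom"},
    {"host": "ip-api.com",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"},
]

if __name__ == "__main__":
    for rule, detail in triage(PROCESS_EVENTS, FILE_EVENTS, HTTP_REQUESTS):
        print(f"{rule}: {detail}")
```

The process rule keys on the parent/child pair plus //B and the AppData\Roaming path rather than on wscript.exe alone, because script hosts run legitimately from logon scripts and admin tooling (the cscript/slmgr.vbs row is there to show that it does not fire); the beacon parser rejects anything that does not have exactly the ten fields seen in the report, so a proxy log line with an ordinary browser User-Agent yields no finding.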
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tax Returns of R48_765.js
  Filesize  896KB
  MD5       bc801f212554c9679e5610f790edbba1
  SHA1      c6578e9c9c3805196f9060393c3730de99d05940
  SHA256    23127bf2384c9eef48c568566fa78cd5da9482b2005e0e6cdd39a12f41e3c677
  SHA512    4be8c7898250b6fa04b8cad09a80073d414a324ac33fd8bea43e30ee2f4ff84ba839e694cbd424fa6ef5c7b7c00efed780f80bd120891b5121103e07196f9e27
- C:\Users\Admin\AppData\Roaming\Tax Returns of R48_765.js
  Filesize  957KB
  MD5       0f597e6821a29bc87b36222f08eff311
  SHA1      e7f24cd04de9b92c013d71d3de526461cfb33c91
  SHA256    df018cc7e708b47edfe4f39769058ce0ba10a65fe653d3a32412dd504d3f2028
  SHA512    693ed1331f7f048789c11bc661949519149c43e3a76b3b600a1990f74763500a6b4a5efb532921bcdb58b27f3a136af9ba63e2e1dce4094fe078076d0073f1a7