Edit tour

Windows Analysis Report
http://Warehousingpro.com

Overview

General Information

Sample URL:	http://Warehousingpro.com
Analysis ID:	1524986
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Blob-based file download detected

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Detected non-DNS traffic on DNS port

Found WSH timer for Javascript or VBS script (likely evasive script)

Found iframes

HTML body with high number of embedded images detected

HTML page contains hidden javascript code

HTML page contains obfuscated script src

Queries the volume information (name, serial number etc) of a device

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 5232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1920,i,4567259569682355783,11763435268329821200,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6564 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://Warehousingpro.com" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 7856 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

notepad.exe (PID: 7048 cmdline: "C:\Windows\System32\Notepad.exe" C:\Users\user\Downloads\download.js MD5: 27F71B12CB585541885A31BE22F61C83)

wscript.exe (PID: 3184 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 2216 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 170.75.167.85, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3184, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 55877

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" , ProcessId: 3184, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 170.75.167.85, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3184, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 55877

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\download.js" , ProcessId: 3184, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE SocGholish CnC Domain in DNS (* .shades .whatisaweekend .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T14:58:48.601756+0200	2056321	1	Domain Observed Used for C2 Detected	192.168.2.16	59742	1.1.1.1	53	UDP

ET MALWARE SocGholish CnC Domain in TLS SNI (* .shades .whatisaweekend .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-03T14:58:49.323878+0200	2056322	1	Domain Observed Used for C2 Detected	192.168.2.16	55877	170.75.167.85	443	TCP
2024-10-03T14:59:07.721820+0200	2056322	1	Domain Observed Used for C2 Detected	192.168.2.16	55878	170.75.167.85	443	TCP