wshrat | 0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d

General

Target

CV Actualis_.bin.exe
Size

1.7MB
MD5

384b434bcfeec7287cf02b7aefa06c52
SHA1

8e2abd5f01f36b38d3674847dff518e7a4eef897
SHA256

0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d
SHA512

a33c8f4c6746d16cd39a19c4ba9fcc3ebabefdeb443c2e46585958bc1d10fca4ff44a6c2612acec5fb284935121ebbf1f4f6028df9060beb38f9e4d01da7d235

Score

10^/10

trojan wshrat discovery persistence

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blacklisted process makes network request 27 IoCs

flow	pid	Process
10	696	wscript.exe
12	696	wscript.exe
15	696	wscript.exe
18	696	wscript.exe
19	696	wscript.exe
20	696	wscript.exe
21	696	wscript.exe
22	696	wscript.exe
23	696	wscript.exe
24	696	wscript.exe
25	696	wscript.exe
26	696	wscript.exe
27	696	wscript.exe
28	696	wscript.exe
29	696	wscript.exe
30	696	wscript.exe
31	696	wscript.exe
32	696	wscript.exe
33	696	wscript.exe
34	696	wscript.exe
35	696	wscript.exe
36	696	wscript.exe
37	696	wscript.exe
38	696	wscript.exe
39	696	wscript.exe
40	696	wscript.exe
43	696	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
3028	InstallSlimPDFReader.exe
3724	InstallSlimPDFReader.tmp
1304	kl-plugin.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
3724	InstallSlimPDFReader.tmp

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	wscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe	CV Actualis_.bin.exe
File opened for modification	C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.js	CV Actualis_.bin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2868	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings	CV Actualis_.bin.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	25	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	29	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	31	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	34	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	15	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	19	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	26	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	30	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	12	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	20	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	22	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	23	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	32	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	35	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	36	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	37	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	38	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	24	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	27	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	28	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	33	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	39	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	40	WSHRAT\|E4B9A6CA\|LZUKLIOU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1304	kl-plugin.exe
1304	kl-plugin.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 3972	584	CV Actualis_.bin.exe	73
PID 584 wrote to memory of 3972	584	CV Actualis_.bin.exe	73
PID 584 wrote to memory of 3972	584	CV Actualis_.bin.exe	73
PID 3972 wrote to memory of 696	3972	WScript.exe	74
PID 3972 wrote to memory of 696	3972	WScript.exe	74
PID 3972 wrote to memory of 696	3972	WScript.exe	74
PID 584 wrote to memory of 3028	584	CV Actualis_.bin.exe	75
PID 584 wrote to memory of 3028	584	CV Actualis_.bin.exe	75
PID 584 wrote to memory of 3028	584	CV Actualis_.bin.exe	75
PID 3028 wrote to memory of 3724	3028	InstallSlimPDFReader.exe	76
PID 3028 wrote to memory of 3724	3028	InstallSlimPDFReader.exe	76
PID 3028 wrote to memory of 3724	3028	InstallSlimPDFReader.exe	76
PID 696 wrote to memory of 3688	696	wscript.exe	79
PID 696 wrote to memory of 3688	696	wscript.exe	79
PID 696 wrote to memory of 3688	696	wscript.exe	79
PID 3688 wrote to memory of 2868	3688	cmd.exe	81
PID 3688 wrote to memory of 2868	3688	cmd.exe	81
PID 3688 wrote to memory of 2868	3688	cmd.exe	81
PID 696 wrote to memory of 1304	696	wscript.exe	82
PID 696 wrote to memory of 1304	696	wscript.exe	82
PID 696 wrote to memory of 1304	696	wscript.exe	82

C:\Users\Admin\AppData\Local\Temp\CV Actualis_.bin.exe
"C:\Users\Admin\AppData\Local\Temp\CV Actualis_.bin.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\InstallSlimPDFReader.js"
    3⤵
    - Blacklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM kl-plugin.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
  - - C:\Users\Admin\AppData\Roaming\kl-plugin.exe
      "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" blackid-43205.portmap.io 1118 "WSHRAT|E4B9A6CA|LZUKLIOU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/10/2020|JavaScript-v2.0|NL:Netherlands" 1
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1304
- C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe
  "C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\is-R0JEC.tmp\InstallSlimPDFReader.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-R0JEC.tmp\InstallSlimPDFReader.tmp" /SL5="$50076,1106375,177152,C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads