wshrat | 39f7abd459bda03744d7d1dfb7dd15b2204014d75f20d86a13789648d6f44b1d

General

Target

Rechnung2498.js
Size

179KB
MD5

093aa4289d9d8d8315ab0ea9b306f0a0
SHA1

0316c6e558148a10d0acf63bc84f53ca315b1acf
SHA256

39f7abd459bda03744d7d1dfb7dd15b2204014d75f20d86a13789648d6f44b1d
SHA512

ddea7839a14759a27d17578850fb473f720bf911cb9d6e56c3e55a963eca51a85ae1706d2f8bca31b216fa7ef2457135dd1a198008203e6635cb73fd3df985f8

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Rechnung2498.js	family_wshrat

Blocklisted process makes network request 8 IoCs

Processes:

wscript.exe

flow pid process

5 1968 wscript.exe
6 1968 wscript.exe
9 1968 wscript.exe
10 1968 wscript.exe
11 1968 wscript.exe
12 1968 wscript.exe
13 1968 wscript.exe
15 1968 wscript.exe

flow	pid	process
5	1968	wscript.exe
6	1968	wscript.exe
9	1968	wscript.exe
10	1968	wscript.exe
11	1968	wscript.exe
12	1968	wscript.exe
13	1968	wscript.exe
15	1968	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rechnung2498.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rechnung2498.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rechnung2498 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rechnung2498.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung2498 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rechnung2498.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rechnung2498 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rechnung2498.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung2498 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rechnung2498.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	ip-api.com

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 776 wrote to memory of 1968	776	wscript.exe	wscript.exe
PID 776 wrote to memory of 1968	776	wscript.exe	wscript.exe
PID 776 wrote to memory of 1968	776	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Rechnung2498.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Rechnung2498.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rechnung2498.js

MD5
16762ff53a39a1e3bcf0d342cc626943

SHA1
c65fd5da7d7408c4569dbd443ed46f50b8b50456

SHA256
7b527b85a7177547c9ed361ce21e3312d3df09e4f0b1c36a89521c47ab2ebeda

SHA512
798fdfcbde7da6468e9fe0126fec9c8011caa0f1e09710d0015e97cbff9038dd62e9fca8de65a751539889b5786ff89627e7b8be3419ac24251f7658e1b55b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Rechnung2498.js

MD5
093aa4289d9d8d8315ab0ea9b306f0a0

SHA1
0316c6e558148a10d0acf63bc84f53ca315b1acf

SHA256
39f7abd459bda03744d7d1dfb7dd15b2204014d75f20d86a13789648d6f44b1d

SHA512
ddea7839a14759a27d17578850fb473f720bf911cb9d6e56c3e55a963eca51a85ae1706d2f8bca31b216fa7ef2457135dd1a198008203e6635cb73fd3df985f8

Download Submit
memory/632-6-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp

Filesize
2.5MB

Download
memory/776-3-0x00000000025D0000-0x00000000025D4000-memory.dmp

Filesize
16KB

Download
memory/1968-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads