Analysis
max time kernel: 151s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 21:26
Static task: static1
Behavioral task: behavioral1
Sample: 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe
Resource: win10-en-20211014

General
Target: 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe
Size: 1.6MB
MD5: 4fb831a65cce2392df4c5f792dad31e2
SHA1: 887b24b866d5ad917273a3e8391ba785a5ba90a5
SHA256: 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6
SHA512: c2a2952741d4c045fe5a641bf7ff8ccfefa54608fa73a875eab00c74cc03464c2808c548df0a6abfeb52eeb2956fac0eecd67f2a4ab62a2f8d13613e670f20c5

Malware Config (extracted)
Family: wshrat
URL: http://concideritdone.duckdns.org:5001
Signatures

WSHRAT Payload (2 IoCs)
  resource                                   yara_rule
  C:\Users\Admin\AppData\Roaming\EkoHX.vbs   family_wshrat
  C:\Users\Admin\AppData\Roaming\OPAFu.vbs   family_wshrat

Blocklisted process makes network request (9 IoCs)
  flow  pid   process
  12    1500  wscript.exe
  13    876   wscript.exe
  16    876   wscript.exe
  15    1500  wscript.exe
  36    1500  wscript.exe
  37    876   wscript.exe
  45    1500  wscript.exe
  46    876   wscript.exe
  47    1500  wscript.exe

Executes dropped EXE (2 IoCs)
  pid   process
  4556  WHS2.0.exe
  4636  wcnaumia.pif

Drops startup file (4 IoCs)
  description                  ioc                                                                                   process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs  wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs  wscript.exe
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs  wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs  wscript.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | wscript.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  11    ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   process       target process
  PID 4636 set thread context of 4284    4636  wcnaumia.pif  RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  4284  RegSvcs.exe (4 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
  description                          pid   process                                                                process target            entries
  PID 712 wrote to memory of 4556      712   2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe  WHS2.0.exe                3
  PID 712 wrote to memory of 4636      712   2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe  wcnaumia.pif              3
  PID 4636 wrote to memory of 4284     4636  wcnaumia.pif                                                           RegSvcs.exe               5
  PID 4556 wrote to memory of 876      4556  WHS2.0.exe                                                             wscript.exe               3
  PID 4284 wrote to memory of 1500     4284  RegSvcs.exe                                                            wscript.exe               3
Processes
- C:\Users\Admin\AppData\Local\Temp\2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe"
  - Suspicious use of WriteProcessMemory
  - C:\74800197\WHS2.0.exe
    command line: "C:\74800197\WHS2.0.exe" Community portal – Bulletin board,
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
  - C:\74800197\wcnaumia.pif
    command line: "C:\74800197\wcnaumia.pif" fhmoqoe.prw
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wscript.exe
        command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
Downloads

- C:\74800197\WHS2.0.exe
  MD5: 40acb53d42e4b4d20a0111e6dd847606
  SHA1: d010be1ba9ceea60098bebbfee425c0cda66b9a2
  SHA256: 213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73
  SHA512: a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

- C:\74800197\envmhh.cos
  MD5: 80eee5b692798640be0b6d0ca2f8768c
  SHA1: c39d4b5b048194ef1acdecc8b7cab27e63bc0402
  SHA256: 9b6c1dad4b42a308e4fade72da97589161c7cc37c5d926353f216e1903ec9780
  SHA512: c587cc27b96fa66a1188947b85f9f27ea61e502e21456411536f48e533377e80301a4fe82eba451d82c1d12b9c5368336d166542d44f12b990a73d10382612d8

- C:\74800197\fhmoqoe.prw
  MD5: e75fbfd8862e84ee21bcb907cc2892b5
  SHA1: 4e9cfb118f78515f50f55f0db76d31cbeea2d5f7
  SHA256: 608eaa0d2ace789444e27bf7f5da436e6c9d5459fddcb9d7237d7c2cb93261b4
  SHA512: 310538d019cc1a363b97d4c2a14998aaa2984e5284aa046478bf19539bffb55e08e8c19272361f2146ada6195380741d874a20e11f729b54f956d87292d07b1b

- C:\74800197\vijppg.txt
  MD5: 808bdb5b8f93f34c6d64bb48283776ec
  SHA1: e3f096b0ea493885ba3e1058594c2d48d4ea89c9
  SHA256: 799a62dc96ba037ccec9ca7a417a4c5428454a3f52c7b4444f728d79b5f06fd7
  SHA512: 97582524e55fbb90185dd4e5c8eb6ea5e1a57aa5354278878786881593ef2bd85f3fba8ef6a94d89b8f9dc14c07ee85553e58fa00dd64adfe73d954f3a4af0ff

- C:\74800197\wcnaumia.pif
  MD5: 1d7071dd5cda216508b235c0e2318b05
  SHA1: 0b972fbc1ea8a47204b2a187e608744a4e947bc2
  SHA256: 788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996
  SHA512: 65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\json[1].json
  MD5: 0c17abb0ed055fecf0c48bb6e46eb4eb
  SHA1: a692730c8ec7353c31b94a888f359edb54aaa4c8
  SHA256: f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
  SHA512: 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

- C:\Users\Admin\AppData\Roaming\EkoHX.vbs
  MD5: 952b1cbd78885f81760a77dc3b453fd3
  SHA1: 4af75b46620b063fc23652c3ecaa3b4081074572
  SHA256: fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
  SHA512: 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

- C:\Users\Admin\AppData\Roaming\OPAFu.vbs
  MD5: 952b1cbd78885f81760a77dc3b453fd3
  SHA1: 4af75b46620b063fc23652c3ecaa3b4081074572
  SHA256: fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
  SHA512: 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837