wshrat | 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe
Size

1.6MB
MD5

4fb831a65cce2392df4c5f792dad31e2
SHA1

887b24b866d5ad917273a3e8391ba785a5ba90a5
SHA256

2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6
SHA512

c2a2952741d4c045fe5a641bf7ff8ccfefa54608fa73a875eab00c74cc03464c2808c548df0a6abfeb52eeb2956fac0eecd67f2a4ab62a2f8d13613e670f20c5

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://concideritdone.duckdns.org:5001

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\EkoHX.vbs	family_wshrat
C:\Users\Admin\AppData\Roaming\OPAFu.vbs	family_wshrat

Blocklisted process makes network request 9 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
12	1500	wscript.exe
13	876	wscript.exe
16	876	wscript.exe
15	1500	wscript.exe
36	1500	wscript.exe
37	876	wscript.exe
45	1500	wscript.exe
46	876	wscript.exe
47	1500	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

WHS2.0.exewcnaumia.pif

pid process

4556 WHS2.0.exe
4636 wcnaumia.pif

pid	process
4556	WHS2.0.exe
4636	wcnaumia.pif

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

wcnaumia.pif

description pid process target process

PID 4636 set thread context of 4284 4636 wcnaumia.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RegSvcs.exe

pid process

4284 RegSvcs.exe
4284 RegSvcs.exe
4284 RegSvcs.exe
4284 RegSvcs.exe

flow	ioc
11	ip-api.com

description	pid	process	target process
PID 4636 set thread context of 4284	4636	wcnaumia.pif	RegSvcs.exe

pid	process
4284	RegSvcs.exe
4284	RegSvcs.exe
4284	RegSvcs.exe
4284	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exewcnaumia.pifWHS2.0.exeRegSvcs.exe

description	pid	process	target process
PID 712 wrote to memory of 4556	712	2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe	WHS2.0.exe
PID 712 wrote to memory of 4556	712	2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe	WHS2.0.exe
PID 712 wrote to memory of 4556	712	2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe	WHS2.0.exe
PID 712 wrote to memory of 4636	712	2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe	wcnaumia.pif
PID 712 wrote to memory of 4636	712	2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe	wcnaumia.pif
PID 712 wrote to memory of 4636	712	2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe	wcnaumia.pif
PID 4636 wrote to memory of 4284	4636	wcnaumia.pif	RegSvcs.exe
PID 4636 wrote to memory of 4284	4636	wcnaumia.pif	RegSvcs.exe
PID 4636 wrote to memory of 4284	4636	wcnaumia.pif	RegSvcs.exe
PID 4636 wrote to memory of 4284	4636	wcnaumia.pif	RegSvcs.exe
PID 4636 wrote to memory of 4284	4636	wcnaumia.pif	RegSvcs.exe
PID 4556 wrote to memory of 876	4556	WHS2.0.exe	wscript.exe
PID 4556 wrote to memory of 876	4556	WHS2.0.exe	wscript.exe
PID 4556 wrote to memory of 876	4556	WHS2.0.exe	wscript.exe
PID 4284 wrote to memory of 1500	4284	RegSvcs.exe	wscript.exe
PID 4284 wrote to memory of 1500	4284	RegSvcs.exe	wscript.exe
PID 4284 wrote to memory of 1500	4284	RegSvcs.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe
"C:\Users\Admin\AppData\Local\Temp\2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\74800197\WHS2.0.exe
"C:\74800197\WHS2.0.exe" Community portal â€“ Bulletin board,
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:876

C:\74800197\wcnaumia.pif
"C:\74800197\wcnaumia.pif" fhmoqoe.prw
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
4⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\74800197\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
C:\74800197\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
C:\74800197\envmhh.cos
MD5
80eee5b692798640be0b6d0ca2f8768c

SHA1
c39d4b5b048194ef1acdecc8b7cab27e63bc0402

SHA256
9b6c1dad4b42a308e4fade72da97589161c7cc37c5d926353f216e1903ec9780

SHA512
c587cc27b96fa66a1188947b85f9f27ea61e502e21456411536f48e533377e80301a4fe82eba451d82c1d12b9c5368336d166542d44f12b990a73d10382612d8

Download Submit
C:\74800197\fhmoqoe.prw
MD5
e75fbfd8862e84ee21bcb907cc2892b5

SHA1
4e9cfb118f78515f50f55f0db76d31cbeea2d5f7

SHA256
608eaa0d2ace789444e27bf7f5da436e6c9d5459fddcb9d7237d7c2cb93261b4

SHA512
310538d019cc1a363b97d4c2a14998aaa2984e5284aa046478bf19539bffb55e08e8c19272361f2146ada6195380741d874a20e11f729b54f956d87292d07b1b

Download Submit
C:\74800197\vijppg.txt
MD5
808bdb5b8f93f34c6d64bb48283776ec

SHA1
e3f096b0ea493885ba3e1058594c2d48d4ea89c9

SHA256
799a62dc96ba037ccec9ca7a417a4c5428454a3f52c7b4444f728d79b5f06fd7

SHA512
97582524e55fbb90185dd4e5c8eb6ea5e1a57aa5354278878786881593ef2bd85f3fba8ef6a94d89b8f9dc14c07ee85553e58fa00dd64adfe73d954f3a4af0ff

Download Submit
C:\74800197\wcnaumia.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\74800197\wcnaumia.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\json[1].json
MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Roaming\EkoHX.vbs
MD5
952b1cbd78885f81760a77dc3b453fd3

SHA1
4af75b46620b063fc23652c3ecaa3b4081074572

SHA256
fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d

SHA512
1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

Download Submit
C:\Users\Admin\AppData\Roaming\OPAFu.vbs
MD5
952b1cbd78885f81760a77dc3b453fd3

SHA1
4af75b46620b063fc23652c3ecaa3b4081074572

SHA256
fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d

SHA512
1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

Download Submit
memory/876-127-0x0000000000000000-mapping.dmp

Download
memory/1500-131-0x0000000000000000-mapping.dmp

Download
memory/4284-125-0x0000000001020000-0x00000000014CE000-memory.dmp

Filesize
4.7MB

Download
memory/4284-126-0x00000000010A42AE-mapping.dmp

Download
memory/4556-122-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4556-115-0x0000000000000000-mapping.dmp

Download
memory/4636-117-0x0000000000000000-mapping.dmp

Download