wshrat | 46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG-9877-PO-PDF-LIST9576867.js
Size

2.1MB
MD5

66ce275ae44bfac23f7a71c0e3df1e76
SHA1

a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce
SHA256

46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633
SHA512

94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://concideritdone.duckdns.org:5001

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\EkoHX.vbs	family_wshrat
C:\Users\Admin\AppData\Roaming\OPAFu.vbs	family_wshrat

Blocklisted process makes network request 10 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
8	296	wscript.exe
7	1572	wscript.exe
12	1572	wscript.exe
13	296	wscript.exe
15	1572	wscript.exe
17	296	wscript.exe
19	1572	wscript.exe
21	296	wscript.exe
25	1572	wscript.exe
27	296	wscript.exe

Executes dropped EXE 3 IoCs

Processes:

IMG-9877-PO-PDF-LIST9576867.exeWHS2.0.exegmebm.pif

pid process

580 IMG-9877-PO-PDF-LIST9576867.exe
1644 WHS2.0.exe
436 gmebm.pif

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe

Loads dropped DLL 9 IoCs

Processes:

IMG-9877-PO-PDF-LIST9576867.exe

pid	process
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe
580	IMG-9877-PO-PDF-LIST9576867.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
6 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

gmebm.pif

description pid process target process

PID 436 set thread context of 1384 436 gmebm.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RegSvcs.exe

pid process

1384 RegSvcs.exe
1384 RegSvcs.exe
1384 RegSvcs.exe
1384 RegSvcs.exe

flow	ioc
5	ip-api.com
6	ip-api.com

description	pid	process	target process
PID 436 set thread context of 1384	436	gmebm.pif	RegSvcs.exe

pid	process
1384	RegSvcs.exe
1384	RegSvcs.exe
1384	RegSvcs.exe
1384	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

wscript.exeIMG-9877-PO-PDF-LIST9576867.exeWHS2.0.exegmebm.pifRegSvcs.exe

description	pid	process	target process
PID 1868 wrote to memory of 580	1868	wscript.exe	IMG-9877-PO-PDF-LIST9576867.exe
PID 1868 wrote to memory of 580	1868	wscript.exe	IMG-9877-PO-PDF-LIST9576867.exe
PID 1868 wrote to memory of 580	1868	wscript.exe	IMG-9877-PO-PDF-LIST9576867.exe
PID 1868 wrote to memory of 580	1868	wscript.exe	IMG-9877-PO-PDF-LIST9576867.exe
PID 580 wrote to memory of 1644	580	IMG-9877-PO-PDF-LIST9576867.exe	WHS2.0.exe
PID 580 wrote to memory of 1644	580	IMG-9877-PO-PDF-LIST9576867.exe	WHS2.0.exe
PID 580 wrote to memory of 1644	580	IMG-9877-PO-PDF-LIST9576867.exe	WHS2.0.exe
PID 580 wrote to memory of 1644	580	IMG-9877-PO-PDF-LIST9576867.exe	WHS2.0.exe
PID 580 wrote to memory of 436	580	IMG-9877-PO-PDF-LIST9576867.exe	gmebm.pif
PID 580 wrote to memory of 436	580	IMG-9877-PO-PDF-LIST9576867.exe	gmebm.pif
PID 580 wrote to memory of 436	580	IMG-9877-PO-PDF-LIST9576867.exe	gmebm.pif
PID 580 wrote to memory of 436	580	IMG-9877-PO-PDF-LIST9576867.exe	gmebm.pif
PID 1644 wrote to memory of 1572	1644	WHS2.0.exe	wscript.exe
PID 1644 wrote to memory of 1572	1644	WHS2.0.exe	wscript.exe
PID 1644 wrote to memory of 1572	1644	WHS2.0.exe	wscript.exe
PID 1644 wrote to memory of 1572	1644	WHS2.0.exe	wscript.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 436 wrote to memory of 1384	436	gmebm.pif	RegSvcs.exe
PID 1384 wrote to memory of 296	1384	RegSvcs.exe	wscript.exe
PID 1384 wrote to memory of 296	1384	RegSvcs.exe	wscript.exe
PID 1384 wrote to memory of 296	1384	RegSvcs.exe	wscript.exe
PID 1384 wrote to memory of 296	1384	RegSvcs.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-9877-PO-PDF-LIST9576867.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
"C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
"C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe" ... that Dmitri Smirnov (pictured) composed the Triple Concerto No.
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
4⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1572

C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
"C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
5⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RHI8KPQK\json[1].json
MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
C:\Users\Admin\AppData\Roaming\61849594\amihgkew.urb
MD5
393bff19f709832ddbd70230f2ccc714

SHA1
8f605c8557d61a1049f4bd0614165f713b6dcecd

SHA256
6e21b346428b764227858b3c69e6c96ce4bf275715cc3b129065dcc41eace024

SHA512
b00f498f8576e38edf094ca0337b406d8890f76829e0941fc6974ca4ca9fb20290c928990bcf37a748423a52ac509f8661cb0337df6b003322951acb71923130

Download Submit
C:\Users\Admin\AppData\Roaming\61849594\aolgrnrpt.log
MD5
a1e3f47b52737f7a0d5136b89369b2f2

SHA1
37cd3f1073d88e938023915a4196b3ffcbe0dad9

SHA256
6ca30a0b9918922c3c3408b48399736998d41b34c2345e9cec712ac132c95ae0

SHA512
22ad5473ecc6bb9046f93378a4810ea1966b68567e7875e59b23a62180c62b81a4ae52a4fdfbdeb0bcba524b40223b000158e77067ebf3c5242098a6bff3725e

Download Submit
C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\Users\Admin\AppData\Roaming\61849594\qardexmt.mdc
MD5
f27a77b9bfeae77c1615e60bcffd751d

SHA1
269b839f255d2ed838b6847d7eef644a9e0d83ff

SHA256
c9e9898d9a9f16a2eeb18911162d81d9c0d305f689d0f16a6da16aad04e06489

SHA512
da05da38700bb0cf4a9cb6b4b3f1306eef2fb7b81cedcf25fbf1dcda75d3c85d7eadc72c8efff73c556d36d310fc365194f34ab33c3828e4776f05c060f479ca

Download Submit
C:\Users\Admin\AppData\Roaming\EkoHX.vbs
MD5
952b1cbd78885f81760a77dc3b453fd3

SHA1
4af75b46620b063fc23652c3ecaa3b4081074572

SHA256
fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d

SHA512
1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

Download Submit
C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
MD5
4183142d3de98c340787c751ae2f8d03

SHA1
7b7161f73a3100eea2d67fbdf66488f322408c55

SHA256
c9589679c82039bc1fccaf2c300d564e969c651fc6fb440260e222690f3586bb

SHA512
8648129e13d7285b7d7d38c3627365f97a79e027173f794a82450bd56f1b0ef35f97a6ebf3c9b59bdf4b0991d95caf7ca3d93bd9c5afe29c03a0a42bdc557a88

Download Submit
C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
MD5
4183142d3de98c340787c751ae2f8d03

SHA1
7b7161f73a3100eea2d67fbdf66488f322408c55

SHA256
c9589679c82039bc1fccaf2c300d564e969c651fc6fb440260e222690f3586bb

SHA512
8648129e13d7285b7d7d38c3627365f97a79e027173f794a82450bd56f1b0ef35f97a6ebf3c9b59bdf4b0991d95caf7ca3d93bd9c5afe29c03a0a42bdc557a88

Download Submit
C:\Users\Admin\AppData\Roaming\OPAFu.vbs
MD5
952b1cbd78885f81760a77dc3b453fd3

SHA1
4af75b46620b063fc23652c3ecaa3b4081074572

SHA256
fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d

SHA512
1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

Download Submit
\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
\Users\Admin\AppData\Roaming\61849594\gmebm.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Roaming\61849594\gmebm.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Roaming\61849594\gmebm.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Roaming\61849594\gmebm.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
memory/296-87-0x0000000000000000-mapping.dmp

Download
memory/436-71-0x0000000000000000-mapping.dmp

Download
memory/580-57-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/580-55-0x0000000000000000-mapping.dmp

Download
memory/1384-85-0x0000000000270000-0x000000000089E000-memory.dmp

Filesize
6.2MB

Download
memory/1384-82-0x0000000000270000-0x000000000089E000-memory.dmp

Filesize
6.2MB

Download
memory/1384-83-0x00000000002F42AE-mapping.dmp

Download
memory/1384-81-0x0000000000270000-0x000000000089E000-memory.dmp

Filesize
6.2MB

Download
memory/1572-79-0x0000000000000000-mapping.dmp

Download
memory/1644-64-0x0000000000000000-mapping.dmp

Download
memory/1644-76-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download