Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-10-2022 08:06

General

  • Target

    Invoice #487135.vbs

  • Size

    240KB

  • MD5

    de2cc767fcef3cd77ef0defdac9cba9a

  • SHA1

    d2cb01e29f580276224d003157889fcd1c38a1cc

  • SHA256

    ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5

  • SHA512

    a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538

  • SSDEEP

    6144:5OvNErKf2keySscTM4vr2sn513CrFKQ0k7:Uk+e3R2c3Vy

Malware Config

Extracted

Family

wshrat

C2

http://snkcyp.duckdns.org:3369

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request (4 IoCs)
  • Drops startup file (3 IoCs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
      2⤵
        PID:984
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"
        2⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"
          3⤵
            PID:324

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs

        Filesize

        240KB

        MD5

        de2cc767fcef3cd77ef0defdac9cba9a

        SHA1

        d2cb01e29f580276224d003157889fcd1c38a1cc

        SHA256

        ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5

        SHA512

        a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs

        Filesize

        240KB

        MD5

        de2cc767fcef3cd77ef0defdac9cba9a

        SHA1

        d2cb01e29f580276224d003157889fcd1c38a1cc

        SHA256

        ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5

        SHA512

        a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538

      • C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs

        Filesize

        1KB

        MD5

        b980eced62f980d79060ee415e6ce652

        SHA1

        3f585f85195a841c0dfab80bf50469de54f913d6

        SHA256

        a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e

        SHA512

        86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88

      • memory/1488-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

        Filesize

        8KB