Malware Analysis Report

2025-01-18 12:21

Sample ID 221031-jzeezaadc6
Target Invoice #487135.vbs
SHA256 ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
Tags wshrat persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5

Threat Level: Known bad

The file Invoice #487135.vbs was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 08:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 08:06

Reported

2022-10-31 08:08

Platform

win7-20220812-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"

Signatures

WSHRAT

trojan wshrat

Blocklisted process makes network request

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\WScript.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |

Enumerates physical storage devices

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |

Files

memory/1488-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

memory/984-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs

MD5 b980eced62f980d79060ee415e6ce652
SHA1 3f585f85195a841c0dfab80bf50469de54f913d6
SHA256 a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e
SHA512 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88

memory/1416-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs

MD5 de2cc767fcef3cd77ef0defdac9cba9a
SHA1 d2cb01e29f580276224d003157889fcd1c38a1cc
SHA256 ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
SHA512 a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538

memory/324-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs

MD5 de2cc767fcef3cd77ef0defdac9cba9a
SHA1 d2cb01e29f580276224d003157889fcd1c38a1cc
SHA256 ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
SHA512 a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 08:06

Reported

2022-10-31 08:08

Platform

win10v2004-20220812-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"

Signatures

WSHRAT

trojan wshrat

Blocklisted process makes network request

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs | C:\Windows\System32\wscript.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoice #487135 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoice #487135.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 764 wrote to memory of 1988 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 764 wrote to memory of 1988 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 764 wrote to memory of 5088 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 764 wrote to memory of 5088 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 5088 wrote to memory of 4300 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5088 wrote to memory of 4300 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice #487135.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| US | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| US | 20.42.72.131:443 | | tcp |
| US | 8.253.135.241:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.253.135.241:80 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| NL | 84.38.133.111:3369 | snkcyp.duckdns.org | tcp |

Files

memory/1988-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\kFRSBBXvyY.vbs

MD5 b980eced62f980d79060ee415e6ce652
SHA1 3f585f85195a841c0dfab80bf50469de54f913d6
SHA256 a6df4ba5f7612f89e91562bc7fa068e55c457318a04c7e1f02121769568daf2e
SHA512 86e6201394bead64a402a4d2346ddd1083aa84e88d76954d639849f90c8a06a120b7e52b96e4b16de9fa03d752e3eb7f1696ef1dd32cb12f4fc744635c3acd88

memory/5088-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Invoice #487135.vbs

MD5 de2cc767fcef3cd77ef0defdac9cba9a
SHA1 d2cb01e29f580276224d003157889fcd1c38a1cc
SHA256 ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
SHA512 a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538

memory/4300-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice #487135.vbs

MD5 de2cc767fcef3cd77ef0defdac9cba9a
SHA1 d2cb01e29f580276224d003157889fcd1c38a1cc
SHA256 ae0266271439504c17743067129b4d9a969cd643720bfe51ee1955b0c9f18cc5
SHA512 a840f3679644212b7f197081f36e800ffb9edabc654ab60e7f7646e3bbc496f7fb2a23dc05a89d664b2b0c77f47ecc8c1a55f1a9bb6167136f26f6c15df59538