Malware Analysis Report

2025-01-18 12:20

Sample ID 221031-vwzsaabef7
Target PAYMENT SETTLEMENT.vbs
SHA256 f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c

Threat Level: Known bad

The file PAYMENT SETTLEMENT.vbs was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 17:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 17:21

Reported

2022-10-31 17:23

Platform

win7-20220812-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PAYMENT SETTLEMENT.vbs"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PAYMENT SETTLEMENT.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 0b3c.duckdns.org udp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp

Files

memory/1048-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

memory/1512-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs

MD5 3df35da081f5c18c2e2c7491cf83dc5f
SHA1 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620
SHA256 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f
SHA512 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3

memory/1212-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs

MD5 c0526db1f0ccb70c709d23c044329e0b
SHA1 fe1672dc2aa4095d57ae670b9ba28804f7e4faaa
SHA256 f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
SHA512 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4

memory/1784-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs

MD5 c0526db1f0ccb70c709d23c044329e0b
SHA1 fe1672dc2aa4095d57ae670b9ba28804f7e4faaa
SHA256 f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
SHA512 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4

C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs

MD5 3df35da081f5c18c2e2c7491cf83dc5f
SHA1 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620
SHA256 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f
SHA512 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 17:21

Reported

2022-10-31 17:24

Platform

win10v2004-20220812-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PAYMENT SETTLEMENT.vbs"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SETTLEMENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SETTLEMENT.vbs\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 1052 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 1056 wrote to memory of 1052 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 1056 wrote to memory of 3788 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 1056 wrote to memory of 3788 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 3788 wrote to memory of 2052 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 3788 wrote to memory of 2052 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PAYMENT SETTLEMENT.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 0b3c.duckdns.org udp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
US 208.95.112.1:80 ip-api.com tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
NL 178.79.208.1:80 N/A tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp
LV 46.183.220.121:1988 0b3c.duckdns.org tcp

Files

memory/1052-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs

MD5 3df35da081f5c18c2e2c7491cf83dc5f
SHA1 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620
SHA256 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f
SHA512 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3

memory/3788-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PAYMENT SETTLEMENT.vbs

MD5 c0526db1f0ccb70c709d23c044329e0b
SHA1 fe1672dc2aa4095d57ae670b9ba28804f7e4faaa
SHA256 f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
SHA512 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4

memory/2052-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SETTLEMENT.vbs

MD5 c0526db1f0ccb70c709d23c044329e0b
SHA1 fe1672dc2aa4095d57ae670b9ba28804f7e4faaa
SHA256 f2fb70e9f299fc61f65c13c40c3094c4e9b58d4e1f8af7e75e2d030d586eee9c
SHA512 0d9ff14a9db9a8c61b1207deada2a93373866c45a9a80ee9287cb324524a6155ccafd85a62a80329a7feb415aa72b5f729804bd4ff841049b751c85813f26dc4

C:\Users\Admin\AppData\Roaming\BwQRZzEAzr.vbs

MD5 3df35da081f5c18c2e2c7491cf83dc5f
SHA1 78ad3a5f1c78798cee08c2cd9cb2b22621ef2620
SHA256 045369096a68226d83915b9e5cab0476f7d9b876647d2e423d31b83d64e9dd0f
SHA512 2181482aa98f7149939cb73e53756b700dca722d6c958c3d3f82e902f5b456b9a770d8f619f1cf43d74768746192e9ab40b92f449599364f47d88307c783b0a3