Malware Analysis Report

2025-01-18 12:23

Sample ID 221115-pjy3bshf6v
Target cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03
SHA256 cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03

Threat Level: Known bad

The file cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03 was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT payload

WSHRAT

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-15 12:22

Signatures

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-15 12:22

Reported

2022-11-15 12:24

Platform

win10-20220812-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03.exe"

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wApVJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wApVJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\wApVJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wApVJ.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wApVJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wApVJ.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A
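
The two Run values and the Startup-folder drop above are one persistence pattern: wscript.exe started in batch mode (//B, which suppresses script errors and prompts) on a .vbs under the user's roaming profile, written by an already-running wscript.exe. The following Python is an added example, not code from this report or from the WSHRAT family, that hunts for that pattern in registry and file events. The malicious records are copied from this page; the Sysmon-like record shape (13 = registry value set, 11 = file created), the field names and the benign control record are the example's own assumptions.

```python
"""Hunt for Windows Script Host persistence of the kind recorded above.

Added example for this report, not sandbox or WSHRAT code. The records below
are constructed from the Run-key and Startup-folder indicators on this page
and put into a Sysmon-like shape (13 = registry value set, 11 = file created);
the field names and the benign control record are this example's assumptions.
"""
import re

SAMPLE_EVENTS = [
    # From the report: HKCU Run value, written by wscript.exe itself.
    {"event": 13, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "key": r"HKU\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\wApVJ",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\wApVJ.vbs"'},
    # From the report: the same value under the 32-bit (WOW6432Node) view of HKLM Run.
    {"event": 13, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wApVJ",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\wApVJ.vbs"'},
    # From the report: a copy of the script dropped into the Startup folder.
    {"event": 11, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wApVJ.vbs"},
    # Constructed benign control (hypothetical vendor updater) that must not fire.
    {"event": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "value": r'"C:\Program Files\Vendor\update.exe" /quiet'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)$", re.I)
# Directories an unprivileged user can write to; legitimate Run entries rarely point here.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)
# wscript/cscript given bare, with a path, or quoted; the rest of the line is captured.
WSH_HOST_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?([wc]script)(?:\.exe)?"?\s*(.*)$', re.I)


def parse_wsh_command(cmd):
    """Return (host, flags, script) if cmd runs wscript/cscript on a script file, else None."""
    m = WSH_HOST_RE.match(cmd)
    if not m:
        return None
    host, rest = m.group(1).lower(), m.group(2)
    flags = [f.lower() for f in re.findall(r"//\w+(?::\S+)?", rest)]   # //B, //E:vbscript, ...
    rest = re.sub(r"//\w+(?::\S+)?", "", rest).strip()
    pm = re.match(r'"([^"]+)"|(\S+)', rest)
    if not pm:
        return None
    script = pm.group(1) or pm.group(2)
    if not SCRIPT_EXT_RE.search(script):
        return None   # script host without a script file: not the pattern we hunt
    return host, flags, script


def hunt(events):
    """Return one finding per event matching the WSH persistence pattern, with reasons."""
    findings = []
    for ev in events:
        reasons = []
        if ev["event"] == 13 and RUN_KEY_RE.search(ev["key"]):
            parsed = parse_wsh_command(ev["value"])
            if parsed:
                host, flags, script = parsed
                reasons.append(f"Run key starts {host} on {script}")
                if "//b" in flags:
                    reasons.append("//B batch mode: script errors and prompts are suppressed")
                if USER_WRITABLE_RE.search(script):
                    reasons.append("script lives in a user-writable directory")
        elif ev["event"] == 11 and STARTUP_RE.search(ev["path"]) and SCRIPT_EXT_RE.search(ev["path"]):
            reasons.append("script file written to the Startup folder")
        # On this page the writer is wscript.exe: a running script re-persisting itself.
        if reasons and re.search(r"\\[wc]script\.exe$", ev["image"], re.I):
            reasons.append("persistence written by the script host itself")
        if reasons:
            findings.append({"where": ev.get("key") or ev.get("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["where"])
        for r in f["reasons"]:
            print("  -", r)
```

The process column above records C:\Windows\SysWOW64\wscript.exe while the command line in the Processes section reads C:\Windows\System32\wscript.exe: the script host here is the 32-bit build, reached through file-system redirection because its parent is a 32-bit process, and the HKLM value lands under WOW6432Node for the same reason. A hunt that keys on the image path has to accept both spellings, which is why the example matches only the file name.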

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1476 set thread context of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | C:\Users\Admin\AppData\Local\Temp\ocymim.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ocymim.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | N/A
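
Read together, the SetThreadContext, Program crash and MapViewOfSection rows above (with the WriteProcessMemory signature from the summary) describe one sequence: ocymim.exe (PID 1476) starts a second copy of itself (PID 3264) with the same .au3 argument (.au3 is the AutoIt script extension; the report does not identify ocymim.exe further), sets the context of a thread in that copy, and the copy later crashes, which is what WerFault.exe -u -p 3264 in the Processes section records. The correlation below is an added example, not sandbox code: it scores every cross-process SetThreadContext by the corroborating signals around it. The report gives PIDs only for SetThreadContext and for WerFault's -p argument; that 1476 performed the WriteProcessMemory and MapViewOfSection calls, that 3468 is the dropper and 4224 is WerFault, and that WerFault's parent is the crashing process are this example's assumptions.

```python
"""Correlate the SetThreadContext, Program crash and MapViewOfSection rows above
(plus the WriteProcessMemory signature from the summary) into one
process-hollowing finding.

Added example, not part of the report. The events are constructed from the PIDs
and command lines on this page; the PIDs marked 'assumed' are not stated there.
"""
import re

OCYMIM = r"C:\Users\Admin\AppData\Local\Temp\ocymim.exe"
AU3 = r"C:\Users\Admin\AppData\Local\Temp\bhxbv.au3"   # .au3 is the AutoIt script extension

SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1476, "parent_pid": 3468, "image": OCYMIM,   # parent assumed
     "cmdline": f'"{OCYMIM}" "{AU3}"'},
    {"type": "ProcessCreate", "pid": 3264, "parent_pid": 1476, "image": OCYMIM,
     "cmdline": f'"{OCYMIM}" "{AU3}"'},
    {"type": "WriteProcessMemory", "src_pid": 1476, "target_pid": 3264},   # PIDs assumed
    {"type": "MapViewOfSection", "src_pid": 1476, "target_pid": 3264},     # PIDs assumed
    {"type": "SetThreadContext", "src_pid": 1476, "target_pid": 3264},     # as reported
    {"type": "ProcessCreate", "pid": 4224, "parent_pid": 3264,             # PIDs assumed
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1260"},
    # Constructed control: a process setting the context of its own thread is not injection.
    {"type": "SetThreadContext", "src_pid": 3468, "target_pid": 3468},
]

WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def crashed_pids(events):
    """PIDs that Windows Error Reporting was started for (WerFault.exe ... -p <pid>)."""
    pids = set()
    for e in events:
        if e["type"] == "ProcessCreate" and e["image"].lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(e["cmdline"])
            if m:
                pids.add(int(m.group(1)))
    return pids


def detect_hollowing(events):
    """Score each cross-process SetThreadContext by the corroborating events around it.

    Returns findings sorted by score; the evidence strings say which signals fired.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    writes = {(e["src_pid"], e["target_pid"]) for e in events
              if e["type"] in ("WriteProcessMemory", "MapViewOfSection")}
    crashes = crashed_pids(events)
    findings = []
    for e in events:
        if e["type"] != "SetThreadContext" or e["src_pid"] == e["target_pid"]:
            continue
        src, tgt = e["src_pid"], e["target_pid"]
        evidence = ["SetThreadContext on a thread of another process"]
        s, t = procs.get(src), procs.get(tgt)
        if t and t["parent_pid"] == src:
            evidence.append("target is a child the source created")
        if s and t and s["image"].lower() == t["image"].lower():
            evidence.append("child runs the same image as the source (a copy of itself)")
        if (src, tgt) in writes:
            evidence.append("source wrote memory / mapped a section into the target")
        if tgt in crashes:
            evidence.append(f"target later crashed (WerFault -p {tgt})")
        findings.append({"source": src, "target": tgt,
                         "image": t["image"] if t else None,
                         "score": len(evidence), "evidence": evidence})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS):
        print(f"{f['source']} -> {f['target']} score={f['score']} image={f['image']}")
        for ev in f["evidence"]:
            print("  -", ev)
```

The self-to-self control is there because SetThreadContext on a thread of the caller's own process is routine and would otherwise swamp the finding; the cross-process case combined with a same-image child and a prior write into it is the shape to escalate.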

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocymim.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03.exe

"C:\Users\Admin\AppData\Local\Temp\cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03.exe"

C:\Users\Admin\AppData\Local\Temp\ocymim.exe

"C:\Users\Admin\AppData\Local\Temp\ocymim.exe" "C:\Users\Admin\AppData\Local\Temp\bhxbv.au3"

C:\Users\Admin\AppData\Local\Temp\ocymim.exe

"C:\Users\Admin\AppData\Local\Temp\ocymim.exe" "C:\Users\Admin\AppData\Local\Temp\bhxbv.au3"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\wApVJ.vbs"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1260

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 8.8.8.8:53 | snkcyp.duckdns.org | udp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 20.42.65.84:443 | N/A | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp
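
The table above is flat and repetitive: one DNS lookup each for ip-api.com and snkcyp.duckdns.org, a single HTTP request to the IP-lookup service, twelve TCP connections to the same DuckDNS-backed host on port 44147, and two connections with no domain recorded. The script below is an added example, not part of the report, that parses the table into deduplicated, tagged indicators and a blocklist. The table text embedded in it is copied from this page (it accepts the rows space-separated as printed or with | separators); treating 8.8.8.8:53/udp as the sandbox's resolver rather than an indicator, and the partial lists of dynamic-DNS and IP-lookup services, are the example's own assumptions.

```python
"""Turn the flattened Network table above into deduplicated, labelled IOCs.

Added example, not part of the report. NETWORK_TABLE is the table as printed on
this page. Treating 8.8.8.8:53/udp as the sandbox's resolver rather than an
indicator, and the (partial) lists of dynamic-DNS and IP-lookup services, are
this example's assumptions.
"""
from collections import Counter

NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 snkcyp.duckdns.org udp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 20.42.65.84:443 tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 209.197.3.8:80 tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
N/A 194.180.48.65:44147 snkcyp.duckdns.org tcp
"""

SANDBOX_RESOLVERS = {("8.8.8.8", 53)}                              # assumption
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net")    # assumption, partial list
IP_LOOKUP_DOMAINS = {"ip-api.com", "ipify.org", "icanhazip.com"}   # assumption, partial list


def parse_rows(text):
    """Parse the table; rows may be space-separated (as printed) or '|'-separated."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")] if "|" in line else line.split()
        if len(fields) < 3 or fields[0] == "Country":
            continue
        dest, proto = fields[1], fields[-1].lower()
        domain = fields[2] if len(fields) == 4 and fields[2] != "N/A" else None
        ip, port = dest.rsplit(":", 1)
        rows.append({"ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_dynamic_dns(domain):
    return any(domain == s or domain.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def classify(rows):
    """Split resolver traffic from real connections and tag each unique destination."""
    dns_queries, conns = set(), Counter()
    for r in rows:
        if r["proto"] == "udp" and (r["ip"], r["port"]) in SANDBOX_RESOLVERS:
            if r["domain"]:
                dns_queries.add(r["domain"])     # the name the sample asked the resolver for
            continue
        conns[(r["ip"], r["port"], r["domain"], r["proto"])] += 1
    iocs = []
    for (ip, port, domain, proto), n in conns.most_common():
        tags = []
        if domain and is_dynamic_dns(domain):
            tags.append("dynamic-dns")
        if domain in IP_LOOKUP_DOMAINS:
            tags.append("ip-lookup-service")     # victim geolocation, as the signature above says
        if port not in (80, 443):
            tags.append("non-standard-port")
        if n >= 3:
            tags.append("repeated-connections")  # same endpoint over and over: beaconing shape
        if not domain:
            tags.append("no-domain-recorded")    # attribute before blocking; could be OS traffic
        if "dynamic-dns" in tags and "repeated-connections" in tags:
            tags.append("c2-candidate")
        iocs.append({"ip": ip, "port": port, "domain": domain, "proto": proto,
                     "connections": n, "tags": tags})
    return {"dns_queries": sorted(dns_queries), "iocs": iocs}


def blocklist(result):
    """Network indicators worth blocking outright, as 'kind value' strings."""
    out = []
    for i in result["iocs"]:
        if "c2-candidate" in i["tags"]:
            out.append(f"domain {i['domain']}")
            out.append(f"ip {i['ip']}:{i['port']}/{i['proto']}")
    return out


if __name__ == "__main__":
    res = classify(parse_rows(NETWORK_TABLE))
    for i in res["iocs"]:
        print(i["connections"], i["ip"], i["port"], i["domain"], i["tags"])
    print(blocklist(res))
```

Block the domain as well as the IP: a DuckDNS name can be repointed at a new address at any time, so the domain is the more durable indicator, while the two destinations with no recorded domain are left for attribution rather than blocked on the strength of this report alone.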

Files

memory/3468-119-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-120-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-121-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-122-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-123-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-125-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-124-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-126-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-127-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-128-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-129-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-130-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-131-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-132-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-133-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-134-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-135-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-136-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-137-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-138-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-139-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-140-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-141-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-143-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-144-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-145-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-146-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-147-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-148-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-149-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-150-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-151-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-142-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-152-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-153-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-155-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-156-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-154-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-157-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-158-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/3468-159-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ocymim.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1476-162-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-165-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-164-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-163-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-166-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-167-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-168-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-169-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-170-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-171-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-172-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-173-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-174-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-175-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-176-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-177-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-178-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-180-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-181-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-179-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-182-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-183-0x0000000077740000-0x00000000778CE000-memory.dmp

memory/1476-184-0x0000000077740000-0x00000000778CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bhxbv.au3

MD5 15c76149d977e7b58cd8ec39e9fc0ffc
SHA1 df15820647280ed3570411bd6d4b7f53de120a58
SHA256 07f89ca81aaa00e7bbba649b436badd01c3890f5d3c4ec982c91908aea6c1dca
SHA512 1935a375d29e645335ddd870bfe767a1a2be9af7b18138ff0490d3aa815f09ce37719424c816c8139ffdc56dc1f3d2c261f1925b3bbadc2caeb4594be7a995d6

C:\Users\Admin\AppData\Local\Temp\jhrljxs.o

MD5 3cddfd67ea5d870e028336f33ed3e2bf
SHA1 12e888cd359c5446b95d554caf95ce51f013260b
SHA256 b13a437518174975b7c229806c328c0294e285ee70ac34e3bad96bfbea6108f1
SHA512 890f3b7847a639e2e4e7dd5a5b7d075fecce956baaefab6dcf31cfddea3b960689a3b9fa42a56788f668d52d6c23120e49b7a55ce90caa2f10bc7c067c569233

C:\Users\Admin\AppData\Local\Temp\bduwbvp.s

MD5 763ecd63206a47ff65311e4044d5ad9d
SHA1 834b765c686043538aa1103322211d64fd08eb92
SHA256 564b8f221a4c2cc40ad9979d19125883307a7f623a58de6ede10b9ffc2db0e7e
SHA512 db4050f06e7b81b76b8cd65fb2365b6bb703057f9472d6da413b15bdd4d36e39a213a8aab4715e0c888bc61d99ef765c1a7442afad22845f4e966d7468b12ca4

memory/3264-211-0x0000000000401896-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ocymim.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3264-253-0x0000000002BB0000-0x0000000002C3A000-memory.dmp

memory/3264-254-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4224-267-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wApVJ.vbs

MD5 f57851c2992b81862fb373cc0986ffa8
SHA1 78e8025e28e2198bc9931d0a825e31ad25ea0069
SHA256 4656fa5210092757e338ed88d2e1a071e3f8da982b82046f5705af6fd8be7733
SHA512 7dc7c539ae7a67401ed490b680070f26a13d6a839301970aef7306c4c0e5505059493692b53cbf5593c6b91292331e1f0e47c65b0be49fe99317fdd7f722024c
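
Most of the dump names above are the same range (0x0000000077740000-0x00000000778CE000) captured over and over in PIDs 3468 and 1476; the dump that matters for unpacking is the 0x0000000000400000-0x000000000049C000 region of PID 3264, the process whose thread context 1476 set, with the mapping dump at 0x401896 falling inside it. The triage script below is an added example, not part of the report, that decodes the dump names, collapses the repeats and orders the unique regions so that candidate comes first. DUMP_NAMES is a subset of the names printed on this page; the naming scheme memory/<pid>-<n>-<start>-<end>-memory.dmp and memory/<pid>-<n>-<addr>-mapping.dmp is read off those names, and the heuristics (0x400000 is the default 32-bit image base; an identical range present in several processes, or one at a high address, is a shared system DLL rather than payload) are the example's own assumptions about what the sandbox captured.

```python
"""Rank the memory dumps listed above by how likely each is to hold the unpacked payload.

Added example, not part of the report. DUMP_NAMES is a subset of the names printed
on this page; the naming scheme and the ranking heuristics are this example's
assumptions.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/3468-119-0x0000000077740000-0x00000000778CE000-memory.dmp",
    "memory/3468-120-0x0000000077740000-0x00000000778CE000-memory.dmp",
    "memory/3468-159-0x0000000077740000-0x00000000778CE000-memory.dmp",
    "memory/1476-160-0x0000000000000000-mapping.dmp",
    "memory/1476-162-0x0000000077740000-0x00000000778CE000-memory.dmp",
    "memory/1476-184-0x0000000077740000-0x00000000778CE000-memory.dmp",
    "memory/3264-211-0x0000000000401896-mapping.dmp",
    "memory/3264-253-0x0000000002BB0000-0x0000000002C3A000-memory.dmp",
    "memory/3264-254-0x0000000000400000-0x000000000049C000-memory.dmp",
    "memory/4224-267-0x0000000000000000-mapping.dmp",
]

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")
DEFAULT_IMAGE_BASE = 0x400000      # where a 32-bit PE loads unless relocated
SYSTEM_DLL_FLOOR = 0x70000000      # heuristic: 32-bit system DLLs map up here


def parse_dump_name(name):
    """Decode one dump file name into its PID, sequence number and address range."""
    m = REGION_RE.match(name)
    if m:
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        return {"kind": "region", "pid": int(m.group(1)), "seq": int(m.group(2)),
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.match(name)
    if m:
        return {"kind": "mapping", "pid": int(m.group(1)), "seq": int(m.group(2)),
                "addr": int(m.group(3), 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def triage(names):
    """One entry per (pid, range), tagged and ordered so the payload candidate comes first."""
    dumps = [parse_dump_name(n) for n in names]
    regions = [d for d in dumps if d["kind"] == "region"]
    mappings = [d for d in dumps if d["kind"] == "mapping"]
    pids_per_range = defaultdict(set)
    for d in regions:
        pids_per_range[(d["start"], d["end"])].add(d["pid"])
    ranked, seen = [], set()
    for d in regions:
        key = (d["pid"], d["start"], d["end"])
        if key in seen:
            continue
        seen.add(key)
        tags = []
        if d["start"] == DEFAULT_IMAGE_BASE:
            tags.append("image-base")           # carve this: the PE the process is running
        if len(pids_per_range[(d["start"], d["end"])]) > 1:
            tags.append("shared-across-pids")   # same range in unrelated PIDs: system DLL
        if d["start"] >= SYSTEM_DLL_FLOOR:
            tags.append("high-address")
        priority = 0 if "image-base" in tags else (1 if not tags else 2)
        ranked.append({
            "pid": d["pid"], "start": d["start"], "end": d["end"], "size": d["size"],
            "copies": sum(1 for r in regions if (r["pid"], r["start"], r["end"]) == key),
            "mapping_addrs_inside": [m["addr"] for m in mappings
                                     if m["pid"] == d["pid"] and d["start"] <= m["addr"] < d["end"]],
            "tags": tags, "priority": priority,
        })
    return sorted(ranked, key=lambda r: (r["priority"], r["pid"]))


if __name__ == "__main__":
    for r in triage(DUMP_NAMES):
        print(f"p{r['priority']} pid={r['pid']} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"size=0x{r['size']:X} copies={r['copies']} tags={r['tags']} "
              f"mappings_inside={[hex(a) for a in r['mapping_addrs_inside']]}")
```

Priority 1 is reserved for private regions that are neither the image nor a shared mapping, such as 0x02BB0000-0x02C3A000 in PID 3264: those are where a loader stages a decrypted payload before writing it over the image, so they are worth a second look if the image-base dump turns out to still be packed.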