Overview

overview

10

Static

static

DRAFT19984...86.exe

windows7-x64

10

DRAFT19984...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/12/2022, 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DRAFT199849-BILADING-8458886.exe

  • Size

    1.5MB

  • MD5

    f0b94cd08cddbffeafd2e96ca4cc5e3e

  • SHA1

    50fe4df2e4974447a23baa0007aec7e81db2fa29

  • SHA256

    fa2e0066a72e409c12bb2f71eb282d8feb9cf7a956ed51a22a69c4a43c7a9dba

  • SHA512

    6c489f64857d494826c0fe504b7351047692f10cecea2795c1b6d8dd246d3ed7742577511f8e18caaf8ad8d7e949f5e6f92bf042bae12e7d772684ddbb51ed12

  • SSDEEP

    24576:8AOcZ+2JfN+Owq85kORkr+5fvQz6TzGouZuvhHbyC1BQrXAz3fJzQsZx4Zig:q5KUOwq85kikQvQOvvhuCkAz3fBQsZOj

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://newmoney2033.duckdns.org:5000

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 5 IoCs
  • Blocklisted process makes network request 15 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DRAFT199849-BILADING-8458886.exe
    "C:\Users\Admin\AppData\Local\Temp\DRAFT199849-BILADING-8458886.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" incve-kbktrxnm.docx.vbe
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe
        "C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe" cwrv.xml
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe"
          4⤵
            PID:4560
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
              PID:2744
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe"
              4⤵
                PID:2232
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe"
                4⤵
                  PID:4360
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe"
                  4⤵
                    PID:2432
                  • C:\Windows\SysWOW64\mshta.exe
                    "C:\Windows\SysWOW64\mshta.exe"
                    4⤵
                      PID:4060
                    • C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\SysWOW64\mshta.exe"
                      4⤵
                        PID:2644
                      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
                        4⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:3044
                        • C:\Windows\SysWOW64\wscript.exe
                          "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
                          5⤵
                          • Checks computer location settings
                          • Drops startup file
                          • Adds Run key to start application
                          • Suspicious use of WriteProcessMemory
                          PID:3460
                          • C:\Windows\SysWOW64\wscript.exe
                            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
                            6⤵
                            • Blocklisted process makes network request
                            • Drops startup file
                            • Adds Run key to start application
                            PID:2608
                      • C:\Windows\SysWOW64\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6_71\run.vbs"
                        4⤵
                        • Checks computer location settings
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1284
                        • C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe
                          "C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe" cwrv.xml
                          5⤵
                          • Executes dropped EXE
                          • Checks computer location settings
                          • Adds Run key to start application
                          • Suspicious use of SetThreadContext
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:3956
                          • C:\Windows\SysWOW64\mshta.exe
                            "C:\Windows\SysWOW64\mshta.exe"
                            6⤵
                              PID:428
                            • C:\Windows\SysWOW64\mshta.exe
                              "C:\Windows\SysWOW64\mshta.exe"
                              6⤵
                                PID:5004
                              • C:\Windows\SysWOW64\mshta.exe
                                "C:\Windows\SysWOW64\mshta.exe"
                                6⤵
                                  PID:3120
                                • C:\Windows\SysWOW64\mshta.exe
                                  "C:\Windows\SysWOW64\mshta.exe"
                                  6⤵
                                    PID:1372
                                  • C:\Windows\SysWOW64\mshta.exe
                                    "C:\Windows\SysWOW64\mshta.exe"
                                    6⤵
                                      PID:4500
                                    • C:\Windows\SysWOW64\mshta.exe
                                      "C:\Windows\SysWOW64\mshta.exe"
                                      6⤵
                                        PID:1288
                                      • C:\Windows\SysWOW64\mshta.exe
                                        "C:\Windows\SysWOW64\mshta.exe"
                                        6⤵
                                          PID:3928
                                        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                                          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • Checks computer location settings
                                          PID:4812
                                          • C:\Windows\SysWOW64\wscript.exe
                                            "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
                                            7⤵
                                            • Checks computer location settings
                                            • Drops startup file
                                            • Adds Run key to start application
                                            PID:1080
                                            • C:\Windows\SysWOW64\wscript.exe
                                              "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
                                              8⤵
                                                PID:2972
                                          • C:\Windows\SysWOW64\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6_71\run.vbs"
                                            6⤵
                                            • Checks computer location settings
                                            • Modifies registry class
                                            PID:3648
                                            • C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe
                                              "C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe" cwrv.xml
                                              7⤵
                                              • Executes dropped EXE
                                              PID:496

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\6_71\cwrv.xml
                                  Filesize

                                  112.5MB

                                  MD5

                                  ed33cc743d130710832eab07801bf435

                                  SHA1

                                  9bffc99421cb95302e03d7a7972e3cedd8cd42cc

                                  SHA256

                                  8e96a439e9315097cbc7574e7e03f03a5136b7146b6d3788580855d0546a16e0

                                  SHA512

                                  103b3a802b9a13500acd5e31dfe52084d68cb634f6ca8fb502ddb4b562d4ae3d55e9ca47ead0ad80bc3c90f96ddca9d0b6dc8d8ab742cb4c2ce14814c64d9af1

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6_71\eiqvmdrp.bin
                                  Filesize

                                  61KB

                                  MD5

                                  acd44fc45e9437c37565aded9ff2409b

                                  SHA1

                                  013ce6d74dcea4ebb25baf1373e4ef370e84d874

                                  SHA256

                                  ff4de0f00bfb232f66b0104ddaf71a89237526e3f88fb09f86094b6c037b85a3

                                  SHA512

                                  cb4fac58d6a4fca868e559683c10ada6d1365f99623d8d1cb9d4603f1e35a5b0ffab3bb45188a282e0d7e83b4c4fd75a8838469f5ab0eb9903e907c6755a6e12

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6_71\kvuqk.xfd
                                  Filesize

                                  1.0MB

                                  MD5

                                  477a8a33de4f2dae436f1646100d5a4a

                                  SHA1

                                  5e394c2541f2ccd8ed462046a207827a9e8bd9c3

                                  SHA256

                                  99e46de7c1acc7c76eee2dccc6128c557a8791b469d457b053a78d6f1ca5d8fe

                                  SHA512

                                  e1eb0b2d7097b8546806b6177998db81bec427a101be0778a8a6e776ebe9ab609b858926c0945e64a8d007e9644cf2d4090a07d7af850c9bd91832e51c43d785

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe
                                  Filesize

                                  887KB

                                  MD5

                                  e3425941149899428ef0d3b2d0819f98

                                  SHA1

                                  15942b4afb623470919f8c7af00781605eead810

                                  SHA256

                                  8c5c8085c2b0ab5afacd633f74583a50cdec8a65036c636b9c84c7f35d48a467

                                  SHA512

                                  a044db04a3968d5747ea34bd24a32c8001ed91f161adb69261a98f61aae8528ec9a6d1ccaeafb7bc65082023fe4bb0b0c349f5bbf60247f1aa7e627168193681

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe
                                  Filesize

                                  887KB

                                  MD5

                                  e3425941149899428ef0d3b2d0819f98

                                  SHA1

                                  15942b4afb623470919f8c7af00781605eead810

                                  SHA256

                                  8c5c8085c2b0ab5afacd633f74583a50cdec8a65036c636b9c84c7f35d48a467

                                  SHA512

                                  a044db04a3968d5747ea34bd24a32c8001ed91f161adb69261a98f61aae8528ec9a6d1ccaeafb7bc65082023fe4bb0b0c349f5bbf60247f1aa7e627168193681

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe
                                  Filesize

                                  887KB

                                  MD5

                                  e3425941149899428ef0d3b2d0819f98

                                  SHA1

                                  15942b4afb623470919f8c7af00781605eead810

                                  SHA256

                                  8c5c8085c2b0ab5afacd633f74583a50cdec8a65036c636b9c84c7f35d48a467

                                  SHA512

                                  a044db04a3968d5747ea34bd24a32c8001ed91f161adb69261a98f61aae8528ec9a6d1ccaeafb7bc65082023fe4bb0b0c349f5bbf60247f1aa7e627168193681

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6_71\lemt.exe
                                  Filesize

                                  887KB

                                  MD5

                                  e3425941149899428ef0d3b2d0819f98

                                  SHA1

                                  15942b4afb623470919f8c7af00781605eead810

                                  SHA256

                                  8c5c8085c2b0ab5afacd633f74583a50cdec8a65036c636b9c84c7f35d48a467

                                  SHA512

                                  a044db04a3968d5747ea34bd24a32c8001ed91f161adb69261a98f61aae8528ec9a6d1ccaeafb7bc65082023fe4bb0b0c349f5bbf60247f1aa7e627168193681

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\6_71\run.vbs
                                  Filesize

                                  124B

                                  MD5

                                  34f7e07b3a29ca4c2ba4929ec6686ced

                                  SHA1

                                  e8e143c09b4821946d597c0e847e3a2c51582a64

                                  SHA256

                                  5c0f8f2bd0937fc05578531141412604baf6e405e8e822a6c306ccd52937517b

                                  SHA512

                                  614508bcfe4492946c5e8473898ecb30ce6e7dc335ba9e24a71c2274fa537e5f47d7d4d8dd06735a14a2bad58020220b2d80e08712ad7d67b3b5c8f24b883300

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                                  Filesize

                                  44KB

                                  MD5

                                  9d352bc46709f0cb5ec974633a0c3c94

                                  SHA1

                                  1969771b2f022f9a86d77ac4d4d239becdf08d07

                                  SHA256

                                  2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

                                  SHA512

                                  13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                                  Filesize

                                  44KB

                                  MD5

                                  9d352bc46709f0cb5ec974633a0c3c94

                                  SHA1

                                  1969771b2f022f9a86d77ac4d4d239becdf08d07

                                  SHA256

                                  2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

                                  SHA512

                                  13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                                  Filesize

                                  44KB

                                  MD5

                                  9d352bc46709f0cb5ec974633a0c3c94

                                  SHA1

                                  1969771b2f022f9a86d77ac4d4d239becdf08d07

                                  SHA256

                                  2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

                                  SHA512

                                  13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs
                                  Filesize

                                  180KB

                                  MD5

                                  a2c40a28f05614c3d68c9c9727fa9584

                                  SHA1

                                  c9d7c014564072d2ea951ede6718632c20a5cd48

                                  SHA256

                                  40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

                                  SHA512

                                  36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\temp\6_71\incve-kbktrxnm.docx.vbe
                                  Filesize

                                  62KB

                                  MD5

                                  43e67314acfe367bbc74d920b6dfa5bf

                                  SHA1

                                  e0071e7310259b96dcc8d3791c529ed6810a8d41

                                  SHA256

                                  003edd78a452744c128714259a7ebba275ea2b287b5c51776a41131db3e5f4a5

                                  SHA512

                                  92c804a7c0739e75f693005764a014a0efdf56535f7b356a6844229d588d5634922f5f18e0f3bb2bdeed8006aaa34a8b1eefd459663e8373b3abfa998e1cab07

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
                                  Filesize

                                  64KB

                                  MD5

                                  21099e5ede9594274cd48bfeacf81e5f

                                  SHA1

                                  86fe4c46e9fccff2e16a02bbe0cc0d1785c91fc4

                                  SHA256

                                  d98b5fd4eb237919baf53175a6fbe62f71598b22bf0ecad89ff893abe316bd66

                                  SHA512

                                  ce9bdca6d91450fc88f2ed0a82f80224912bab920b553c59e1968ffc52a71c88ee01873980cc132dc088891687dd0424387575f3ba76f502eafe4e1f357dd930

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
                                  Filesize

                                  180KB

                                  MD5

                                  a2c40a28f05614c3d68c9c9727fa9584

                                  SHA1

                                  c9d7c014564072d2ea951ede6718632c20a5cd48

                                  SHA256

                                  40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

                                  SHA512

                                  36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
                                  Filesize

                                  180KB

                                  MD5

                                  a2c40a28f05614c3d68c9c9727fa9584

                                  SHA1

                                  c9d7c014564072d2ea951ede6718632c20a5cd48

                                  SHA256

                                  40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

                                  SHA512

                                  36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\WmBqH.vbs
                                  Filesize

                                  180KB

                                  MD5

                                  a2c40a28f05614c3d68c9c9727fa9584

                                  SHA1

                                  c9d7c014564072d2ea951ede6718632c20a5cd48

                                  SHA256

                                  40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

                                  SHA512

                                  36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

                                  Download Submit

                                • memory/3044-151-0x0000000000C00000-0x0000000000C8A000-memory.dmp

                                  Filesize

                                  552KB

                                  Download

                                • memory/3044-148-0x0000000000C00000-0x00000000010DC000-memory.dmp

                                  Filesize

                                  4.9MB

                                  Download

                                • memory/4812-169-0x0000000000F00000-0x0000000001614000-memory.dmp

                                  Filesize

                                  7.1MB

                                  Download