Overview

overview

10

Static

static

DRAFT-COPY...69.exe

windows7-x64

10

DRAFT-COPY...69.exe

windows10-2004-x64

10

367d39225e...25.exe

windows7-x64

10

367d39225e...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/12/2022, 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DRAFT-COPY6979977-SHIPPING -DOCUMENT9696969.exe

  • Size

    1.4MB

  • MD5

    211ebc2eede41dbffd0cfa437ec6a32f

  • SHA1

    e0c0d52cb266c517d84b759f2423fb6e1a93f337

  • SHA256

    5b4db1bf348e86d6295c33248ec0a5085de36b830b1528ada92e9abf291f61c5

  • SHA512

    9c1c501fe3b5b149594c7110d8c8b15013c5bb595a1aaf2b341e9a9fee7140848744e45697b59f48d2216eec04f3008c7247457847808c22298fd3a98a698ce3

  • SSDEEP

    24576:JAOcZ5pO7jnAp0u8GFkfhadicVTc4T+ztkdtNBVQ70M/dj2qHLt:jlHAp5FkfhadicVJKztkXNjQ70MQqHR

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://newmoney2033.duckdns.org:5000

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 3 IoCs
  • Blocklisted process makes network request 23 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DRAFT-COPY6979977-SHIPPING -DOCUMENT9696969.exe
    "C:\Users\Admin\AppData\Local\Temp\DRAFT-COPY6979977-SHIPPING -DOCUMENT9696969.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" idhfgg-olqiaucvha.txt.vbe
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Users\Admin\AppData\Local\Temp\6_76\bjpjnf.exe
        "C:\Users\Admin\AppData\Local\Temp\6_76\bjpjnf.exe" jsgmuc.txt
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1424
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
            5⤵
            • Checks computer location settings
            • Drops startup file
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3804
            • C:\Windows\SysWOW64\wscript.exe
              "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
              6⤵
              • Blocklisted process makes network request
              • Drops startup file
              • Adds Run key to start application
              PID:4592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6_76\bjpjnf.exe
    Filesize

    894KB

    MD5

    d6509f18d8abb4c032afd0133dfbd72d

    SHA1

    62cf1f9216f098f0db18292176bc2bbdc92afde3

    SHA256

    17b0cf3f370d030e74a65eec5e15d71fad91d28e4267ff5530066b7e5c962321

    SHA512

    b9849a79ccb2bbe38e97a8f8d0666bd3080535dac57e96fda1818d4175c02b5679e75a643a153b695b9c665d6ea5bd98d11f2ae941b43715eb259f6c42649897

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6_76\bjpjnf.exe
    Filesize

    894KB

    MD5

    d6509f18d8abb4c032afd0133dfbd72d

    SHA1

    62cf1f9216f098f0db18292176bc2bbdc92afde3

    SHA256

    17b0cf3f370d030e74a65eec5e15d71fad91d28e4267ff5530066b7e5c962321

    SHA512

    b9849a79ccb2bbe38e97a8f8d0666bd3080535dac57e96fda1818d4175c02b5679e75a643a153b695b9c665d6ea5bd98d11f2ae941b43715eb259f6c42649897

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6_76\jsgmuc.txt
    Filesize

    111.3MB

    MD5

    3243654b532186b9b6d64c4f1f3ab8cd

    SHA1

    d328f1a7a917debbd3fb8ebf2712c85606d65e5d

    SHA256

    851e2fac1aba90553918f289458929a37e331ec5c220a523e504803a2a736c23

    SHA512

    afcbbfd6949eb1e866c4393bdf29a1908c36dc57cf830a777de07e10952b04e781e88b0e5e8c4c960fa1ca53a93d9bbf61836f6f7b95eee5b1a6a119086374e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6_76\sinn.hqe
    Filesize

    1.0MB

    MD5

    3957e803ebdbc8f852f8cbb02f52b45c

    SHA1

    368feaac47fa402899204f2b4d560f4a95d97620

    SHA256

    a9af9dd6cc0f55238a99e128b903a90ba03ead8afc1ebff41e417d69c8dd192b

    SHA512

    cc2a8d309338ce09c4acdef9c9586a214734d30812961dbcda03b3d1d390d3da7b669e4c87f8684c8c120755ae950e720ae647bf8938262e2e12ac7b3f79a9fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6_76\wksdswnj.icm
    Filesize

    42KB

    MD5

    889808a98b8f41e7e49573d8e4715e42

    SHA1

    aa7cdf6b2e314a368a4ee02d069519e747813abb

    SHA256

    16ace2ad97ad01447e3c11807f34cab05a832e5b0b810b77f34a2831f622405f

    SHA512

    bfc8d45bbdaafa7a1f02292322e07726a912cdc2c4018ef60b9bd639ec6b0893c36c03cc1a40bb848573d69de4c7fb58e57b72a55448ecacb0345c1d7f1dbbb0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs
    Filesize

    180KB

    MD5

    a2c40a28f05614c3d68c9c9727fa9584

    SHA1

    c9d7c014564072d2ea951ede6718632c20a5cd48

    SHA256

    40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

    SHA512

    36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

    Download Submit

  • C:\Users\Admin\AppData\Local\temp\6_76\idhfgg-olqiaucvha.txt.vbe
    Filesize

    61KB

    MD5

    647614acfa282a884cce2cf4031ef739

    SHA1

    fef06f6c3208b91387bdba6707c088ea746d8512

    SHA256

    cbfc2ac6f636b9ad49ae22f0199952a0bacaeda318c7cb20372dc7700b7e04ad

    SHA512

    d14680d93f84ec7a2d072ebe4d22f6917369c0d45e69e0775f4226003a6e662f24216805c18512c3a991793c119bf7bef805152992876f736242c41aafb21311

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
    Filesize

    180KB

    MD5

    a2c40a28f05614c3d68c9c9727fa9584

    SHA1

    c9d7c014564072d2ea951ede6718632c20a5cd48

    SHA256

    40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

    SHA512

    36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WmBqH.vbs
    Filesize

    180KB

    MD5

    a2c40a28f05614c3d68c9c9727fa9584

    SHA1

    c9d7c014564072d2ea951ede6718632c20a5cd48

    SHA256

    40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

    SHA512

    36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

    Download Submit

  • memory/1424-141-0x0000000000D80000-0x00000000013F1000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/1424-142-0x0000000000D80000-0x0000000000E0A000-memory.dmp

    Filesize

    552KB

    Download