wshrat | 6f4e16acaab16780b1ec03d549053980c05966b17b02d4b836240358f283ae57

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER_230323.vbs
Size

237KB
MD5

ad09b8c1e47b162243c8e6cfeb030ab6
SHA1

1777b8cb69f2984f55aa913282c16dc2aa0590ee
SHA256

6f4e16acaab16780b1ec03d549053980c05966b17b02d4b836240358f283ae57
SHA512

a3bedaee5151042318aed2b8fe97908ab259703ddf878e6c70fae20177907b7cac33673a8a96926d38aa749c4e2053ea25154ff50b02ee6e2836758346cd2bfc
SSDEEP

768:BMq8WDyk6tuYFiPYfiVXbniXs1YmV3hSmS6VBtLZJX+:S

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 21 IoCs

flow	pid	Process
4	1320	WScript.exe
5	1320	WScript.exe
6	1320	WScript.exe
8	1320	WScript.exe
10	1320	WScript.exe
11	1320	WScript.exe
13	1320	WScript.exe
14	1320	WScript.exe
15	1320	WScript.exe
17	1320	WScript.exe
18	1320	WScript.exe
19	1320	WScript.exe
21	1320	WScript.exe
22	1320	WScript.exe
23	1320	WScript.exe
25	1320	WScript.exe
26	1320	WScript.exe
27	1320	WScript.exe
29	1320	WScript.exe
30	1320	WScript.exe
31	1320	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER_230323.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER_230323.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER_230323 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER_230323.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\ORDER_230323 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ORDER_230323.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_230323.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER_230323.vbs

Filesize
237KB

MD5
ad09b8c1e47b162243c8e6cfeb030ab6

SHA1
1777b8cb69f2984f55aa913282c16dc2aa0590ee

SHA256
6f4e16acaab16780b1ec03d549053980c05966b17b02d4b836240358f283ae57

SHA512
a3bedaee5151042318aed2b8fe97908ab259703ddf878e6c70fae20177907b7cac33673a8a96926d38aa749c4e2053ea25154ff50b02ee6e2836758346cd2bfc

Download Submit