wshrat | 83afc9dc11c5db83f7f4f7f065a184b24ab8fa95d5500b390052eacd0c9b19ae

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Equiptment_Order.vbs
Size

234KB
MD5

792c3b496734ad9ec371856e94f7cf35
SHA1

9ad583739ca482bee22c74b56e018893aa960595
SHA256

83afc9dc11c5db83f7f4f7f065a184b24ab8fa95d5500b390052eacd0c9b19ae
SHA512

ae95386382a5e631e3c0f1834c77e8130cc1ea608165fa2a5bcc863ba82da1d1a49e4b3623296e0083ed053f680d6a3a0a06f70f317e57016879d43a0ffeb87d
SSDEEP

768:BYaVSIsZ+XhEWr0AFYtAxY79BJWHkt06Dhp6y6ar7JFpt9u:lpx3

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
6	1436	WScript.exe
20	1436	WScript.exe
21	1436	WScript.exe
22	1436	WScript.exe
23	1436	WScript.exe
25	1436	WScript.exe
27	1436	WScript.exe
28	1436	WScript.exe
29	1436	WScript.exe
33	1436	WScript.exe
35	1436	WScript.exe
37	1436	WScript.exe
38	1436	WScript.exe
39	1436	WScript.exe
40	1436	WScript.exe
41	1436	WScript.exe
42	1436	WScript.exe
43	1436	WScript.exe
44	1436	WScript.exe
45	1436	WScript.exe
46	1436	WScript.exe
47	1436	WScript.exe
48	1436	WScript.exe
49	1436	WScript.exe
50	1436	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Equiptment_Order.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Equiptment_Order.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Equiptment_Order = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Equiptment_Order.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Equiptment_Order = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Equiptment_Order.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Equiptment_Order.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Equiptment_Order.vbs

Filesize
234KB

MD5
792c3b496734ad9ec371856e94f7cf35

SHA1
9ad583739ca482bee22c74b56e018893aa960595

SHA256
83afc9dc11c5db83f7f4f7f065a184b24ab8fa95d5500b390052eacd0c9b19ae

SHA512
ae95386382a5e631e3c0f1834c77e8130cc1ea608165fa2a5bcc863ba82da1d1a49e4b3623296e0083ed053f680d6a3a0a06f70f317e57016879d43a0ffeb87d

Download Submit