Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
29-03-2023 09:38
General
-
Target
CcxGQ.vbs
-
Size
180KB
-
MD5
c30c220229f3395c538e0008155881d9
-
SHA1
54920b4a6da2ef1510dd619c41fabe4f9c104a04
-
SHA256
b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe
-
SHA512
45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9
-
SSDEEP
3072:6Ag8xSXAmshISeWJQ0bamQvEz7ZAbURC3eGK/6xbIpklgVDSxGfmuZ1D:6Ag8xSQmshISeWmM6iRC3eGKoAklgF28
Malware Config
Extracted
wshrat
http://snkcyp.duckdns.org:3369
Signatures
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
WSHRAT payload 3 IoCs
-
Blocklisted process makes network request 15 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CcxGQ.vbs"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CcxGQ.vbs"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
305B
MD59503e14ea14378cadd7d034029a92f19
SHA17a57c0c5d074229ec0368f00ae4289ee4cb4f63e
SHA2568e19896bf0b7b5ae91cc4adf8a16376868731b95517760f0606175bf4ad4a8da
SHA51210c35cf7aa7b09e81ec0ea15179f4917863b194057482fd5d17cadd8975f756b4b05519e433507f717814acc16dd77a595b854ca353956bbcd416e07d77bb22d
-
Filesize
180KB
MD5c30c220229f3395c538e0008155881d9
SHA154920b4a6da2ef1510dd619c41fabe4f9c104a04
SHA256b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe
SHA51245e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9
-
Filesize
180KB
MD5c30c220229f3395c538e0008155881d9
SHA154920b4a6da2ef1510dd619c41fabe4f9c104a04
SHA256b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe
SHA51245e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9
-
Filesize
180KB
MD5c30c220229f3395c538e0008155881d9
SHA154920b4a6da2ef1510dd619c41fabe4f9c104a04
SHA256b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe
SHA51245e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9