wshrat | b17bdafe054295b84b35190c7021be09bb456095ba5702988048299e478a7284

Analysis

max time kernel
141s
max time network
73s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

396KB
MD5

81f9f37ac3c2eedeb3469b055c4b8e96
SHA1

20d50098fcbff0e933c3f9fd42f82b22f741843b
SHA256

b17bdafe054295b84b35190c7021be09bb456095ba5702988048299e478a7284
SHA512

947df24f4f6b3aa38c47099f949c6ac383ac45d7dd40ac0b7b268b5191df8805a06b774f16188e3e1cb8e2c442d6cd22f10e3ddd074afb426e927f293bb65a5f
SSDEEP

12288:/YfkqbKDGNB+AzcBrQtV7ExskKQrftxpm4:/YfkqbKDGNB+M0KqsbQrzH

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://snkcyp.duckdns.org:3369

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000126bf-76.dat	family_wshrat
behavioral1/files/0x000700000001339d-92.dat	family_wshrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	2028	wscript.exe
6	2028	wscript.exe
7	2028	wscript.exe
9	2028	wscript.exe
11	2028	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	ircqalsaxa.exe
1072	ircqalsaxa.exe

Loads dropped DLL 6 IoCs

pid	Process
1612	tmp.exe
1612	tmp.exe
1500	ircqalsaxa.exe
1756	WerFault.exe
1756	WerFault.exe
1756	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CcxGQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CcxGQ.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\CcxGQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CcxGQ.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1072	1500	ircqalsaxa.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1756	1072	WerFault.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1500	ircqalsaxa.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1500	1612	tmp.exe	27
PID 1612 wrote to memory of 1500	1612	tmp.exe	27
PID 1612 wrote to memory of 1500	1612	tmp.exe	27
PID 1612 wrote to memory of 1500	1612	tmp.exe	27
PID 1500 wrote to memory of 1072	1500	ircqalsaxa.exe	28
PID 1500 wrote to memory of 1072	1500	ircqalsaxa.exe	28
PID 1500 wrote to memory of 1072	1500	ircqalsaxa.exe	28
PID 1500 wrote to memory of 1072	1500	ircqalsaxa.exe	28
PID 1500 wrote to memory of 1072	1500	ircqalsaxa.exe	28
PID 1072 wrote to memory of 2028	1072	ircqalsaxa.exe	29
PID 1072 wrote to memory of 2028	1072	ircqalsaxa.exe	29
PID 1072 wrote to memory of 2028	1072	ircqalsaxa.exe	29
PID 1072 wrote to memory of 2028	1072	ircqalsaxa.exe	29
PID 1072 wrote to memory of 1756	1072	ircqalsaxa.exe	30
PID 1072 wrote to memory of 1756	1072	ircqalsaxa.exe	30
PID 1072 wrote to memory of 1756	1072	ircqalsaxa.exe	30
PID 1072 wrote to memory of 1756	1072	ircqalsaxa.exe	30

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe
  "C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe" C:\Users\Admin\AppData\Local\Temp\tfslygqgv.ymt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe
    "C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\CcxGQ.vbs"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:2028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 608
      4⤵
      Loads dropped DLL
      Program crash
      PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfslygqgv.ymt

Filesize
5KB

MD5
0485af8d69087ccc01f2c7b560dd8e93

SHA1
71ea79419a5efa0a1167d3871f38a0101cf5d56e

SHA256
9037c0e57e6bc2428f726b38626a66e13c465def8ec9913e0d02b1426e0b8ecf

SHA512
6abd60567313587a0b1ad9b15ab76d4881334b89b1a5f6edd1a1d56695585ffa8264324f8317ddf0a370048f74e9ad9632b29cb8ee44a5825a2e507f00ad6570

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcvfrgkw.jb

Filesize
626KB

MD5
64251ef9de697de16e24d6473ccf711c

SHA1
e76de59b3580d2f0f3a9fe1843aafa1b62f50338

SHA256
c78537edb3cce99c014cc02598c7988e03f838f5732d4e3899e13eb661c1f7e5

SHA512
ff215bd7134041387cf21279c0e8873f7465ab29e9d791e64679b6b20a217740a9d727e83b30075c1ddc5b1a1d4b6ad8eb7d5cd8994a75b58f75376467152592

Download Submit
C:\Users\Admin\AppData\Roaming\CcxGQ.vbs

Filesize
180KB

MD5
c30c220229f3395c538e0008155881d9

SHA1
54920b4a6da2ef1510dd619c41fabe4f9c104a04

SHA256
b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

SHA512
45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs

Filesize
180KB

MD5
c30c220229f3395c538e0008155881d9

SHA1
54920b4a6da2ef1510dd619c41fabe4f9c104a04

SHA256
b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

SHA512
45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

Download Submit
\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

Filesize
34KB

MD5
5156b5ac3fa8a0ecc21135ce632d6ce2

SHA1
1a4e335e88be239080240ff345333f10d5171f41

SHA256
038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

SHA512
68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

Download Submit
memory/1072-74-0x0000000004520000-0x00000000045AA000-memory.dmp

Filesize
552KB

Download
memory/1072-73-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1072-71-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1072-79-0x0000000004630000-0x0000000004670000-memory.dmp

Filesize
256KB

Download
memory/1072-80-0x0000000004630000-0x0000000004670000-memory.dmp

Filesize
256KB

Download
memory/1072-81-0x0000000004630000-0x0000000004670000-memory.dmp

Filesize
256KB

Download
memory/1072-86-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1072-68-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download