Analysis

  • max time kernel
    83s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-03-2023 13:40

General

  • Target

    tmp.exe

  • Size

    396KB

  • MD5

    81f9f37ac3c2eedeb3469b055c4b8e96

  • SHA1

    20d50098fcbff0e933c3f9fd42f82b22f741843b

  • SHA256

    b17bdafe054295b84b35190c7021be09bb456095ba5702988048299e478a7284

  • SHA512

    947df24f4f6b3aa38c47099f949c6ac383ac45d7dd40ac0b7b268b5191df8805a06b774f16188e3e1cb8e2c442d6cd22f10e3ddd074afb426e927f293bb65a5f

  • SSDEEP

    12288:/YfkqbKDGNB+AzcBrQtV7ExskKQrftxpm4:/YfkqbKDGNB+M0KqsbQrzH

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://snkcyp.duckdns.org:3369

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in VBS and JS variants.

  • WSHRAT payload 2 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe
      "C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe" C:\Users\Admin\AppData\Local\Temp\tfslygqgv.ymt
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe
        "C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3644
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\CcxGQ.vbs"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:2988
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 964
          4⤵
          • Program crash
          PID:3308
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3644 -ip 3644
    1⤵
    PID:4728

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\json[1].json

      Filesize

      305B

      MD5

      9503e14ea14378cadd7d034029a92f19

      SHA1

      7a57c0c5d074229ec0368f00ae4289ee4cb4f63e

      SHA256

      8e19896bf0b7b5ae91cc4adf8a16376868731b95517760f0606175bf4ad4a8da

      SHA512

      10c35cf7aa7b09e81ec0ea15179f4917863b194057482fd5d17cadd8975f756b4b05519e433507f717814acc16dd77a595b854ca353956bbcd416e07d77bb22d

    • C:\Users\Admin\AppData\Local\Temp\ircqalsaxa.exe

      Filesize

      34KB

      MD5

      5156b5ac3fa8a0ecc21135ce632d6ce2

      SHA1

      1a4e335e88be239080240ff345333f10d5171f41

      SHA256

      038616d4dccb3ced306700bb83d5772191e65ee9ce33f642ba69f36598e289b9

      SHA512

      68319b2e216733eced4177521ed4959e98b204fe7fcbca7e76fedc7a9d3f4b30f43df218892b4fc441a5001ba00b6cd1db9a6305d0caf1956c9abdf7294bfef6

    • C:\Users\Admin\AppData\Local\Temp\tfslygqgv.ymt

      Filesize

      5KB

      MD5

      0485af8d69087ccc01f2c7b560dd8e93

      SHA1

      71ea79419a5efa0a1167d3871f38a0101cf5d56e

      SHA256

      9037c0e57e6bc2428f726b38626a66e13c465def8ec9913e0d02b1426e0b8ecf

      SHA512

      6abd60567313587a0b1ad9b15ab76d4881334b89b1a5f6edd1a1d56695585ffa8264324f8317ddf0a370048f74e9ad9632b29cb8ee44a5825a2e507f00ad6570

    • C:\Users\Admin\AppData\Local\Temp\vcvfrgkw.jb

      Filesize

      626KB

      MD5

      64251ef9de697de16e24d6473ccf711c

      SHA1

      e76de59b3580d2f0f3a9fe1843aafa1b62f50338

      SHA256

      c78537edb3cce99c014cc02598c7988e03f838f5732d4e3899e13eb661c1f7e5

      SHA512

      ff215bd7134041387cf21279c0e8873f7465ab29e9d791e64679b6b20a217740a9d727e83b30075c1ddc5b1a1d4b6ad8eb7d5cd8994a75b58f75376467152592

    • C:\Users\Admin\AppData\Roaming\CcxGQ.vbs

      Filesize

      180KB

      MD5

      c30c220229f3395c538e0008155881d9

      SHA1

      54920b4a6da2ef1510dd619c41fabe4f9c104a04

      SHA256

      b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

      SHA512

      45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs

      Filesize

      180KB

      MD5

      c30c220229f3395c538e0008155881d9

      SHA1

      54920b4a6da2ef1510dd619c41fabe4f9c104a04

      SHA256

      b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

      SHA512

      45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

    • memory/3604-141-0x0000000000480000-0x0000000000482000-memory.dmp

      Filesize

      8KB

    • memory/3644-146-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/3644-149-0x0000000004B30000-0x0000000004B40000-memory.dmp

      Filesize

      64KB

    • memory/3644-150-0x0000000004B30000-0x0000000004B40000-memory.dmp

      Filesize

      64KB

    • memory/3644-151-0x0000000004B30000-0x0000000004B40000-memory.dmp

      Filesize

      64KB

    • memory/3644-148-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/3644-144-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/3644-142-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB