wshrat | 587dbf7f25e6078a552505be43c9013c5be3ce454ecc5c64edd5a3598325aebf

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

449KB
MD5

24970aab6d2f2388a1bb986fbc16f56b
SHA1

847986dce6acc5da7c5bab853ab9317035114024
SHA256

587dbf7f25e6078a552505be43c9013c5be3ce454ecc5c64edd5a3598325aebf
SHA512

85bd00115e4097e4d880c5946a7766f34470a3c822b31e8688ce850b5ad2cd05a9234df78f282799cfdba148689417bf46e8aa1f3af18c3f9a950590ca4834b3
SSDEEP

12288:vYxDYzoG3JGoShnxu5uwo3HzZkniGBZwzm0CK2F:vYxd4S9xufezZhGBZwzm9P

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001271d-76.dat	family_wshrat
behavioral1/files/0x0009000000012735-89.dat	family_wshrat

Blocklisted process makes network request 20 IoCs

flow	pid	Process
4	592	wscript.exe
6	592	wscript.exe
7	592	wscript.exe
8	592	wscript.exe
11	592	wscript.exe
12	592	wscript.exe
13	592	wscript.exe
15	592	wscript.exe
16	592	wscript.exe
17	592	wscript.exe
19	592	wscript.exe
20	592	wscript.exe
21	592	wscript.exe
23	592	wscript.exe
24	592	wscript.exe
25	592	wscript.exe
27	592	wscript.exe
28	592	wscript.exe
29	592	wscript.exe
31	592	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1752	dgscfpj.exe
1040	dgscfpj.exe

Loads dropped DLL 6 IoCs

pid	Process
1396	tmp.exe
1396	tmp.exe
1752	dgscfpj.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CcxGQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CcxGQ.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\CcxGQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CcxGQ.vbs\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1040	1752	dgscfpj.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
576	1040	WerFault.exe	29

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1752	dgscfpj.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1752	1396	tmp.exe	28
PID 1396 wrote to memory of 1752	1396	tmp.exe	28
PID 1396 wrote to memory of 1752	1396	tmp.exe	28
PID 1396 wrote to memory of 1752	1396	tmp.exe	28
PID 1752 wrote to memory of 1040	1752	dgscfpj.exe	29
PID 1752 wrote to memory of 1040	1752	dgscfpj.exe	29
PID 1752 wrote to memory of 1040	1752	dgscfpj.exe	29
PID 1752 wrote to memory of 1040	1752	dgscfpj.exe	29
PID 1752 wrote to memory of 1040	1752	dgscfpj.exe	29
PID 1040 wrote to memory of 592	1040	dgscfpj.exe	30
PID 1040 wrote to memory of 592	1040	dgscfpj.exe	30
PID 1040 wrote to memory of 592	1040	dgscfpj.exe	30
PID 1040 wrote to memory of 592	1040	dgscfpj.exe	30
PID 1040 wrote to memory of 576	1040	dgscfpj.exe	31
PID 1040 wrote to memory of 576	1040	dgscfpj.exe	31
PID 1040 wrote to memory of 576	1040	dgscfpj.exe	31
PID 1040 wrote to memory of 576	1040	dgscfpj.exe	31

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe
  "C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe" C:\Users\Admin\AppData\Local\Temp\bkgirjz.z
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe
    "C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\CcxGQ.vbs"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 608
      4⤵
      Loads dropped DLL
      Program crash
      PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\json[1].json

Filesize
305B

MD5
9503e14ea14378cadd7d034029a92f19

SHA1
7a57c0c5d074229ec0368f00ae4289ee4cb4f63e

SHA256
8e19896bf0b7b5ae91cc4adf8a16376868731b95517760f0606175bf4ad4a8da

SHA512
10c35cf7aa7b09e81ec0ea15179f4917863b194057482fd5d17cadd8975f756b4b05519e433507f717814acc16dd77a595b854ca353956bbcd416e07d77bb22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkgirjz.z

Filesize
5KB

MD5
842d8d3cb11fe23061928b45951bb1bd

SHA1
7a1998e27017f3a716a99fbfcb46f36be1661393

SHA256
36375915292bd24c8e29562c9e6ec35507edd776d29394265e39d86a658b856c

SHA512
8845a7839629be4c0abfc107f80fce54282d29c934d82c86aa06a1f0595c0871e3fb402d06e6e2c21af7cb121446a82e7646bed4d0ba26f77b053dce8d3d01d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaejhwzrx.hk

Filesize
626KB

MD5
bc9cd2cd8cde0b4957a540e469f68066

SHA1
d9e3c5502c3e8972d8cdf5f7e0949c38e9fc12e1

SHA256
458d8856048ca453cd634e9c46694092ae049adc3cfc16851a71033ee125e476

SHA512
ed66fe78519d3180bf1be9c2c511e94cb06358297e475362dd42f7f0cc81f900337fe60999ea5da4b0a15865bc01352a0b5f2b1c8111688ebb2db43acc5a426d

Download Submit
C:\Users\Admin\AppData\Roaming\CcxGQ.vbs

Filesize
180KB

MD5
c30c220229f3395c538e0008155881d9

SHA1
54920b4a6da2ef1510dd619c41fabe4f9c104a04

SHA256
b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

SHA512
45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs

Filesize
180KB

MD5
c30c220229f3395c538e0008155881d9

SHA1
54920b4a6da2ef1510dd619c41fabe4f9c104a04

SHA256
b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

SHA512
45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

Download Submit
\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
\Users\Admin\AppData\Local\Temp\dgscfpj.exe

Filesize
159KB

MD5
cfcfb003ef2e911bab5915217beb2e6f

SHA1
c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9

SHA256
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c

SHA512
8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

Download Submit
memory/1040-74-0x00000000045E0000-0x000000000466A000-memory.dmp

Filesize
552KB

Download
memory/1040-73-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1040-80-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1040-81-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1040-71-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1040-68-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download