Analysis

  • max time kernel: 138s
  • max time network: 143s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230221-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-04-2023 21:55

General

  • Target: tmp.exe
  • Size: 449KB
  • MD5: 24970aab6d2f2388a1bb986fbc16f56b
  • SHA1: 847986dce6acc5da7c5bab853ab9317035114024
  • SHA256: 587dbf7f25e6078a552505be43c9013c5be3ce454ecc5c64edd5a3598325aebf
  • SHA512: 85bd00115e4097e4d880c5946a7766f34470a3c822b31e8688ce850b5ad2cd05a9234df78f282799cfdba148689417bf46e8aa1f3af18c3f9a950590ca4834b3
  • SSDEEP: 12288:vYxDYzoG3JGoShnxu5uwo3HzZkniGBZwzm0CK2F:vYxd4S9xufezZhGBZwzm9P

Malware Config

Extracted

  • Family: wshrat
  • C2: http://snkcyp.duckdns.org:3369

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • WSHRAT payload 2 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe
      "C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe" C:\Users\Admin\AppData\Local\Temp\bkgirjz.z
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe
        "C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\CcxGQ.vbs"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:2240
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1092
          4⤵
          • Program crash
          PID:2440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2984 -ip 2984
    1⤵
    PID:2828

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\json[1].json
    Filesize: 305B
    MD5: 9503e14ea14378cadd7d034029a92f19
    SHA1: 7a57c0c5d074229ec0368f00ae4289ee4cb4f63e
    SHA256: 8e19896bf0b7b5ae91cc4adf8a16376868731b95517760f0606175bf4ad4a8da
    SHA512: 10c35cf7aa7b09e81ec0ea15179f4917863b194057482fd5d17cadd8975f756b4b05519e433507f717814acc16dd77a595b854ca353956bbcd416e07d77bb22d

  • C:\Users\Admin\AppData\Local\Temp\bkgirjz.z
    Filesize: 5KB
    MD5: 842d8d3cb11fe23061928b45951bb1bd
    SHA1: 7a1998e27017f3a716a99fbfcb46f36be1661393
    SHA256: 36375915292bd24c8e29562c9e6ec35507edd776d29394265e39d86a658b856c
    SHA512: 8845a7839629be4c0abfc107f80fce54282d29c934d82c86aa06a1f0595c0871e3fb402d06e6e2c21af7cb121446a82e7646bed4d0ba26f77b053dce8d3d01d2

  • C:\Users\Admin\AppData\Local\Temp\dgscfpj.exe
    Filesize: 159KB
    MD5: cfcfb003ef2e911bab5915217beb2e6f
    SHA1: c623bbdd0d4e34c9a4229fa5c29293e56c1f61c9
    SHA256: 0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c
    SHA512: 8cf042ae4df2d167924d99d9d257514474ef2bdf4f8a88188bbc9f1d0080aa2c6096ce824a70d4e1fd11210b4bb94e5fca3f61d00b133b3295f7311946890b8c

  • C:\Users\Admin\AppData\Local\Temp\zaejhwzrx.hk
    Filesize: 626KB
    MD5: bc9cd2cd8cde0b4957a540e469f68066
    SHA1: d9e3c5502c3e8972d8cdf5f7e0949c38e9fc12e1
    SHA256: 458d8856048ca453cd634e9c46694092ae049adc3cfc16851a71033ee125e476
    SHA512: ed66fe78519d3180bf1be9c2c511e94cb06358297e475362dd42f7f0cc81f900337fe60999ea5da4b0a15865bc01352a0b5f2b1c8111688ebb2db43acc5a426d

  • C:\Users\Admin\AppData\Roaming\CcxGQ.vbs
    Filesize: 180KB
    MD5: c30c220229f3395c538e0008155881d9
    SHA1: 54920b4a6da2ef1510dd619c41fabe4f9c104a04
    SHA256: b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe
    SHA512: 45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs
    Filesize: 180KB
    MD5: c30c220229f3395c538e0008155881d9
    SHA1: 54920b4a6da2ef1510dd619c41fabe4f9c104a04
    SHA256: b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe
    SHA512: 45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

  • memory/2984-145-0x0000000000400000-0x000000000049C000-memory.dmp (Filesize: 624KB)
  • memory/2984-147-0x0000000000400000-0x000000000049C000-memory.dmp (Filesize: 624KB)
  • memory/2984-149-0x00000000022D0000-0x00000000022E0000-memory.dmp (Filesize: 64KB)
  • memory/2984-150-0x00000000022D0000-0x00000000022E0000-memory.dmp (Filesize: 64KB)
  • memory/2984-151-0x00000000022D0000-0x00000000022E0000-memory.dmp (Filesize: 64KB)
  • memory/2984-144-0x0000000000400000-0x000000000049C000-memory.dmp (Filesize: 624KB)
  • memory/2984-142-0x0000000000400000-0x000000000049C000-memory.dmp (Filesize: 624KB)
  • memory/3472-140-0x00000000006C0000-0x00000000006C2000-memory.dmp (Filesize: 8KB)