wshrat | 74cbe760521247712b2230fb7e7d6f7aa1ad716c66047197a992e05fde14996b

Analysis

max time kernel
141s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-04-2023 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

424KB
MD5

e94871c8a2bc386e5c4310db63c30502
SHA1

8c693844dd55b5427af7476998327dfccec2720e
SHA256

74cbe760521247712b2230fb7e7d6f7aa1ad716c66047197a992e05fde14996b
SHA512

05b4df6e4d85e93b5da002420b47ecd7a6b6ac0d4d41964c0027b179abb1cafd49cc583c94db2a0a7bc503a4eee164fe3b414325aeecbad20128d3faf638e1d7
SSDEEP

6144:/Ya6qtsbZWSoWvYDoykr2U6uV/JytIXbu90ElEGTI6nl5nrDQnveub7Kv:/YktsbZWcvKevytIr1ElW6lRQnHXKv

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001398f-77.dat	family_wshrat
behavioral1/files/0x0006000000014187-92.dat	family_wshrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	1916	wscript.exe
6	1916	wscript.exe
10	1916	wscript.exe
11	1916	wscript.exe
13	1916	wscript.exe
14	1916	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1204	pemzcp.exe
1708	pemzcp.exe

Loads dropped DLL 5 IoCs

pid	Process
1712	tmp.exe
1204	pemzcp.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CcxGQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CcxGQ.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\CcxGQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CcxGQ.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 1708	1204	pemzcp.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
828	1708	WerFault.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1204	pemzcp.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1204	1712	tmp.exe	27
PID 1712 wrote to memory of 1204	1712	tmp.exe	27
PID 1712 wrote to memory of 1204	1712	tmp.exe	27
PID 1712 wrote to memory of 1204	1712	tmp.exe	27
PID 1204 wrote to memory of 1708	1204	pemzcp.exe	28
PID 1204 wrote to memory of 1708	1204	pemzcp.exe	28
PID 1204 wrote to memory of 1708	1204	pemzcp.exe	28
PID 1204 wrote to memory of 1708	1204	pemzcp.exe	28
PID 1204 wrote to memory of 1708	1204	pemzcp.exe	28
PID 1708 wrote to memory of 1916	1708	pemzcp.exe	29
PID 1708 wrote to memory of 1916	1708	pemzcp.exe	29
PID 1708 wrote to memory of 1916	1708	pemzcp.exe	29
PID 1708 wrote to memory of 1916	1708	pemzcp.exe	29
PID 1708 wrote to memory of 828	1708	pemzcp.exe	30
PID 1708 wrote to memory of 828	1708	pemzcp.exe	30
PID 1708 wrote to memory of 828	1708	pemzcp.exe	30
PID 1708 wrote to memory of 828	1708	pemzcp.exe	30

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\pemzcp.exe
  "C:\Users\Admin\AppData\Local\Temp\pemzcp.exe" C:\Users\Admin\AppData\Local\Temp\tvpvlhlzhh.our
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\pemzcp.exe
    "C:\Users\Admin\AppData\Local\Temp\pemzcp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\CcxGQ.vbs"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:1916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 608
      4⤵
      Loads dropped DLL
      Program crash
      PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\json[1].json

Filesize
305B

MD5
9503e14ea14378cadd7d034029a92f19

SHA1
7a57c0c5d074229ec0368f00ae4289ee4cb4f63e

SHA256
8e19896bf0b7b5ae91cc4adf8a16376868731b95517760f0606175bf4ad4a8da

SHA512
10c35cf7aa7b09e81ec0ea15179f4917863b194057482fd5d17cadd8975f756b4b05519e433507f717814acc16dd77a595b854ca353956bbcd416e07d77bb22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
C:\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
C:\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxdcvffsg.fh

Filesize
626KB

MD5
736605109e7bc05c8eb460c2acaae286

SHA1
0ae481e139bd84a40981fb6b40a2f137cf546fb9

SHA256
0093bdfa0100777972ef906a0e2407598e142bf606c162a649fe7be22f1393e3

SHA512
2601760b215b693caee3a895bd7c35f2762edb536dd871ce694631cb426373b19c04844d1c174806240b5dd114db4c15180cf14089a6c137313d56a3f492af76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvpvlhlzhh.our

Filesize
5KB

MD5
ba0710517f4950ac978205abf24687ad

SHA1
40272d8ef1147adf2b75b23420110ecce30d582e

SHA256
9261d1885037dd9e396e862957ad781c0ee9988e8e14b6bffd8b721a9679bdcd

SHA512
982a519a5c104009ca8f38a58323ba980ed3d41adb4a48b7ad3353d8b7f44f0408a41ccb300772687bd04defa3cede4d5288b03fc66bf32b23ec4bb69f2ef46e

Download Submit
C:\Users\Admin\AppData\Roaming\CcxGQ.vbs

Filesize
180KB

MD5
c30c220229f3395c538e0008155881d9

SHA1
54920b4a6da2ef1510dd619c41fabe4f9c104a04

SHA256
b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

SHA512
45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs

Filesize
180KB

MD5
c30c220229f3395c538e0008155881d9

SHA1
54920b4a6da2ef1510dd619c41fabe4f9c104a04

SHA256
b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

SHA512
45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

Download Submit
\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
\Users\Admin\AppData\Local\Temp\pemzcp.exe

Filesize
87KB

MD5
7bfff9a12df035272ddaddd404f1c6e6

SHA1
18b54f56ef6988dc2ee74090468a32e4105a0683

SHA256
a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

SHA512
3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

Download Submit
memory/1204-62-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/1708-71-0x0000000004660000-0x00000000046EA000-memory.dmp

Filesize
552KB

Download
memory/1708-73-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1708-75-0x0000000004590000-0x00000000045D0000-memory.dmp

Filesize
256KB

Download
memory/1708-74-0x0000000004590000-0x00000000045D0000-memory.dmp

Filesize
256KB

Download
memory/1708-76-0x0000000004590000-0x00000000045D0000-memory.dmp

Filesize
256KB

Download
memory/1708-69-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1708-66-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download