Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-04-2023 08:00

General

  • Target

    tmp.exe

  • Size

    424KB

  • MD5

    e94871c8a2bc386e5c4310db63c30502

  • SHA1

    8c693844dd55b5427af7476998327dfccec2720e

  • SHA256

    74cbe760521247712b2230fb7e7d6f7aa1ad716c66047197a992e05fde14996b

  • SHA512

    05b4df6e4d85e93b5da002420b47ecd7a6b6ac0d4d41964c0027b179abb1cafd49cc583c94db2a0a7bc503a4eee164fe3b414325aeecbad20128d3faf638e1d7

  • SSDEEP

    6144:/Ya6qtsbZWSoWvYDoykr2U6uV/JytIXbu90ElEGTI6nl5nrDQnveub7Kv:/YktsbZWcvKevytIr1ElW6lRQnHXKv

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • WSHRAT payload 2 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\pemzcp.exe
      "C:\Users\Admin\AppData\Local\Temp\pemzcp.exe" C:\Users\Admin\AppData\Local\Temp\tvpvlhlzhh.our
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Users\Admin\AppData\Local\Temp\pemzcp.exe
        "C:\Users\Admin\AppData\Local\Temp\pemzcp.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4548
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\CcxGQ.vbs"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:4712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 964
          4⤵
          • Program crash
          PID:1764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4548 -ip 4548
    1⤵
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4HAJQ22Y\json[1].json

      Filesize

      305B

      MD5

      9503e14ea14378cadd7d034029a92f19

      SHA1

      7a57c0c5d074229ec0368f00ae4289ee4cb4f63e

      SHA256

      8e19896bf0b7b5ae91cc4adf8a16376868731b95517760f0606175bf4ad4a8da

      SHA512

      10c35cf7aa7b09e81ec0ea15179f4917863b194057482fd5d17cadd8975f756b4b05519e433507f717814acc16dd77a595b854ca353956bbcd416e07d77bb22d

    • C:\Users\Admin\AppData\Local\Temp\pemzcp.exe

      Filesize

      87KB

      MD5

      7bfff9a12df035272ddaddd404f1c6e6

      SHA1

      18b54f56ef6988dc2ee74090468a32e4105a0683

      SHA256

      a2a2b6ee856505ba00a047014b498b08c5b1b31c9de29a479abc8a7e437028d4

      SHA512

      3115e9be1959c7f7252775dd7c45c06c0dc621e444a548e72df3ee179fa261f3d502ad21a56948c800619b128b93f6e3c0bf9a419821afbc6abcf7c868ad1618

    • C:\Users\Admin\AppData\Local\Temp\rxdcvffsg.fh

      Filesize

      626KB

      MD5

      736605109e7bc05c8eb460c2acaae286

      SHA1

      0ae481e139bd84a40981fb6b40a2f137cf546fb9

      SHA256

      0093bdfa0100777972ef906a0e2407598e142bf606c162a649fe7be22f1393e3

      SHA512

      2601760b215b693caee3a895bd7c35f2762edb536dd871ce694631cb426373b19c04844d1c174806240b5dd114db4c15180cf14089a6c137313d56a3f492af76

    • C:\Users\Admin\AppData\Local\Temp\tvpvlhlzhh.our

      Filesize

      5KB

      MD5

      ba0710517f4950ac978205abf24687ad

      SHA1

      40272d8ef1147adf2b75b23420110ecce30d582e

      SHA256

      9261d1885037dd9e396e862957ad781c0ee9988e8e14b6bffd8b721a9679bdcd

      SHA512

      982a519a5c104009ca8f38a58323ba980ed3d41adb4a48b7ad3353d8b7f44f0408a41ccb300772687bd04defa3cede4d5288b03fc66bf32b23ec4bb69f2ef46e

    • C:\Users\Admin\AppData\Roaming\CcxGQ.vbs

      Filesize

      180KB

      MD5

      c30c220229f3395c538e0008155881d9

      SHA1

      54920b4a6da2ef1510dd619c41fabe4f9c104a04

      SHA256

      b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

      SHA512

      45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcxGQ.vbs

      Filesize

      180KB

      MD5

      c30c220229f3395c538e0008155881d9

      SHA1

      54920b4a6da2ef1510dd619c41fabe4f9c104a04

      SHA256

      b74e920938d79ce4669f94d803d10d19c2330b458130b91b6c8f9f41720f8cfe

      SHA512

      45e7dfa45cf74617abc7a3a6d2b6d47f5548ff4ae57da60efad1a2b445848329cf379c83935f61285187b7eb6c2902c1e9b6d7d3043f0c9735349761049837f9

    • memory/4548-143-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/4548-148-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

    • memory/4548-149-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

    • memory/4548-150-0x0000000004A50000-0x0000000004A60000-memory.dmp

      Filesize

      64KB

    • memory/4548-146-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/4548-144-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

    • memory/4548-141-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB