wshrat | 48b52babdbbc6826bdf0824b0025bb726d9c94441eaa31cdc2fa421f861deedb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs
Size

289KB
MD5

ba07223a894931526fd69b0c2b21221d
SHA1

d7b63bb26abca39ef9c5ececa1a7bee5aa68cd15
SHA256

315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d
SHA512

49611e025ccaa2f79072b3a1ab53b7d3fce2c61602ab6dc03dcf2fe9af862bdcdc35c9a3475c8a89ce99cadc89c20495730c048bd23248d644dee54b9a252799
SSDEEP

384:d7QL+L0YoyzODjxosdoKF5vT8b8Qq6Pu7r7eOFDl7k7EDFh+2O0i99RVz8Jm0Jp1:4

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 26 IoCs

flow	pid	Process
16	1788	WScript.exe
20	1788	WScript.exe
27	1788	WScript.exe
29	1788	WScript.exe
30	1788	WScript.exe
32	1788	WScript.exe
36	1788	WScript.exe
38	1788	WScript.exe
43	1788	WScript.exe
44	1788	WScript.exe
46	1788	WScript.exe
49	1788	WScript.exe
51	1788	WScript.exe
52	1788	WScript.exe
53	1788	WScript.exe
54	1788	WScript.exe
56	1788	WScript.exe
57	1788	WScript.exe
58	1788	WScript.exe
60	1788	WScript.exe
61	1788	WScript.exe
62	1788	WScript.exe
63	1788	WScript.exe
65	1788	WScript.exe
66	1788	WScript.exe
67	1788	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\software\microsoft\windows\currentversion\run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs

Filesize
289KB

MD5
ba07223a894931526fd69b0c2b21221d

SHA1
d7b63bb26abca39ef9c5ececa1a7bee5aa68cd15

SHA256
315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d

SHA512
49611e025ccaa2f79072b3a1ab53b7d3fce2c61602ab6dc03dcf2fe9af862bdcdc35c9a3475c8a89ce99cadc89c20495730c048bd23248d644dee54b9a252799

Download Submit