wshrat | 1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2023, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PurchaseOrder.xls.vbs
Size

527KB
MD5

8faf36edfae1ec0e8eccd3c562c03903
SHA1

0c44c3c6291c67c4eae6e1f8238f098adaee1a32
SHA256

1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196
SHA512

a54ea5e74c1320259b23d43e2eaadf83cf0705306df6dd1ba4bd4e9d77889d04449aa5161ad33165814a8b0f7baf41567537b721a048222f655216d1efdca56b
SSDEEP

384:Lu1hvWiWMmkNULg4viK3Ai44MXziJGUSJ0Pw6qVskjhj6Zxc6Xx0f3+hFx+gItIL:cvO

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 8 IoCs

flow	pid	Process
5	4112	WScript.exe
15	4112	WScript.exe
21	4112	WScript.exe
23	4112	WScript.exe
45	4112	WScript.exe
46	4112	WScript.exe
49	4112	WScript.exe
58	4112	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PurchaseOrder.xls.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PurchaseOrder.xls.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PurchaseOrder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PurchaseOrder.xls.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PurchaseOrder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PurchaseOrder.xls.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.xls.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PurchaseOrder.xls.vbs

Filesize
527KB

MD5
8faf36edfae1ec0e8eccd3c562c03903

SHA1
0c44c3c6291c67c4eae6e1f8238f098adaee1a32

SHA256
1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196

SHA512
a54ea5e74c1320259b23d43e2eaadf83cf0705306df6dd1ba4bd4e9d77889d04449aa5161ad33165814a8b0f7baf41567537b721a048222f655216d1efdca56b

Download Submit