Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2023 01:18
Static task
static1
Behavioral task
behavioral1
Sample
b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe
Resource
win10v2004-20230220-en
General
-
Target
b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe
-
Size
541KB
-
MD5
c159fc653a86ef3eab80e5d06b9cfa2c
-
SHA1
f95b35bcd8528dafda2b8fd53bed2bab150676e3
-
SHA256
b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b
-
SHA512
78ee8d1c957f21e6023f4c9096f63c9bc697620cfc7584bb937b4cffb792f312c8fd0cb586c0aa4f43ddf8e622042f2c85852f10018e0c5799d6dd02903ab9f2
-
SSDEEP
12288:lBXSh9d55EWf6bkHXgtQZDsfDfWXWBt9ExkUp8ZbcoahOOufKlgc+ABeaESJAzEM:7QZQz8Du4
Malware Config
Signatures
-
WSHRAT payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\lRDdN.vbs family_wshrat C:\Users\Admin\lRDdN.vbs family_wshrat C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs family_wshrat -
Blocklisted process makes network request 10 IoCs
Processes:
wscript.exewscript.exeWScript.exeflow pid process 8 4148 wscript.exe 9 4148 wscript.exe 14 4152 wscript.exe 16 4152 wscript.exe 19 1580 WScript.exe 28 1580 WScript.exe 41 1580 WScript.exe 45 1580 WScript.exe 57 1580 WScript.exe 58 1580 WScript.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exewscript.exewscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 3 IoCs
Processes:
wscript.exewscript.exeWScript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js WScript.exe -
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
wscript.exewscript.exeWScript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\"" wscript.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run wscript.exe Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\"" wscript.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BXBCC2V24Z = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.js\"" WScript.exe Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\"" wscript.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings wscript.exe -
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 9 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exewscript.exewscript.exedescription pid process target process PID 4400 wrote to memory of 4148 4400 b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe wscript.exe PID 4400 wrote to memory of 4148 4400 b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe wscript.exe PID 4400 wrote to memory of 4148 4400 b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe wscript.exe PID 4148 wrote to memory of 4152 4148 wscript.exe wscript.exe PID 4148 wrote to memory of 4152 4148 wscript.exe wscript.exe PID 4148 wrote to memory of 4152 4148 wscript.exe wscript.exe PID 4152 wrote to memory of 1580 4152 wscript.exe WScript.exe PID 4152 wrote to memory of 1580 4152 wscript.exe WScript.exe PID 4152 wrote to memory of 1580 4152 wscript.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe"C:\Users\Admin\AppData\Local\Temp\b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lRDdN.vbs"2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\lRDdN.vbs"3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\windows.js"4⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbsMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbsFilesize
185KB
MD543fca5129026c9b6b49ce26c27759df2
SHA146a4acdd5faae42e04ba753f69e6e777324ae8e9
SHA256a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
SHA512c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.jsFilesize
3KB
MD514d1d9d3dc5e8d0eac04d5b78645a2ea
SHA1aa14b5a613919e41c4d97fef48ff1a24ff06fd2b
SHA25692d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36
SHA512e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c
-
C:\Users\Admin\AppData\Roaming\lRDdN.vbsFilesize
185KB
MD543fca5129026c9b6b49ce26c27759df2
SHA146a4acdd5faae42e04ba753f69e6e777324ae8e9
SHA256a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
SHA512c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228
-
C:\Users\Admin\lRDdN.vbsFilesize
185KB
MD543fca5129026c9b6b49ce26c27759df2
SHA146a4acdd5faae42e04ba753f69e6e777324ae8e9
SHA256a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
SHA512c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228
-
C:\Users\Admin\windows.jsFilesize
3KB
MD514d1d9d3dc5e8d0eac04d5b78645a2ea
SHA1aa14b5a613919e41c4d97fef48ff1a24ff06fd2b
SHA25692d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36
SHA512e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c
-
memory/4400-133-0x0000000001510000-0x0000000001520000-memory.dmpFilesize
64KB