wshrat | af225710834945af83a66163ffe1549d64c624d5d95f527fdd7eced708497fc4

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-05-2023 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase_Order.xls.vbs
Size

527KB
MD5

8faf36edfae1ec0e8eccd3c562c03903
SHA1

0c44c3c6291c67c4eae6e1f8238f098adaee1a32
SHA256

1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196
SHA512

a54ea5e74c1320259b23d43e2eaadf83cf0705306df6dd1ba4bd4e9d77889d04449aa5161ad33165814a8b0f7baf41567537b721a048222f655216d1efdca56b
SSDEEP

384:Lu1hvWiWMmkNULg4viK3Ai44MXziJGUSJ0Pw6qVskjhj6Zxc6Xx0f3+hFx+gItIL:cvO

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 22 IoCs

flow	pid	Process
4	1124	WScript.exe
5	1124	WScript.exe
6	1124	WScript.exe
9	1124	WScript.exe
10	1124	WScript.exe
11	1124	WScript.exe
13	1124	WScript.exe
14	1124	WScript.exe
15	1124	WScript.exe
17	1124	WScript.exe
18	1124	WScript.exe
19	1124	WScript.exe
21	1124	WScript.exe
22	1124	WScript.exe
23	1124	WScript.exe
25	1124	WScript.exe
26	1124	WScript.exe
27	1124	WScript.exe
29	1124	WScript.exe
30	1124	WScript.exe
31	1124	WScript.exe
33	1124	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase_Order.xls.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase_Order.xls.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\Purchase_Order = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Purchase_Order.xls.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase_Order = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Purchase_Order.xls.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.xls.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase_Order.xls.vbs

Filesize
527KB

MD5
8faf36edfae1ec0e8eccd3c562c03903

SHA1
0c44c3c6291c67c4eae6e1f8238f098adaee1a32

SHA256
1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196

SHA512
a54ea5e74c1320259b23d43e2eaadf83cf0705306df6dd1ba4bd4e9d77889d04449aa5161ad33165814a8b0f7baf41567537b721a048222f655216d1efdca56b

Download Submit