wshrat | d81692de8fd3c96833905542934bb5c75fcdd5408c34f1406cca410b5fe6511c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-230531AS.vbs
Size

9KB
MD5

f1d9251929145c7232d1004d6bf309c5
SHA1

f549e8742fe833551d57ef95900fb627921b8049
SHA256

d81692de8fd3c96833905542934bb5c75fcdd5408c34f1406cca410b5fe6511c
SHA512

e36be73daffafc58f790225829f7c3a717f94f8069b340f20175653d7416e2be7eda3cf39fc53c2a9b5c135d4c13aee4c3b6787bd84669c7d3c2a71e8be031cd
SSDEEP

48:0Hd230PPDakG+biHd23gPxBl2akG+biHd23g0BXXakG+bgBP30PPDakG+3p3QxBJ:0Et0R3S6G

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 28 IoCs

Processes:

WScript.exeWScript.exe

flow	pid	process
3	4580	WScript.exe
6	4580	WScript.exe
8	4580	WScript.exe
10	4580	WScript.exe
21	4252	WScript.exe
23	4252	WScript.exe
30	4252	WScript.exe
36	4252	WScript.exe
39	4252	WScript.exe
46	4252	WScript.exe
47	4252	WScript.exe
50	4252	WScript.exe
55	4252	WScript.exe
58	4252	WScript.exe
63	4252	WScript.exe
64	4252	WScript.exe
68	4252	WScript.exe
69	4252	WScript.exe
70	4252	WScript.exe
72	4252	WScript.exe
73	4252	WScript.exe
74	4252	WScript.exe
75	4252	WScript.exe
77	4252	WScript.exe
78	4252	WScript.exe
79	4252	WScript.exe
81	4252	WScript.exe
82	4252	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EKGGHK.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EKGGHK.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EKGGHK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\EKGGHK.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EKGGHK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\EKGGHK.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

WScript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	WScript.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 4580 wrote to memory of 4252	4580	WScript.exe	WScript.exe
PID 4580 wrote to memory of 4252	4580	WScript.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230531AS.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EKGGHK.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EKGGHK.vbs
Filesize
238KB

MD5
9e6396c0f6372ad9dabf49ac46c37b19

SHA1
532916ba3e0eb3e75bba96e46c10f28732f800cc

SHA256
cde3243e5d239396688c6a7bac14a6baf46e60a242fe4788c063ccb3bf0a0e49

SHA512
8fed54f8f61bf40f65689838782b59e4240f644841cf1f3667cf95789c75430c2143cc913493188d948e9c3a441251b702583380a80b9096904c91997c40a95f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EKGGHK.vbs
Filesize
238KB

MD5
9e6396c0f6372ad9dabf49ac46c37b19

SHA1
532916ba3e0eb3e75bba96e46c10f28732f800cc

SHA256
cde3243e5d239396688c6a7bac14a6baf46e60a242fe4788c063ccb3bf0a0e49

SHA512
8fed54f8f61bf40f65689838782b59e4240f644841cf1f3667cf95789c75430c2143cc913493188d948e9c3a441251b702583380a80b9096904c91997c40a95f

Download Submit