wshrat | c74a818acd59f33c6ce25d4633b419c7b15ae75fe083609a673156a568fa289c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2023 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-236001.doc.js
Size

7KB
MD5

8ae3d8d8684a7a259e5d243428e279d3
SHA1

f237d2c8577581534e990c41877830e70047640f
SHA256

c74a818acd59f33c6ce25d4633b419c7b15ae75fe083609a673156a568fa289c
SHA512

569b4c43617af037f892b347e7bef019bd1dc5b79c91ec60c57d0732e87318a0612e9b1011a64cc6cf8ca487f470b51123f8e87c40c3ab658f52a4be96655e24
SSDEEP

96:3MNivAvpQLI+/P6JhKI9itBiLWPxD3K303zPY:LAvpeI8iJArvg

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

Processes:

wscript.exeWScript.exe

flow	pid	process
8	4712	wscript.exe
11	4712	wscript.exe
13	4712	wscript.exe
22	4124	WScript.exe
47	4124	WScript.exe
58	4124	WScript.exe
59	4124	WScript.exe
64	4124	WScript.exe
69	4124	WScript.exe
74	4124	WScript.exe
76	4124	WScript.exe
78	4124	WScript.exe
79	4124	WScript.exe
80	4124	WScript.exe
82	4124	WScript.exe
84	4124	WScript.exe
85	4124	WScript.exe
88	4124	WScript.exe
91	4124	WScript.exe
92	4124	WScript.exe
93	4124	WScript.exe
95	4124	WScript.exe
97	4124	WScript.exe
98	4124	WScript.exe
99	4124	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLVPRD.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLVPRD.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLVPRD = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLVPRD.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLVPRD = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZLVPRD.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 4712 wrote to memory of 4124	4712	wscript.exe	WScript.exe
PID 4712 wrote to memory of 4124	4712	wscript.exe	WScript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-236001.doc.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZLVPRD.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZLVPRD.vbs
Filesize
238KB

MD5
9e6396c0f6372ad9dabf49ac46c37b19

SHA1
532916ba3e0eb3e75bba96e46c10f28732f800cc

SHA256
cde3243e5d239396688c6a7bac14a6baf46e60a242fe4788c063ccb3bf0a0e49

SHA512
8fed54f8f61bf40f65689838782b59e4240f644841cf1f3667cf95789c75430c2143cc913493188d948e9c3a441251b702583380a80b9096904c91997c40a95f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZLVPRD.vbs
Filesize
238KB

MD5
9e6396c0f6372ad9dabf49ac46c37b19

SHA1
532916ba3e0eb3e75bba96e46c10f28732f800cc

SHA256
cde3243e5d239396688c6a7bac14a6baf46e60a242fe4788c063ccb3bf0a0e49

SHA512
8fed54f8f61bf40f65689838782b59e4240f644841cf1f3667cf95789c75430c2143cc913493188d948e9c3a441251b702583380a80b9096904c91997c40a95f

Download Submit