wshrat | 4d88ae29c1596311d3af9d226e386732fcc7c201f20cfbc8bf39f2bba6ba4aae

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b.vbs
Size

9KB
MD5

b66938f8b8ab81aef4aceeea87bbe7b5
SHA1

2f140f44c2f74ecff2e24dcb0b3fbd72080e090a
SHA256

5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b
SHA512

0f449d44022e9abec453180dae1f25e06fb538359c6cc52f3eb6efafb9b339f293f733284c73ac2b793fac97aee92df01eeed524c361ac0f7c35664a97dfd0bc
SSDEEP

48:bnlrCVFFIlV2rVboysaqbwYHppKZ2I0wiin5I2c1YleGE/+:jlrCnFSmzs/3IKin5I2c1Yle9m

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
4	3304	WScript.exe
8	3304	WScript.exe
28	3304	WScript.exe
31	3304	WScript.exe
40	1900	WScript.exe
48	1900	WScript.exe
51	1900	WScript.exe
52	1900	WScript.exe
64	1900	WScript.exe
66	1900	WScript.exe
69	1900	WScript.exe
70	1900	WScript.exe
71	1900	WScript.exe
72	1900	WScript.exe
73	1900	WScript.exe
74	1900	WScript.exe
75	1900	WScript.exe
76	1900	WScript.exe
77	1900	WScript.exe
78	1900	WScript.exe
79	1900	WScript.exe
80	1900	WScript.exe
81	1900	WScript.exe
82	1900	WScript.exe
83	1900	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHMIYQ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHMIYQ.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GHMIYQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GHMIYQ.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GHMIYQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GHMIYQ.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	WScript.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 1900	3304	WScript.exe	87
PID 3304 wrote to memory of 1900	3304	WScript.exe	87

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GHMIYQ.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GHMIYQ.vbs

Filesize
238KB

MD5
9e6396c0f6372ad9dabf49ac46c37b19

SHA1
532916ba3e0eb3e75bba96e46c10f28732f800cc

SHA256
cde3243e5d239396688c6a7bac14a6baf46e60a242fe4788c063ccb3bf0a0e49

SHA512
8fed54f8f61bf40f65689838782b59e4240f644841cf1f3667cf95789c75430c2143cc913493188d948e9c3a441251b702583380a80b9096904c91997c40a95f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHMIYQ.vbs

Filesize
238KB

MD5
9e6396c0f6372ad9dabf49ac46c37b19

SHA1
532916ba3e0eb3e75bba96e46c10f28732f800cc

SHA256
cde3243e5d239396688c6a7bac14a6baf46e60a242fe4788c063ccb3bf0a0e49

SHA512
8fed54f8f61bf40f65689838782b59e4240f644841cf1f3667cf95789c75430c2143cc913493188d948e9c3a441251b702583380a80b9096904c91997c40a95f

Download Submit