Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    18-07-2023 09:50

General

  • Target

    bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29.exe

  • Size

    528KB

  • MD5

    dcc686cb21dfa32e9de87a6d8e7456fb

  • SHA1

    00d1b251532dcb72ac2053df95342402f5694478

  • SHA256

    bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29

  • SHA512

    a39320b0c28581ac7fd37ccdd11ed00143ef421d397bde698a5cfd9955ff0ca2153a73bb69b001699db23c19cd9fd941007e9234a13ee510f67a9ccd602d24f3

  • SSDEEP

    12288:aFqCpVo8XtPVn4LWXzm+gBuISj4ttT/SLs7jzG01s6siESyHQT58SkErYGELLyQl:8pC+b6Ewb/3

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • WSHRAT payload (2 IoCs)
  • Blocklisted process makes network request (20 IoCs)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent (1 IoC)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29.exe
    "C:\Users\Admin\AppData\Local\Temp\bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2924

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KFR0RUGG\json[1].json

    Filesize

    323B

    MD5

    149c2823b7eadbfb0a82388a2ab9494f

    SHA1

    415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

    SHA256

    06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

    SHA512

    f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs

    Filesize

    180KB

    MD5

    c437bda2e3045d21e7300dd3bb844cbb

    SHA1

    89fda9b463529b2309b8e1bd859f0cdeb2a8203f

    SHA256

    418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa

    SHA512

    d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

  • C:\Users\Admin\AppData\Roaming\XcJBL.vbs

    Filesize

    180KB

    MD5

    c437bda2e3045d21e7300dd3bb844cbb

    SHA1

    89fda9b463529b2309b8e1bd859f0cdeb2a8203f

    SHA256

    418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa

    SHA512

    d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

  • memory/4404-122-0x0000000000C20000-0x0000000000CAA000-memory.dmp

    Filesize

    552KB

  • memory/4404-123-0x0000000074010000-0x00000000746FE000-memory.dmp

    Filesize

    6.9MB

  • memory/4404-127-0x0000000074010000-0x00000000746FE000-memory.dmp

    Filesize

    6.9MB