Malware Analysis Report

2024-10-23 22:01

Sample ID: 230726-qv8xcaca95
Target: NA_4b88ca8115abf6400f900d9ee_JC.js
SHA256: 4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a
Tags: wshrat persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a

Threat Level: Known bad

The file NA_4b88ca8115abf6400f900d9ee_JC.js was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT payload

WSHRAT

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-26 13:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-26 13:36
Reported: 2023-07-26 13:38
Platform: win10v2004-20230703-en
Max time kernel: 12s
Max time network: 27s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\NA_4b88ca8115abf6400f900d9ee_JC.js

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDSRZR.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDSRZR.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TDSRZR = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TDSRZR.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TDSRZR = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TDSRZR.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2140 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4304 wrote to memory of 2040 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4304 wrote to memory of 2040 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 2040 wrote to memory of 2140 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2040 wrote to memory of 2140 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2040 wrote to memory of 2140 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2140 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\NA_4b88ca8115abf6400f900d9ee_JC.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TDSRZR.vbs"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | grapemundo.com | udp
IN | 103.50.163.157:443 | grapemundo.com | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.163.50.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.228.2.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.74.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | chongmei33.publicvm.com | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
SG | 103.47.144.81:7045 | chongmei33.publicvm.com | tcp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\TDSRZR.vbs

MD5 b4e275c4a325bf17b288ea6c854bd212
SHA1 ddce3daa82a4015984bce3299df5d271b1323818
SHA256 038338d42952e0223dbdd077fa5b0cc4b0fe7309767a3ee5afebbbc34325fede
SHA512 92a0d1052f0b0b38e691ef5858cdcdd29a41bdea29a91eeccd1f2c1c0eccfceeddfdd34d500c6a5be806db46d297bdc6e0a0ec81e64131bd837c28daac5ea452

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDSRZR.vbs

MD5 b4e275c4a325bf17b288ea6c854bd212
SHA1 ddce3daa82a4015984bce3299df5d271b1323818
SHA256 038338d42952e0223dbdd077fa5b0cc4b0fe7309767a3ee5afebbbc34325fede
SHA512 92a0d1052f0b0b38e691ef5858cdcdd29a41bdea29a91eeccd1f2c1c0eccfceeddfdd34d500c6a5be806db46d297bdc6e0a0ec81e64131bd837c28daac5ea452

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 fa69bac4daea669b2d78160d164e64c9
SHA1 77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f
SHA256 dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e
SHA512 ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 fa69bac4daea669b2d78160d164e64c9
SHA1 77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f
SHA256 dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e
SHA512 ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 fa69bac4daea669b2d78160d164e64c9
SHA1 77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f
SHA256 dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e
SHA512 ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

memory/2140-157-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/2140-158-0x0000000000C40000-0x0000000000CFA000-memory.dmp

memory/2140-159-0x00000000063B0000-0x0000000006954000-memory.dmp

memory/2140-161-0x0000000005E00000-0x0000000005E92000-memory.dmp

memory/2140-162-0x0000000006320000-0x0000000006332000-memory.dmp

memory/2140-163-0x0000000006A00000-0x0000000006A9C000-memory.dmp

memory/2140-164-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-165-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-169-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-167-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-171-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-173-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-175-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-177-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-179-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-181-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-183-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-185-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-187-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-189-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-193-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-191-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-195-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-197-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-199-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-201-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-203-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-205-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-207-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-209-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-211-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-213-0x0000000006340000-0x0000000006363000-memory.dmp

memory/2140-214-0x0000000006380000-0x0000000006381000-memory.dmp

memory/1540-215-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 fa69bac4daea669b2d78160d164e64c9
SHA1 77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f
SHA256 dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e
SHA512 ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

MD5 add49c9ba7072711d6da25976d348247
SHA1 754edca64e1a053a8ca357b40e8a7a4ff5fea217
SHA256 361f4c916558316756d415bd64821ef1eead2d451e5d9cc38fe533b0f56574a6
SHA512 a95f88d0ca27b69636ed9a12f5b40d0abe1568415f41c57848f251dc55a5b0dbd015f15a2ff1c7aa4bc92b98d0d9c99a4bb814f49ff2319132b552af09a533ef

memory/2140-219-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/1540-220-0x00000000750A0000-0x0000000075850000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-26 13:36
Reported: 2023-07-26 13:38
Platform: win7-20230712-en
Max time kernel: 120s
Max time network: 123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\NA_4b88ca8115abf6400f900d9ee_JC.js

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\NA_4b88ca8115abf6400f900d9ee_JC.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | grapemundo.com | udp
IN | 103.50.163.157:443 | grapemundo.com | tcp
IN | 103.50.163.157:443 | grapemundo.com | tcp
IN | 103.50.163.157:443 | grapemundo.com | tcp
IN | 103.50.163.157:443 | grapemundo.com | tcp

Files

N/A