wshrat | bc29798c8671a3ac240a0d34e8f99003466ede8cf6902f8de9c0e9e640dd454b

General

Target

4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a.js
Size

7KB
MD5

6b57f84625e48278f611de466e10dea9
SHA1

61432ddbd911264ce613f1549ab33f9635d446dd
SHA256

4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a
SHA512

6608bff89995d80ef243bdff96c2dd9a1f29a377fdf128e819d0ffde30ef23befbe8af4ca5550692052d34223839d54d016d6a4ac6a14d3559fc36aeaff782aa
SSDEEP

96:MUf+CjnaYRApwXr7HRPNYtQH3srX2zWwPhHr/trkOHr+wc+i:O3PN

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023225-143.dat	family_wshrat
behavioral2/files/0x0007000000023226-144.dat	family_wshrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	4472	wscript.exe
8	4472	wscript.exe
10	4472	wscript.exe
29	2884	WScript.exe
31	2884	WScript.exe
34	2884	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDSRZR.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDSRZR.vbs	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
4028	svchost.exe
4812	svchost.exe
4904	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TDSRZR = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TDSRZR.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TDSRZR = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TDSRZR.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 4904	4028	svchost.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4028	svchost.exe
4028	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 2884	4472	wscript.exe	86
PID 4472 wrote to memory of 2884	4472	wscript.exe	86
PID 2884 wrote to memory of 4028	2884	WScript.exe	87
PID 2884 wrote to memory of 4028	2884	WScript.exe	87
PID 2884 wrote to memory of 4028	2884	WScript.exe	87
PID 4028 wrote to memory of 4812	4028	svchost.exe	95
PID 4028 wrote to memory of 4812	4028	svchost.exe	95
PID 4028 wrote to memory of 4812	4028	svchost.exe	95
PID 4028 wrote to memory of 4904	4028	svchost.exe	96
PID 4028 wrote to memory of 4904	4028	svchost.exe	96
PID 4028 wrote to memory of 4904	4028	svchost.exe	96
PID 4028 wrote to memory of 4904	4028	svchost.exe	96
PID 4028 wrote to memory of 4904	4028	svchost.exe	96
PID 4028 wrote to memory of 4904	4028	svchost.exe	96
PID 4028 wrote to memory of 4904	4028	svchost.exe	96
PID 4028 wrote to memory of 4904	4028	svchost.exe	96

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TDSRZR.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
add49c9ba7072711d6da25976d348247

SHA1
754edca64e1a053a8ca357b40e8a7a4ff5fea217

SHA256
361f4c916558316756d415bd64821ef1eead2d451e5d9cc38fe533b0f56574a6

SHA512
a95f88d0ca27b69636ed9a12f5b40d0abe1568415f41c57848f251dc55a5b0dbd015f15a2ff1c7aa4bc92b98d0d9c99a4bb814f49ff2319132b552af09a533ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDSRZR.vbs

Filesize
1.1MB

MD5
b4e275c4a325bf17b288ea6c854bd212

SHA1
ddce3daa82a4015984bce3299df5d271b1323818

SHA256
038338d42952e0223dbdd077fa5b0cc4b0fe7309767a3ee5afebbbc34325fede

SHA512
92a0d1052f0b0b38e691ef5858cdcdd29a41bdea29a91eeccd1f2c1c0eccfceeddfdd34d500c6a5be806db46d297bdc6e0a0ec81e64131bd837c28daac5ea452

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
721KB

MD5
fa69bac4daea669b2d78160d164e64c9

SHA1
77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f

SHA256
dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e

SHA512
ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
721KB

MD5
fa69bac4daea669b2d78160d164e64c9

SHA1
77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f

SHA256
dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e

SHA512
ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
721KB

MD5
fa69bac4daea669b2d78160d164e64c9

SHA1
77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f

SHA256
dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e

SHA512
ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
721KB

MD5
fa69bac4daea669b2d78160d164e64c9

SHA1
77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f

SHA256
dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e

SHA512
ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
721KB

MD5
fa69bac4daea669b2d78160d164e64c9

SHA1
77e7fbdba131f0cc1fbbf3d717dc38041e6ad84f

SHA256
dcea423e04900e53f42a70574841d10cb7b3cd168d64d92a58da864079dc394e

SHA512
ddf7f040d0d8a3f98dee9591220bd208b83b0f2aa3fd4b783446c72e8d07a73a2826964a98b512f41796f2d2cc11b4ce18df0c989a45f60bfbbacdc60ea14b45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDSRZR.vbs

Filesize
1.1MB

MD5
b4e275c4a325bf17b288ea6c854bd212

SHA1
ddce3daa82a4015984bce3299df5d271b1323818

SHA256
038338d42952e0223dbdd077fa5b0cc4b0fe7309767a3ee5afebbbc34325fede

SHA512
92a0d1052f0b0b38e691ef5858cdcdd29a41bdea29a91eeccd1f2c1c0eccfceeddfdd34d500c6a5be806db46d297bdc6e0a0ec81e64131bd837c28daac5ea452

Download Submit
memory/4028-182-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-193-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-163-0x0000000006160000-0x00000000061FC000-memory.dmp

Filesize
624KB

Download
memory/4028-165-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-166-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-168-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-174-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-172-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-170-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-176-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-178-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-180-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-186-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-184-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-161-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/4028-189-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-191-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-162-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/4028-195-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-197-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-199-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-201-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-203-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-205-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-207-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-213-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-211-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-209-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-215-0x0000000005AD0000-0x0000000005AF3000-memory.dmp

Filesize
140KB

Download
memory/4028-216-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/4028-159-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/4028-223-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4028-157-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4028-158-0x00000000003C0000-0x000000000047A000-memory.dmp

Filesize
744KB

Download
memory/4904-218-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-222-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads