Overview

overview

10

Static

static

10

WSHRat.3.4.1.exe

windows10-2004-x64

7

Resubmissions

30-07-2023 23:09

230730-25hzfsbf59 10

30-07-2023 19:27

230730-x54hyabb92 10

Analysis

  • max time kernel
    39s
  • max time network
    41s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2023 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WSHRat.3.4.1.exe

  • Size

    3.5MB

  • MD5

    8a470899a6ebb2299b54da55ad3897d2

  • SHA1

    1ebafddb262fe912641e260fcf407907ca67fb74

  • SHA256

    7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313

  • SHA512

    dde4489c467d232c5b8e7930ff0991c33aa1477666984bf69559556229b5a76951015fe38993d7289acb5aa5e9661126ed1ac9878cf44a4fbf9b06e57e1275b4

  • SSDEEP

    49152:SMQyNFL4gSeOzD5rbhdU7bSVziW+Gz/6Sq5ms7Otvx2mAmMm0pFZMpTBkRdFFU2:NL4B35rbhCkiStvx2GcFZM1BOU

Score
7/10
vmprotect

Malware Config

Signatures

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c wmic csproduct get UUID
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c taskkill /F /IM WSHRat.3.4.1.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WSHRat.3.4.1.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2328-149-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-161-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-160-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-159-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-156-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-157-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-158-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-155-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-151-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-150-0x000001AA82DE0000-0x000001AA82DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4668-139-0x0000000005A80000-0x0000000005B12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4668-140-0x0000000005990000-0x000000000599A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4668-145-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4668-148-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4668-143-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4668-142-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4668-141-0x0000000005C70000-0x0000000005CC6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4668-144-0x0000000005420000-0x0000000005421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4668-133-0x0000000074510000-0x0000000074CC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4668-138-0x0000000006030000-0x00000000065D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4668-137-0x00000000059E0000-0x0000000005A7C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4668-136-0x00000000055D0000-0x00000000055E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4668-135-0x0000000005420000-0x0000000005421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4668-134-0x0000000000800000-0x0000000000B7E000-memory.dmp

    Filesize

    3.5MB

    Download