Analysis
-
max time kernel
39s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
30-07-2023 23:09
Behavioral task
behavioral1
Sample
WSHRat.3.4.1.exe
Resource
win10v2004-20230703-en
8 signatures
1800 seconds
General
-
Target
WSHRat.3.4.1.exe
-
Size
3.5MB
-
MD5
8a470899a6ebb2299b54da55ad3897d2
-
SHA1
1ebafddb262fe912641e260fcf407907ca67fb74
-
SHA256
7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313
-
SHA512
dde4489c467d232c5b8e7930ff0991c33aa1477666984bf69559556229b5a76951015fe38993d7289acb5aa5e9661126ed1ac9878cf44a4fbf9b06e57e1275b4
-
SSDEEP
49152:SMQyNFL4gSeOzD5rbhdU7bSVziW+Gz/6Sq5ms7Otvx2mAmMm0pFZMpTBkRdFFU2:NL4B35rbhCkiStvx2GcFZM1BOU
Score
7/10
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/4668-134-0x0000000000800000-0x0000000000B7E000-memory.dmp vmprotect -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3928 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
WSHRat.3.4.1.exetaskmgr.exepid process 4668 WSHRat.3.4.1.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
WSHRat.3.4.1.exeWMIC.exetaskkill.exetaskmgr.exedescription pid process Token: SeDebugPrivilege 4668 WSHRat.3.4.1.exe Token: SeIncreaseQuotaPrivilege 2208 WMIC.exe Token: SeSecurityPrivilege 2208 WMIC.exe Token: SeTakeOwnershipPrivilege 2208 WMIC.exe Token: SeLoadDriverPrivilege 2208 WMIC.exe Token: SeSystemProfilePrivilege 2208 WMIC.exe Token: SeSystemtimePrivilege 2208 WMIC.exe Token: SeProfSingleProcessPrivilege 2208 WMIC.exe Token: SeIncBasePriorityPrivilege 2208 WMIC.exe Token: SeCreatePagefilePrivilege 2208 WMIC.exe Token: SeBackupPrivilege 2208 WMIC.exe Token: SeRestorePrivilege 2208 WMIC.exe Token: SeShutdownPrivilege 2208 WMIC.exe Token: SeDebugPrivilege 2208 WMIC.exe Token: SeSystemEnvironmentPrivilege 2208 WMIC.exe Token: SeRemoteShutdownPrivilege 2208 WMIC.exe Token: SeUndockPrivilege 2208 WMIC.exe Token: SeManageVolumePrivilege 2208 WMIC.exe Token: 33 2208 WMIC.exe Token: 34 2208 WMIC.exe Token: 35 2208 WMIC.exe Token: 36 2208 WMIC.exe Token: SeIncreaseQuotaPrivilege 2208 WMIC.exe Token: SeSecurityPrivilege 2208 WMIC.exe Token: SeTakeOwnershipPrivilege 2208 WMIC.exe Token: SeLoadDriverPrivilege 2208 WMIC.exe Token: SeSystemProfilePrivilege 2208 WMIC.exe Token: SeSystemtimePrivilege 2208 WMIC.exe Token: SeProfSingleProcessPrivilege 2208 WMIC.exe Token: SeIncBasePriorityPrivilege 2208 WMIC.exe Token: SeCreatePagefilePrivilege 2208 WMIC.exe Token: SeBackupPrivilege 2208 WMIC.exe Token: SeRestorePrivilege 2208 WMIC.exe Token: SeShutdownPrivilege 2208 WMIC.exe Token: SeDebugPrivilege 2208 WMIC.exe Token: SeSystemEnvironmentPrivilege 2208 WMIC.exe Token: SeRemoteShutdownPrivilege 2208 WMIC.exe Token: SeUndockPrivilege 2208 WMIC.exe Token: SeManageVolumePrivilege 2208 WMIC.exe Token: 33 2208 WMIC.exe Token: 34 2208 WMIC.exe Token: 35 2208 WMIC.exe Token: 36 2208 WMIC.exe Token: SeDebugPrivilege 3928 taskkill.exe Token: SeDebugPrivilege 2328 taskmgr.exe Token: SeSystemProfilePrivilege 2328 taskmgr.exe Token: SeCreateGlobalPrivilege 2328 taskmgr.exe -
Suspicious use of FindShellTrayWindow 39 IoCs
Processes:
taskmgr.exepid process 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe -
Suspicious use of SendNotifyMessage 38 IoCs
Processes:
taskmgr.exepid process 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe 2328 taskmgr.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WSHRat.3.4.1.execmd.execmd.exedescription pid process target process PID 4668 wrote to memory of 5036 4668 WSHRat.3.4.1.exe cmd.exe PID 4668 wrote to memory of 5036 4668 WSHRat.3.4.1.exe cmd.exe PID 4668 wrote to memory of 5036 4668 WSHRat.3.4.1.exe cmd.exe PID 5036 wrote to memory of 2208 5036 cmd.exe WMIC.exe PID 5036 wrote to memory of 2208 5036 cmd.exe WMIC.exe PID 5036 wrote to memory of 2208 5036 cmd.exe WMIC.exe PID 4668 wrote to memory of 3872 4668 WSHRat.3.4.1.exe cmd.exe PID 4668 wrote to memory of 3872 4668 WSHRat.3.4.1.exe cmd.exe PID 4668 wrote to memory of 3872 4668 WSHRat.3.4.1.exe cmd.exe PID 3872 wrote to memory of 3928 3872 cmd.exe taskkill.exe PID 3872 wrote to memory of 3928 3872 cmd.exe taskkill.exe PID 3872 wrote to memory of 3928 3872 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe"C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c wmic csproduct get UUID2⤵
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get UUID3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c taskkill /F /IM WSHRat.3.4.1.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM WSHRat.3.4.1.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328