Analysis Overview
SHA256
7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313
Threat Level: Known bad
The file WSHRat.3.4.1.exe was found to be: Known bad.
Malicious Activity Summary
Wshrat family
WSHRAT payload
VMProtect packed file
Unsigned PE
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-07-30 20:52
Signatures
WSHRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Wshrat family
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-30 20:52
Reported
2023-07-30 20:54
Platform
win7-20230712-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2976 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2976 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2976 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2976 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2932 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2932 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2932 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2932 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c taskkill /F /IM WSHRat.3.4.1.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WSHRat.3.4.1.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | kingmummylive.com | udp |
| NL | 160.153.133.148:80 | kingmummylive.com | tcp |
Files
memory/2976-54-0x0000000000D50000-0x00000000010CE000-memory.dmp
memory/2976-55-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2976-56-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2976-57-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2976-58-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2976-59-0x0000000005350000-0x0000000005390000-memory.dmp
memory/2976-60-0x0000000005390000-0x00000000054E6000-memory.dmp
memory/2976-61-0x0000000005350000-0x0000000005390000-memory.dmp
memory/2976-62-0x0000000005350000-0x0000000005390000-memory.dmp
memory/2976-63-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2976-64-0x0000000005350000-0x0000000005390000-memory.dmp
memory/2976-65-0x0000000005350000-0x0000000005390000-memory.dmp
memory/2976-66-0x0000000005350000-0x0000000005390000-memory.dmp
memory/2976-69-0x00000000746E0000-0x0000000074DCE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-30 20:52
Reported
2023-07-30 20:54
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2740 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2740 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2740 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3976 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3976 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3976 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\WSHRat.3.4.1.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c taskkill /F /IM WSHRat.3.4.1.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM WSHRat.3.4.1.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kingmummylive.com | udp |
| NL | 160.153.133.148:80 | kingmummylive.com | tcp |
| US | 8.8.8.8:53 | 148.133.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
memory/2740-134-0x0000000000950000-0x0000000000CCE000-memory.dmp
memory/2740-133-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/2740-135-0x0000000005570000-0x0000000005571000-memory.dmp
memory/2740-136-0x0000000005570000-0x0000000005571000-memory.dmp
memory/2740-137-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-138-0x0000000005B50000-0x0000000005BEC000-memory.dmp
memory/2740-139-0x00000000061A0000-0x0000000006744000-memory.dmp
memory/2740-140-0x0000000005BF0000-0x0000000005C82000-memory.dmp
memory/2740-141-0x0000000005860000-0x000000000586A000-memory.dmp
memory/2740-142-0x0000000005E10000-0x0000000005E66000-memory.dmp
memory/2740-143-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-144-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/2740-145-0x0000000005570000-0x0000000005571000-memory.dmp
memory/2740-146-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-147-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-148-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-149-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-150-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-153-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/2740-155-0x0000000074BF0000-0x00000000753A0000-memory.dmp