Analysis Overview
SHA256
82a6400e6297ce6dc3f791c98291e7273ec94487172b06d553cbd89287abcc13
Threat Level: Known bad
The file 8a470899a6ebb2299b54da55ad3897d2.bin was found to be: Known bad.
Malicious Activity Summary
WSHRAT payload
Wshrat family
VMProtect packed file
Unsigned PE
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-01 01:50
Signatures
WSHRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Wshrat family
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-01 01:50
Reported
2023-08-01 01:52
Platform
win7-20230712-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe
"C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c taskkill /F /IM 7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM 7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe
Network
Files
memory/2204-53-0x0000000000F90000-0x000000000130E000-memory.dmp
memory/2204-54-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2204-55-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2204-56-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2204-57-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2204-58-0x00000000050F0000-0x0000000005130000-memory.dmp
memory/2204-59-0x0000000005130000-0x0000000005286000-memory.dmp
memory/2204-60-0x00000000050F0000-0x0000000005130000-memory.dmp
memory/2204-61-0x00000000050F0000-0x0000000005130000-memory.dmp
memory/2204-62-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2204-63-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2204-64-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2204-65-0x00000000050F0000-0x0000000005130000-memory.dmp
memory/2204-66-0x00000000050F0000-0x0000000005130000-memory.dmp
memory/2204-67-0x00000000050F0000-0x0000000005130000-memory.dmp
memory/2204-69-0x0000000074C70000-0x000000007535E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-01 01:50
Reported
2023-08-01 01:52
Platform
win10v2004-20230703-en
Max time kernel
145s
Max time network
142s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1840 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1840 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1840 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 380 wrote to memory of 348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 380 wrote to memory of 348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 380 wrote to memory of 348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe
"C:\Users\Admin\AppData\Local\Temp\7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c taskkill /F /IM 7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM 7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe
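The process tree above is a self-termination pattern: the sample spawns cmd.exe, which spawns taskkill.exe to force-kill the sample's own image name. The "wrote to memory of" rows all point from a parent into the child it just created (1840 into cmd.exe, 380 into taskkill.exe), which is the write a sandbox commonly sees during process creation itself, not an injection into an unrelated process; the SeDebugPrivilege row for taskkill.exe is likewise taskkill's own behaviour when forcing a kill. The following Python is an added triage example, not part of this report or of the sandbox's tooling: it rebuilds a process tree from constructed process-creation events (PIDs and command lines copied from behavioral2, the parent PID 1000 and the event record layout are assumptions), flags any process whose descendants run taskkill against its own image name, and labels each WriteProcessMemory pair as a child-creation write or a genuine cross-process write.

```python
"""Added triage example for a sandbox process tree (not the report's own code).
The events below are constructed to mirror behavioral2: the sample (PID 1840)
spawns cmd.exe (PID 380), which spawns taskkill.exe (PID 348) against the
sample's own image name. PID 1000 as the sample's parent is an assumption."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # command line as logged


SAMPLE_NAME = "7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313.exe"
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME

# Constructed process-creation events modelled on the report's Processes list.
EVENTS = [
    ProcEvent(1840, 1000, SAMPLE_IMAGE, f'"{SAMPLE_IMAGE}"'),
    ProcEvent(380, 1840, r"C:\Windows\SysWOW64\cmd.exe",
              f'"cmd" /c taskkill /F /IM {SAMPLE_NAME}'),
    ProcEvent(348, 380, r"C:\Windows\SysWOW64\taskkill.exe",
              f"taskkill /F /IM {SAMPLE_NAME}"),
]

# (source_pid, target_pid) pairs copied from the WriteProcessMemory rows.
WPM_EVENTS = [(1840, 380), (1840, 380), (1840, 380),
              (380, 348), (380, 348), (380, 348)]

TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b(?P<args>.*)$", re.IGNORECASE)


def taskkill_target(cmdline):
    """Return (image_name, forced) if cmdline runs taskkill /IM, else None.
    Works whether taskkill is the process itself or wrapped in cmd /c."""
    m = TASKKILL_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args").split()
    forced = any(a.upper() == "/F" for a in args)
    for i, a in enumerate(args):
        if a.upper() == "/IM" and i + 1 < len(args):
            return args[i + 1].strip('"'), forced
    return None


def ancestors(by_pid, pid):
    """Yield the ancestors of pid that are present in the event set, nearest first."""
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def find_self_kill(events):
    """PIDs of processes whose descendants run taskkill against their own image name."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        tk = taskkill_target(e.cmdline)
        if not tk:
            continue
        target, _forced = tk
        for anc in ancestors(by_pid, e.pid):
            if anc.image.rsplit("\\", 1)[-1].lower() == target.lower():
                hits.add(anc.pid)
                break
    return sorted(hits)


def classify_wpm(events, wpm):
    """Label each (source, target) write. A write into the source's own direct
    child is the write that process creation itself performs and that sandboxes
    report as WriteProcessMemory; anything else is worth a closer look."""
    by_pid = {e.pid: e for e in events}
    labels = {}
    for src, dst in wpm:
        child = by_pid.get(dst)
        labels[(src, dst)] = "child-creation" if child and child.ppid == src else "cross-process"
    return labels


if __name__ == "__main__":
    print("self-kill by:", find_self_kill(EVENTS))
    for pair, label in classify_wpm(EVENTS, WPM_EVENTS).items():
        print(pair, label)
```

On the report's events this yields PID 1840 as the self-killing process and labels all six writes as child-creation; a pair such as (1840, 348), where the sample writes into its grandchild, would come out as cross-process and is the shape an injection would take.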
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kingmummylive.com | udp |
| NL | 160.153.133.148:80 | kingmummylive.com | tcp |
| US | 8.8.8.8:53 | 148.133.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
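Most rows in this Network table are reverse (PTR) lookups of unrelated addresses, the kind of background resolution a Windows guest generates on its own; the one forward lookup, kingmummylive.com, is immediately followed by a TCP connection to 160.153.133.148:80 and then by a PTR query for that same address, which makes it the only connection worth treating as a candidate C2 from this run. The Python below is an added example, not the report's or the sandbox's own tooling: it parses a copy of the table, reverses the in-addr.arpa names back into IPs so the analyst sees what was being resolved, and joins forward lookups with later real connections. The table text is copied from the report; the helper names and the assumption that 8.8.8.8:53 is the only resolver are this example's.

```python
"""Added network-table triage example (not the report's own code). The table
text is a copy of the behavioral2 Network table; parsing and classification
logic are this example's own. Assumes 8.8.8.8:53/udp is the only resolver."""
import ipaddress

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kingmummylive.com | udp |
| NL | 160.153.133.148:80 | kingmummylive.com | tcp |
| US | 8.8.8.8:53 | 148.133.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
"""


def parse_rows(table):
    """Parse a pipe table into a list of dicts keyed by the header cells."""
    lines = [ln for ln in table.splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in lines[0].strip().strip("|").split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if all(set(c) <= set("-:") for c in cells):   # markdown separator row
            continue
        if len(cells) != len(header):
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def ptr_to_ip(name):
    """'140.32.126.40.in-addr.arpa' -> '40.126.32.140'; None if not an IPv4 PTR name.
    PTR names carry the octets in reverse order, so flip them back."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows, resolver="8.8.8.8:53"):
    """Split rows into PTR noise, forward lookups and real connections, and
    return the connections whose domain was forward-resolved (C2 candidates)."""
    ptr_ips, forward, conns = [], [], []
    for r in rows:
        dom = r["Domain"]
        if r["Destination"] == resolver and r["Proto"] == "udp":
            ip = ptr_to_ip(dom)
            if ip:
                ptr_ips.append(ip)
            else:
                forward.append(dom)
        else:
            host, port = r["Destination"].rsplit(":", 1)
            conns.append({"domain": dom, "ip": host, "port": int(port),
                          "proto": r["Proto"], "country": r["Country"]})
    candidates = [c for c in conns if c["domain"] in forward]
    return {"ptr_ips": ptr_ips, "forward_lookups": sorted(set(forward)),
            "connections": conns, "candidates": candidates}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    print("reverse-resolved IPs:", result["ptr_ips"])
    print("forward lookups:", result["forward_lookups"])
    print("C2 candidates:", result["candidates"])
```

Run against the table, the twelve PTR rows collapse to a list of resolved IPs (including 160.153.133.148 itself, queried right after the connection), one forward lookup remains, and the single candidate is kingmummylive.com at 160.153.133.148:80/tcp.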
Files
memory/1840-133-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1840-134-0x0000000000A00000-0x0000000000D7E000-memory.dmp
memory/1840-135-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1840-136-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1840-137-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1840-138-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/1840-139-0x0000000005C10000-0x0000000005CAC000-memory.dmp
memory/1840-140-0x0000000006260000-0x0000000006804000-memory.dmp
memory/1840-141-0x0000000005CB0000-0x0000000005D42000-memory.dmp
memory/1840-142-0x0000000005B80000-0x0000000005B8A000-memory.dmp
memory/1840-143-0x0000000005EA0000-0x0000000005EF6000-memory.dmp
memory/1840-144-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/1840-145-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1840-146-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1840-147-0x0000000074C20000-0x00000000753D0000-memory.dmp
memory/1840-148-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/1840-149-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/1840-150-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/1840-154-0x0000000074C20000-0x00000000753D0000-memory.dmp