Malware Analysis Report

2024-10-19 09:24

Sample ID 230817-wtrjkabg66
Target ORDER-023816.pdf.vbs
SHA256 76ba79480eb105609ad6add997a2c26a1c27e7c0eb97760f49dc8545d8f1a7d0
Tags
wshrat persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

76ba79480eb105609ad6add997a2c26a1c27e7c0eb97760f49dc8545d8f1a7d0

Threat Level: Known bad

The file ORDER-023816.pdf.vbs was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-17 18:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-17 18:13

Reported

2023-08-17 18:15

Platform

win7-20230712-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-023816.pdf.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-023816.pdf.vbs"

Network

Country | Destination      | Domain         | Proto
US      | 8.8.8.8:53       | grapemundo.com | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-17 18:13

Reported

2023-08-17 18:16

Platform

win10v2004-20230703-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-023816.pdf.vbs"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description                   | Indicator                                                                               | Process                         | Target
File created                  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QWQJBP.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QWQJBP.vbs | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                          | Process                         | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWQJBP = "wscript.exe //B \"C:\Users\Admin\AppData\Local\Temp\QWQJBP.vbs\""                          | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWQJBP = "wscript.exe //B \"C:\Users\Admin\AppData\Local\Temp\QWQJBP.vbs\"" | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator                                                                       | Process                         | Target
Key created | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                         | Target
PID 2592 wrote to memory of 3848 | N/A       | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 2592 wrote to memory of 3848 | N/A       | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-023816.pdf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QWQJBP.vbs"

Network

Country | Destination          | Domain                          | Proto
US      | 8.8.8.8:53           | grapemundo.com                  | udp
IN      | 103.50.163.157:443   | grapemundo.com                  | tcp
US      | 8.8.8.8:53           | 8.8.8.8.in-addr.arpa            | udp
US      | 8.8.8.8:53           | 2.136.104.51.in-addr.arpa       | udp
US      | 8.8.8.8:53           | 157.163.50.103.in-addr.arpa     | udp
US      | 8.8.8.8:53           | 142.33.222.23.in-addr.arpa      | udp
US      | 8.8.8.8:53           | 162.25.221.88.in-addr.arpa      | udp
US      | 8.8.8.8:53           | 67.31.126.40.in-addr.arpa       | udp
US      | 8.8.8.8:53           | 95.221.229.192.in-addr.arpa     | udp
US      | 8.8.8.8:53           | chongmei33.publicvm.com         | udp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
US      | 8.8.8.8:53           | 122.144.47.103.in-addr.arpa     | udp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
US      | 8.8.8.8:53           | 50.23.12.20.in-addr.arpa        | udp
US      | 8.8.8.8:53           | 56.126.166.20.in-addr.arpa      | udp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
US      | 8.8.8.8:53           | 11.227.111.52.in-addr.arpa      | udp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
US      | 8.8.8.8:53           | 8.173.189.20.in-addr.arpa       | udp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp
SG      | 103.47.144.122:7045  | chongmei33.publicvm.com         | tcp

Files

C:\Users\Admin\AppData\Local\Temp\QWQJBP.vbs

MD5 d87d4c42c10f332a96aa10ffb455f49d
SHA1 c6167ce4e59f14ce826a50e8d32847101e5e9dc8
SHA256 5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a
SHA512 d01c7072b7f9e85dbc8f160f0afc17116a5ec5039a1f07a9201d517d8029acc8f31b446ccd66f832eb5ea58c3e88db88b2e442c7965e0318af32852512c3aa8a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QWQJBP.vbs

MD5 d87d4c42c10f332a96aa10ffb455f49d
SHA1 c6167ce4e59f14ce826a50e8d32847101e5e9dc8
SHA256 5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a
SHA512 d01c7072b7f9e85dbc8f160f0afc17116a5ec5039a1f07a9201d517d8029acc8f31b446ccd66f832eb5ea58c3e88db88b2e442c7965e0318af32852512c3aa8a