Malware Analysis Report

2024-10-19 09:24

Sample ID 230820-nl53zsfa77
Target ORDER-230918PA.XLS.js
SHA256 fba9f9a0ff16e84ba7fc7b57850f86a1865391ac840f340f6fab233339b20919
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fba9f9a0ff16e84ba7fc7b57850f86a1865391ac840f340f6fab233339b20919

Threat Level: Known bad

The file ORDER-230918PA.XLS.js was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-20 11:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-20 11:30

Reported

2023-08-20 11:32

Platform

win7-20230712-en

Max time kernel

121s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-230918PA.XLS.js

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-230918PA.XLS.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | grapemundo.com | udp
IN | 103.50.163.157:443 | grapemundo.com | tcp
IN | 103.50.163.157:443 | grapemundo.com | tcp
IN | 103.50.163.157:443 | grapemundo.com | tcp
IN | 103.50.163.157:443 | grapemundo.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-20 11:30

Reported

2023-08-20 11:32

Platform

win10v2004-20230703-en

Max time kernel

151s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-230918PA.XLS.js

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WOAHUS.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WOAHUS.vbs | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WOAHUS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WOAHUS.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WOAHUS = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WOAHUS.vbs\"" | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4164 wrote to memory of 4800 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4164 wrote to memory of 4800 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-230918PA.XLS.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WOAHUS.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | grapemundo.com | udp
IN | 103.50.163.157:443 | grapemundo.com | tcp
US | 8.8.8.8:53 | 157.163.50.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.33.222.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | chongmei33.publicvm.com | udp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
US | 8.8.8.8:53 | 40.144.47.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.40:7045 | chongmei33.publicvm.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\WOAHUS.vbs

MD5 69ac7e038effb4a60a906bb43ccae6fb
SHA1 9bef6b5ff1bd0c6ec5e57efae80d4d303d5582a7
SHA256 61b43d95f7c0e0cb258513ef2d81d3a482b7e39f31cd039252ca05f72997d93c
SHA512 8f48438ec155af7bd6fe2213b8cd42b58407472f7988dc6ad3916c443d55fa240bbb9cf2e7e306bcaa872a51a73a6a8c5f0b36af9dd4ccbeecab81f32cd8929f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WOAHUS.vbs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e