wshrat | d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cash_Transfer_REF#23284449-9374647.js
Size

7KB
MD5

4e0ea5c5808c3d0cf7006eb0ef347c4b
SHA1

80f8f2d5b7caf2f13b1edd764e56f46930754edc
SHA256

d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1
SHA512

40745410c37e8cf392c59ca9c8d04779c96624eefe7b8f90f3876f8c54c60518a622db9553b0420f77b34582a586ec68b664089f909e37043a11c0d9734a44d4
SSDEEP

48:iVnz7HAx3ZSGwW6PnWe28gR7osdSrwyNNgnw5:itfHAx3ZzwWKWTnR7o8SrwqNgnw5

Score

10^/10

wshrat xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

lee44.kozow.com:4548

Mutex

Nkk86vl4S3wOFCBy

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4256-60-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 17 IoCs

flow	pid	Process
3	2480	wscript.exe
9	2480	wscript.exe
12	2480	wscript.exe
95	2504	WScript.exe
97	2504	WScript.exe
106	2504	WScript.exe
114	2504	WScript.exe
134	2504	WScript.exe
149	2504	WScript.exe
152	2504	WScript.exe
155	2504	WScript.exe
160	2504	WScript.exe
164	2504	WScript.exe
175	2504	WScript.exe
176	2504	WScript.exe
177	2504	WScript.exe
178	2504	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GJNDHQ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GJNDHQ.vbs	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3468	VlEV.exe
4256	VlEV.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GJNDHQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GJNDHQ.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GJNDHQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GJNDHQ.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 4256	3468	VlEV.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3980	Powershell.exe
3980	Powershell.exe
3980	Powershell.exe
4256	VlEV.exe
4256	VlEV.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	Powershell.exe
Token: SeDebugPrivilege	4256	VlEV.exe
Token: SeManageVolumePrivilege	4756	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4256	VlEV.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2504	2480	wscript.exe	97
PID 2480 wrote to memory of 2504	2480	wscript.exe	97
PID 2504 wrote to memory of 1344	2504	WScript.exe	98
PID 2504 wrote to memory of 1344	2504	WScript.exe	98
PID 1344 wrote to memory of 3468	1344	WScript.exe	99
PID 1344 wrote to memory of 3468	1344	WScript.exe	99
PID 1344 wrote to memory of 3468	1344	WScript.exe	99
PID 3468 wrote to memory of 3980	3468	VlEV.exe	101
PID 3468 wrote to memory of 3980	3468	VlEV.exe	101
PID 3468 wrote to memory of 3980	3468	VlEV.exe	101
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103
PID 3468 wrote to memory of 4256	3468	VlEV.exe	103

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Cash_Transfer_REF#23284449-9374647.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GJNDHQ.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zp.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\VlEV.exe
      "C:\Users\Admin\AppData\Local\Temp\VlEV.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\Admin\AppData\Local\Temp\VlEV.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\VlEV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VlEV.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4256

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VlEV.exe.log

Filesize
706B

MD5
2ef5ef69dadb8865b3d5b58c956077b8

SHA1
af2d869bac00685c745652bbd8b3fe82829a8998

SHA256
363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

SHA512
66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\json[1].json

Filesize
323B

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJNDHQ.vbs

Filesize
2.6MB

MD5
c5a5637d692b2ef0f06a8b57f41d0f0a

SHA1
0077d8e713abbc0f47e94857567f5ea7ebb4d8d4

SHA256
d037c52f63feb4d4e96ace8ec2f8d36dee6c43fd5f7d0ceca2d4efe45e739c28

SHA512
6b0675dbc433d91445b21778e3f2a5c5fd71ac1995e4cc460958e5a35aea847d5da8cc59fab4cdb71c0d08e567ba76c78100b6afe13c9beb2528f74de2ec96ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mky0mmkz.mfr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zp.js

Filesize
182KB

MD5
02a840b65fcdc37ed123d7c9b10b49cf

SHA1
15a7880d6818cd508eb5d95ff2bf5f63e7b5e585

SHA256
9c008420b02c88a8178e47e3749ee1a07de49b9876ab54ce044413e493fa7c07

SHA512
a1e6150934eae914f1e43c8b432174b485996587022df9002c43eb754aef421bfccd5dc49bdc8ecb85bde925a08495bf8254cf9ca8ba477ffa3fd0cdd75fba1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GJNDHQ.vbs

Filesize
2.6MB

MD5
c5a5637d692b2ef0f06a8b57f41d0f0a

SHA1
0077d8e713abbc0f47e94857567f5ea7ebb4d8d4

SHA256
d037c52f63feb4d4e96ace8ec2f8d36dee6c43fd5f7d0ceca2d4efe45e739c28

SHA512
6b0675dbc433d91445b21778e3f2a5c5fd71ac1995e4cc460958e5a35aea847d5da8cc59fab4cdb71c0d08e567ba76c78100b6afe13c9beb2528f74de2ec96ca

Download Submit
memory/3468-33-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/3468-34-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3468-37-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/3468-31-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/3468-30-0x00000000052C0000-0x00000000052E0000-memory.dmp

Filesize
128KB

Download
memory/3468-64-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3468-41-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3468-29-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3468-28-0x0000000000920000-0x0000000000944000-memory.dmp

Filesize
144KB

Download
memory/3468-59-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/3468-56-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3980-39-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3980-96-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3980-45-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/3980-57-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/3980-58-0x0000000006080000-0x00000000060CC000-memory.dmp

Filesize
304KB

Download
memory/3980-44-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3980-38-0x0000000004AD0000-0x0000000004B06000-memory.dmp

Filesize
216KB

Download
memory/3980-43-0x0000000004F60000-0x0000000004F82000-memory.dmp

Filesize
136KB

Download
memory/3980-42-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/3980-40-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3980-55-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/3980-66-0x000000007FA10000-0x000000007FA20000-memory.dmp

Filesize
64KB

Download
memory/3980-67-0x0000000006630000-0x0000000006662000-memory.dmp

Filesize
200KB

Download
memory/3980-68-0x00000000701C0000-0x000000007020C000-memory.dmp

Filesize
304KB

Download
memory/3980-78-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/3980-79-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3980-80-0x00000000072E0000-0x0000000007383000-memory.dmp

Filesize
652KB

Download
memory/3980-81-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/3980-82-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/3980-83-0x00000000073E0000-0x00000000073EA000-memory.dmp

Filesize
40KB

Download
memory/3980-84-0x00000000075F0000-0x0000000007686000-memory.dmp

Filesize
600KB

Download
memory/3980-93-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/3980-92-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/3980-87-0x0000000007570000-0x0000000007581000-memory.dmp

Filesize
68KB

Download
memory/3980-90-0x00000000075A0000-0x00000000075AE000-memory.dmp

Filesize
56KB

Download
memory/3980-91-0x00000000075B0000-0x00000000075C4000-memory.dmp

Filesize
80KB

Download
memory/4256-103-0x0000000007210000-0x000000000737E000-memory.dmp

Filesize
1.4MB

Download
memory/4256-85-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/4256-65-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4256-97-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4256-100-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/4256-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4256-86-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

Filesize
40KB

Download
memory/4256-104-0x0000000007400000-0x0000000007430000-memory.dmp

Filesize
192KB

Download
memory/4756-125-0x000002A5E7A40000-0x000002A5E7A50000-memory.dmp

Filesize
64KB

Download
memory/4756-141-0x000002A5EFDB0000-0x000002A5EFDB1000-memory.dmp

Filesize
4KB

Download
memory/4756-143-0x000002A5EFDE0000-0x000002A5EFDE1000-memory.dmp

Filesize
4KB

Download
memory/4756-144-0x000002A5EFDE0000-0x000002A5EFDE1000-memory.dmp

Filesize
4KB

Download
memory/4756-145-0x000002A5EFEF0000-0x000002A5EFEF1000-memory.dmp

Filesize
4KB

Download