wshrat | a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906

General

Target

a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe
Size

2.1MB
MD5

066dbf69cbfa16c46a2142a257c95f1d
SHA1

0300eb287c3e29642877772c348c6b683b86a305
SHA256

a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906
SHA512

c1874bf3d3c6c56168eec1b18242af7562696e9c556ab7612b4c592b78b76286ce80a44cd55222df39f4e85e27cdf19b084dfd0a24127a73615f04545925da7a
SSDEEP

49152:wkQTArh5KH1JME1y9fb95r/6LGoc30b9KJp9D06dkRNLkL+mrcTuZqy:warh5s41rL6WY6SRpO+dTuZP

Score

10^/10

wshrat trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023240-14.dat	family_wshrat
behavioral2/files/0x0002000000022616-18.dat	family_wshrat

Blocklisted process makes network request 11 IoCs

flow	pid	Process
22	8	wscript.exe
23	8	wscript.exe
24	4184	wscript.exe
25	4184	wscript.exe
28	4184	wscript.exe
29	4184	wscript.exe
47	4184	wscript.exe
62	4184	wscript.exe
73	4184	wscript.exe
74	4184	wscript.exe
78	4184	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe
2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2028	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	77
PID 2704 wrote to memory of 2028	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	77
PID 2704 wrote to memory of 2028	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	77
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 2704 wrote to memory of 1252	2704	a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe	78
PID 1252 wrote to memory of 8	1252	caspol.exe	88
PID 1252 wrote to memory of 8	1252	caspol.exe	88
PID 1252 wrote to memory of 8	1252	caspol.exe	88
PID 8 wrote to memory of 4184	8	wscript.exe	90
PID 8 wrote to memory of 4184	8	wscript.exe	90
PID 8 wrote to memory of 4184	8	wscript.exe	90

C:\Users\Admin\AppData\Local\Temp\a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a075c57c5e9ab478af53bbfa19faf2fecb404abd0d1ba953e84d347d5093f906_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  2⤵
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\vVqvy.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\vVqvy.vbs"
      4⤵
      Blocklisted process makes network request
      PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXXN8G02\json[1].json

Filesize
323B

MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vVqvy.vbs

Filesize
180KB

MD5
9bcc1d31eae798a11b1d50f46b1de92c

SHA1
8bc898b80ead2433ac20eaa9936d2e40ea1db01e

SHA256
cc2ca06bf02d0ba8b9ec6874b734bf6a39f84d536f6bb2d7cc5e3d577697e45b

SHA512
b0a13f056ce07f5bf1360cb9754759c499c1560ed19c684f50774d0d6f72e0669b9e10a243185d9c31555938ae2799a09222236d960fb36f935bda266b764d6d

Download Submit
C:\Users\Admin\AppData\Roaming\vVqvy.vbs

Filesize
180KB

MD5
9bcc1d31eae798a11b1d50f46b1de92c

SHA1
8bc898b80ead2433ac20eaa9936d2e40ea1db01e

SHA256
cc2ca06bf02d0ba8b9ec6874b734bf6a39f84d536f6bb2d7cc5e3d577697e45b

SHA512
b0a13f056ce07f5bf1360cb9754759c499c1560ed19c684f50774d0d6f72e0669b9e10a243185d9c31555938ae2799a09222236d960fb36f935bda266b764d6d

Download Submit
memory/1252-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1252-15-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/1252-11-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2704-3-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/2704-6-0x0000000002A50000-0x0000000002A5A000-memory.dmp

Filesize
40KB

Download
memory/2704-10-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2704-5-0x0000000005140000-0x000000000533A000-memory.dmp

Filesize
2.0MB

Download
memory/2704-7-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/2704-4-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/2704-2-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/2704-0-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2704-1-0x0000000005340000-0x0000000005538000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing