wshrat | d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1_JC.js
Size

7KB
MD5

4e0ea5c5808c3d0cf7006eb0ef347c4b
SHA1

80f8f2d5b7caf2f13b1edd764e56f46930754edc
SHA256

d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1
SHA512

40745410c37e8cf392c59ca9c8d04779c96624eefe7b8f90f3876f8c54c60518a622db9553b0420f77b34582a586ec68b664089f909e37043a11c0d9734a44d4
SSDEEP

48:iVnz7HAx3ZSGwW6PnWe28gR7osdSrwyNNgnw5:itfHAx3ZzwWKWTnR7o8SrwqNgnw5

Score

10^/10

wshrat xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.1

lee44.kozow.com:4548

Mutex

Nkk86vl4S3wOFCBy

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4560-60-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 28 IoCs

flow	pid	Process
2	4900	wscript.exe
12	4900	wscript.exe
16	4900	wscript.exe
18	4900	wscript.exe
51	1688	WScript.exe
53	1688	WScript.exe
56	1688	WScript.exe
62	1688	WScript.exe
66	1688	WScript.exe
80	1688	WScript.exe
92	1688	WScript.exe
93	1688	WScript.exe
94	1688	WScript.exe
95	1688	WScript.exe
101	1688	WScript.exe
103	1688	WScript.exe
104	1688	WScript.exe
106	1688	WScript.exe
107	1688	WScript.exe
108	1688	WScript.exe
109	1688	WScript.exe
110	1688	WScript.exe
111	1688	WScript.exe
112	1688	WScript.exe
113	1688	WScript.exe
114	1688	WScript.exe
115	1688	WScript.exe
120	1688	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GJNDHQ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GJNDHQ.vbs	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	VlEV.exe
4560	VlEV.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GJNDHQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GJNDHQ.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GJNDHQ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GJNDHQ.vbs\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 4560	3064	VlEV.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5056	Powershell.exe
5056	Powershell.exe
5056	Powershell.exe
4560	VlEV.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	Powershell.exe
Token: SeDebugPrivilege	4560	VlEV.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4560	VlEV.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1688	4900	wscript.exe	87
PID 4900 wrote to memory of 1688	4900	wscript.exe	87
PID 1688 wrote to memory of 3604	1688	WScript.exe	89
PID 1688 wrote to memory of 3604	1688	WScript.exe	89
PID 3604 wrote to memory of 3064	3604	WScript.exe	90
PID 3604 wrote to memory of 3064	3604	WScript.exe	90
PID 3604 wrote to memory of 3064	3604	WScript.exe	90
PID 3064 wrote to memory of 5056	3064	VlEV.exe	98
PID 3064 wrote to memory of 5056	3064	VlEV.exe	98
PID 3064 wrote to memory of 5056	3064	VlEV.exe	98
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100
PID 3064 wrote to memory of 4560	3064	VlEV.exe	100

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1_JC.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GJNDHQ.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zp.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\VlEV.exe
      "C:\Users\Admin\AppData\Local\Temp\VlEV.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -ExecutionPolicy Bypass -command xHpF2m2TxzO3qr4FIuPswPaRZvbKhAgsHoUgVc5c1AMOAI4xiJqOjlkD3YO/6qULkSENmFl3GsolqcGGkZrBbaRXVu7YY+n3wiyv8wS+UHUpwhx/IX6ZerqvTzuOLuRdO08npei7HwfH2wKRuaecB8P/FVecfW9FoWjF1A6O/68O0qK192cnIhUcctWjx/GW8ULXo/Un0WwvyWYxGKqhFtUjf6hQETjLzO/F68/W3GXggNfn4E0tbsHcWJ4Qs9QeauMywyAB+V1+9Uw+hcoLBpcocrYAhSqf6iaaMKaTanR4JlGBlD4IjJQmV1gvQRYmjDXbZawN8IgwRgaI+xcKtFjiFVvuA6CawFF5jzi4mENimIA39OD54y/zMb7idEh4oTy+f+VDOiQ16HbDvRyX1gv6ar2K+vNdRpiEk+FL75Dwi1y2R1DSLLrnXH75cn9Sxxkx16fkjltmZNwZYnnZc0VCbJz5PE8snBKcKUEemoAvDwcgj8rVX1tuhqqeYXrhP1hn6oaUpa8dLV9GkxPvUPm2U2PxYjlaVQk75pkxpaspctI89cBy4lXgWn0XYPaK1+WjxY5j1F5jeSb75FxuowoTWUXfk8j1s2KbANCsBuN3nd5227aIGAKGm+1kHAm/4MePOuLnj7mVqVrGuW9smZZvnluk2n2p0v6RGPmD818= 'C:\Users\Admin\AppData\Local\Temp\VlEV.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\VlEV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VlEV.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VlEV.exe.log

Filesize
706B

MD5
2ef5ef69dadb8865b3d5b58c956077b8

SHA1
af2d869bac00685c745652bbd8b3fe82829a8998

SHA256
363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

SHA512
66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBSMWSRL\json[1].json

Filesize
323B

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJNDHQ.vbs

Filesize
2.6MB

MD5
c5a5637d692b2ef0f06a8b57f41d0f0a

SHA1
0077d8e713abbc0f47e94857567f5ea7ebb4d8d4

SHA256
d037c52f63feb4d4e96ace8ec2f8d36dee6c43fd5f7d0ceca2d4efe45e739c28

SHA512
6b0675dbc433d91445b21778e3f2a5c5fd71ac1995e4cc460958e5a35aea847d5da8cc59fab4cdb71c0d08e567ba76c78100b6afe13c9beb2528f74de2ec96ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlEV.exe

Filesize
120KB

MD5
e08df9eff829b60e6fe3196c85b094e3

SHA1
c2ae21853133920d07755740a8af412aff081ea7

SHA256
6915ff9df9d3988134f92fabb72abeaf33fa83e59e46974fa012670714cd705a

SHA512
1287f4be949ad64b5766f754c18e55fa95dc77800e392f332b76ce3e1e60552f6e7cfadc092d0c99fe4b3a94d69747b07b6e411f4a8f87572ab24d8ba659c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzhmuxoc.tyi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zp.js

Filesize
182KB

MD5
02a840b65fcdc37ed123d7c9b10b49cf

SHA1
15a7880d6818cd508eb5d95ff2bf5f63e7b5e585

SHA256
9c008420b02c88a8178e47e3749ee1a07de49b9876ab54ce044413e493fa7c07

SHA512
a1e6150934eae914f1e43c8b432174b485996587022df9002c43eb754aef421bfccd5dc49bdc8ecb85bde925a08495bf8254cf9ca8ba477ffa3fd0cdd75fba1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GJNDHQ.vbs

Filesize
2.6MB

MD5
c5a5637d692b2ef0f06a8b57f41d0f0a

SHA1
0077d8e713abbc0f47e94857567f5ea7ebb4d8d4

SHA256
d037c52f63feb4d4e96ace8ec2f8d36dee6c43fd5f7d0ceca2d4efe45e739c28

SHA512
6b0675dbc433d91445b21778e3f2a5c5fd71ac1995e4cc460958e5a35aea847d5da8cc59fab4cdb71c0d08e567ba76c78100b6afe13c9beb2528f74de2ec96ca

Download Submit
memory/3064-59-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/3064-33-0x00000000029B0000-0x00000000029D0000-memory.dmp

Filesize
128KB

Download
memory/3064-36-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3064-39-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/3064-40-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/3064-44-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3064-35-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/3064-34-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/3064-30-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/3064-65-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/3064-31-0x00000000003E0000-0x0000000000404000-memory.dmp

Filesize
144KB

Download
memory/4560-85-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4560-106-0x0000000007F20000-0x0000000007F50000-memory.dmp

Filesize
192KB

Download
memory/4560-105-0x0000000007DB0000-0x0000000007F1E000-memory.dmp

Filesize
1.4MB

Download
memory/4560-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4560-107-0x0000000007F50000-0x0000000007FDC000-memory.dmp

Filesize
560KB

Download
memory/4560-108-0x0000000007FF0000-0x0000000008054000-memory.dmp

Filesize
400KB

Download
memory/4560-109-0x0000000008060000-0x00000000083B4000-memory.dmp

Filesize
3.3MB

Download
memory/4560-64-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4560-102-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4560-110-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4560-87-0x00000000061F0000-0x00000000061FA000-memory.dmp

Filesize
40KB

Download
memory/5056-66-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/5056-71-0x0000000006630000-0x0000000006662000-memory.dmp

Filesize
200KB

Download
memory/5056-72-0x0000000075580000-0x00000000755CC000-memory.dmp

Filesize
304KB

Download
memory/5056-82-0x0000000007030000-0x000000000704E000-memory.dmp

Filesize
120KB

Download
memory/5056-83-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/5056-84-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/5056-70-0x000000007F210000-0x000000007F220000-memory.dmp

Filesize
64KB

Download
memory/5056-86-0x0000000007050000-0x00000000070F3000-memory.dmp

Filesize
652KB

Download
memory/5056-67-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/5056-88-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/5056-89-0x0000000007380000-0x000000000739A000-memory.dmp

Filesize
104KB

Download
memory/5056-90-0x00000000073F0000-0x00000000073FA000-memory.dmp

Filesize
40KB

Download
memory/5056-91-0x0000000007600000-0x0000000007696000-memory.dmp

Filesize
600KB

Download
memory/5056-92-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/5056-93-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/5056-94-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/5056-95-0x00000000075B0000-0x00000000075BE000-memory.dmp

Filesize
56KB

Download
memory/5056-96-0x00000000075C0000-0x00000000075D4000-memory.dmp

Filesize
80KB

Download
memory/5056-97-0x00000000076C0000-0x00000000076DA000-memory.dmp

Filesize
104KB

Download
memory/5056-98-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/5056-101-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/5056-54-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/5056-48-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/5056-47-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/5056-46-0x00000000050B0000-0x00000000050D2000-memory.dmp

Filesize
136KB

Download
memory/5056-45-0x00000000051C0000-0x00000000057E8000-memory.dmp

Filesize
6.2MB

Download
memory/5056-43-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/5056-42-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/5056-41-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download