Overview

overview

10

Static

static

3

263d8628ff...f4.exe

windows7-x64

10

263d8628ff...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    263d8628ff6e9c99318da99bb42007f4.exe

  • Size

    2.0MB

  • MD5

    263d8628ff6e9c99318da99bb42007f4

  • SHA1

    c0450285843855e54b2b5aa7ee8d1a2f524218e9

  • SHA256

    bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

  • SHA512

    93d6a334ea62a876bab4c2c904b515fae2de919f9d5813123fbf38a02e76f02f026528d8db031e01baa525edad242683a689418eab8d3f8aab489d55c45b8114

  • SSDEEP

    1536:waXjwDPE6yzTBMfT9/8n+NwRw7ySsgWNybmXfaKHFjyRcf7tZ4G5tJJmmrvf/Fco:NYPFyzTBMfw+N/Zs/N4ovsWZ93co

Score
10/10
wshrattrojan

Malware Config

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 2 IoCs
  • Blocklisted process makes network request 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\263d8628ff6e9c99318da99bb42007f4.exe
    "C:\Users\Admin\AppData\Local\Temp\263d8628ff6e9c99318da99bb42007f4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\PmdRD.vbs"
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\PmdRD.vbs"
          4⤵
          • Blocklisted process makes network request
          PID:3916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YF4PBZEL\json[1].json
    Filesize

    323B

    MD5

    149c2823b7eadbfb0a82388a2ab9494f

    SHA1

    415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

    SHA256

    06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

    SHA512

    f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\PmdRD.vbs
    Filesize

    180KB

    MD5

    9bcc1d31eae798a11b1d50f46b1de92c

    SHA1

    8bc898b80ead2433ac20eaa9936d2e40ea1db01e

    SHA256

    cc2ca06bf02d0ba8b9ec6874b734bf6a39f84d536f6bb2d7cc5e3d577697e45b

    SHA512

    b0a13f056ce07f5bf1360cb9754759c499c1560ed19c684f50774d0d6f72e0669b9e10a243185d9c31555938ae2799a09222236d960fb36f935bda266b764d6d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PmdRD.vbs
    Filesize

    180KB

    MD5

    9bcc1d31eae798a11b1d50f46b1de92c

    SHA1

    8bc898b80ead2433ac20eaa9936d2e40ea1db01e

    SHA256

    cc2ca06bf02d0ba8b9ec6874b734bf6a39f84d536f6bb2d7cc5e3d577697e45b

    SHA512

    b0a13f056ce07f5bf1360cb9754759c499c1560ed19c684f50774d0d6f72e0669b9e10a243185d9c31555938ae2799a09222236d960fb36f935bda266b764d6d

    Download Submit

  • memory/1148-0-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1148-1-0x0000000000290000-0x0000000000498000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1148-2-0x0000000002840000-0x0000000002852000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1148-5-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1644-3-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1644-6-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1644-9-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download