Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20231215-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    30-12-2023 15:20

General

  • Target

    38bd5894a8e1c294b4ea9f3809a1bb7d987af8db390063603c2fca96df2a77bf.vbs

  • Size

    254KB

  • MD5

    bfb4e820b764be9c6ca3a7be5afdc124

  • SHA1

    21e8d148050fa80830ee64cbf99d67292a21fabc

  • SHA256

    38bd5894a8e1c294b4ea9f3809a1bb7d987af8db390063603c2fca96df2a77bf

  • SHA512

    506a151144d5323156066d1a746bd3d9e14b99a170d1e89d9424a5a98dd05a794ab0aa32766b073f58ad866716ef25972b3a44a9d56fad80003c0abf13ced27f

  • SSDEEP

    6144:ywKmqM4d6gb5mjTS8EoL36Uc2TEspbmWVX7FilDCtzQbxkGsg5:QdeTSWdI8mWVM+OGHs

Malware Config

Extracted

Family

wshrat

C2

http://poseidon99.duckdns.org:4758

Signatures

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38bd5894a8e1c294b4ea9f3809a1bb7d987af8db390063603c2fca96df2a77bf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\skbgbpTewK.vbs"
      2⤵
      PID:1400
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    PID:5040
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    PID:2260
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1452
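The signatures in this report describe behaviours rather than strings, so the practical way to reuse it is as detection logic over endpoint telemetry. The Python below is an added example, not code from the report or from the sandbox vendor. It runs four rules over constructed Sysmon-style events modelled on the process tree above (a script host launched on a file under a user-writable path, with //B quiet mode; a Run key whose value points at a script; a disk-enumeration registry read; a connection to a dynamic-DNS host) and then keeps only hits that belong to the wscript.exe process chain. The event field names, the registry paths in SCSI_KEYS, the DYNDNS_SUFFIXES list and the Run key value are assumptions. The attribution step is the point worth noticing: in the report the SCSI registry check fired on taskmgr.exe (PID 1452), which is not a descendant of the script host, so a rule that ignores process lineage would count it as part of the infection.

```python
"""Detection rules for the behaviours listed in the sandbox report above.

Added example; not code from the report or the sandbox vendor. Event field
names, the paths in SCSI_KEYS and the DYNDNS_SUFFIXES list are assumptions.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# Paths an unprivileged user can write to; the report shows Local\Temp and Roaming.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumption: disk-enumeration keys commonly read to fingerprint a sandbox.
SCSI_KEYS = re.compile(r"\\Services\\Disk\\Enum|\\Enum\\(IDE|SCSI)\\", re.IGNORECASE)
# Assumption: partial list of dynamic-DNS providers; the report's C2 is on duckdns.org.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

# Constructed Sysmon-style events modelled on the process tree and signatures above.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1656, "ppid": 4000,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38bd5894a8e1c294b4ea9f3809a1bb7d987af8db390063603c2fca96df2a77bf.vbs"'},
    {"type": "process", "pid": 1400, "ppid": 1656,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\skbgbpTewK.vbs"'},
    {"type": "registry_set", "pid": 1656,  # value is an assumption, not from the report
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\skbgbpTewK",
     "value": r'"C:\Users\Admin\AppData\Roaming\skbgbpTewK.vbs"'},
    {"type": "network", "pid": 1400, "host": "poseidon99.duckdns.org", "port": 4758},
    {"type": "process", "pid": 1452, "ppid": 4000,
     "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /7'},
    {"type": "registry_read", "pid": 1452,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host(ev):
    """Script host run on a .vbs/.js under AppData; '//B' suppresses error dialogs."""
    if ev.get("type") != "process" or basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev["cmdline"]
    if not (SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd)):
        return None
    quiet = re.search(r"\s//b\s", cmd, re.IGNORECASE) is not None
    return "script_host_user_path" + ("_quiet" if quiet else "")


def rule_run_key(ev):
    """Run/RunOnce value that launches a script file or a script host."""
    if ev.get("type") != "registry_set" or not RUN_KEY.search(ev["key"]):
        return None
    value = ev.get("value", "")
    if SCRIPT_EXT.search(value) or re.search(r"[wc]script\.exe", value, re.IGNORECASE):
        return "run_key_script"
    return None


def rule_scsi_read(ev):
    if ev.get("type") == "registry_read" and SCSI_KEYS.search(ev["key"]):
        return "disk_enum_read"
    return None


def rule_dyndns(ev):
    if ev.get("type") == "network" and ev.get("host", "").lower().endswith(DYNDNS_SUFFIXES):
        return "dyndns_connection"
    return None


RULES = (rule_script_host, rule_run_key, rule_scsi_read, rule_dyndns)


def triage(events):
    """Return {pid: sorted rule names} for every process that tripped a rule."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits[ev["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def link_to_script_host(events, hits):
    """Keep hits on processes that are, or descend from, a flagged script host.

    The disk_enum_read on taskmgr.exe (PID 1452) drops out here because its
    parent chain never reaches wscript.exe.
    """
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev.get("type") == "process"}
    script_pids = {pid for pid, names in hits.items()
                   if any(n.startswith("script_host_user_path") for n in names)}

    def in_script_chain(pid):
        seen = set()
        while pid not in seen:
            if pid in script_pids:
                return True
            seen.add(pid)
            if pid not in parent:
                return False
            pid = parent[pid]
        return False

    return {pid: names for pid, names in hits.items() if in_script_chain(pid)}


if __name__ == "__main__":
    raw = triage(SAMPLE_EVENTS)
    print("all hits:      ", raw)
    print("script chain:  ", link_to_script_host(SAMPLE_EVENTS, raw))
```

The rules deliberately key on behaviour that survives renaming the dropped file: the Roaming path plus the script host, the Run key pointing at a script, and the dynamic-DNS destination, rather than the skbgbpTewK.vbs name or the hashes, which change per sample.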

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\json[1].json

    Filesize

    313B

    MD5

    bee55e52500f967c3d9402e05dd57f65

    SHA1

    d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

    SHA256

    b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

    SHA512

    b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

  • C:\Users\Admin\AppData\Roaming\skbgbpTewK.vbs

    Filesize

    6KB

    MD5

    66121bf8c5e18b7814b69a483f7b126f

    SHA1

    382910b59dd360c5e394a27717f7fcee6c10ef59

    SHA256

    41677f6a37375aa6a7abb978d9c017132aec64e8fb989096ccaf40a314e1e019

    SHA512

    7a46ef5590caf7970451d49028d3294034c90c297feeff2ea99d5311cdaf81bc92de080469fcb8fdd3c08001f9dbd222260b8764bf68d1013cf1e35b10253255