wshrat | fe7cb98f06f1cc388f492f98af7dddb68423afd87e431d2bb36a8a68cc0d1471

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-02-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94cedbf96e556f012c1eab9e9b82fb7f.exe
Size

951KB
MD5

94cedbf96e556f012c1eab9e9b82fb7f
SHA1

a2f162aac845998fda8f69f3a3874357994fe749
SHA256

fe7cb98f06f1cc388f492f98af7dddb68423afd87e431d2bb36a8a68cc0d1471
SHA512

9daf76cd62777d5c411479cf396fef1c9ec569cf6949e30eda3449daf6aa44b88efcbeb654fc86703fb7e015126d83c18743fbe0dc56c0d9a1708dee46f5934f
SSDEEP

24576:SLqbFG0dJ0rk90xHSPJGiyLrLYzfjNOBR3jRl6aGgKEDiQsr:NAHXUzbNMR17pS

Score

10^/10

wshrat persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012243-5.dat	family_wshrat

Blocklisted process makes network request 8 IoCs

flow	pid	Process
4	2712	wscript.exe
6	2712	wscript.exe
9	2712	wscript.exe
10	2712	wscript.exe
11	2712	wscript.exe
12	2712	wscript.exe
13	2712	wscript.exe
15	2712	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NGYgx.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NGYgx.vbs	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\NGYgx = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NGYgx.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NGYgx = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NGYgx.vbs\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2712	2300	94cedbf96e556f012c1eab9e9b82fb7f.exe	28
PID 2300 wrote to memory of 2712	2300	94cedbf96e556f012c1eab9e9b82fb7f.exe	28
PID 2300 wrote to memory of 2712	2300	94cedbf96e556f012c1eab9e9b82fb7f.exe	28

C:\Users\Admin\AppData\Local\Temp\94cedbf96e556f012c1eab9e9b82fb7f.exe
"C:\Users\Admin\AppData\Local\Temp\94cedbf96e556f012c1eab9e9b82fb7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\NGYgx.vbs
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NGYgx.vbs

Filesize
180KB

MD5
0ae1f09d92f4a783e55ea78b0c66a84e

SHA1
15b9db15e28f014360a7825bf8c955932845681d

SHA256
6285f4369da554005e93a5903a3e23b77b48c8f80e15b5b4ae3d3c8d80647bbd

SHA512
3aac6c831239d3905d19b8aca3a6aada8878f039e256f0e05cd52db47b0fd5131c06cb0b95f19425bddbe4aaa0ca3ec850d5a94e86ff2b84758eb6342b0dc600

Download Submit
memory/2300-0-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/2300-1-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-2-0x000000001B1E0000-0x000000001B260000-memory.dmp

Filesize
512KB

Download
memory/2300-3-0x000000001A9E0000-0x000000001AA6A000-memory.dmp

Filesize
552KB

Download
memory/2300-6-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads