Analysis
max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
22-11-2024 21:15
Static task
static1
Behavioral task
behavioral1
Sample
62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Resource
win10v2004-20241007-en
General
Target
62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Size
1.6MB
MD5
de9603fb21ef4f79df4f0447c8a302e5
SHA1
1525867c63fa3d4de01161d5a362b429b3eba6cd
SHA256
62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645
SHA512
5d8981224ca6b51c0cfe615c1ec5a0f4aa74bc1d52654aa1b191eddd8cb6def25971b1a74052f9d9bafcd37893f23be97b2d512e0cab47413d8780e17ce1db96
SSDEEP
24576:5AOcZ1svEiDery6uC+7CzDZS7ske7Cx38CJfyESnSUA6WftHb5pO0i0buNTbeUKI:zJEiyhz1S7ZsHEcSUA6WN3O31eb6ThZx
Malware Config
Signatures
WSHRAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x003500000001659b-87.dat | family_wshrat

Wshrat family

Blocklisted process makes network request 12 IoCs
flow | pid | Process
4 | 1664 | wscript.exe
7 | 1664 | wscript.exe
9 | 752 | wscript.exe
10 | 752 | wscript.exe
12 | 1664 | wscript.exe
14 | 752 | wscript.exe
16 | 1664 | wscript.exe
17 | 752 | wscript.exe
22 | 1664 | wscript.exe
24 | 752 | wscript.exe
26 | 1664 | wscript.exe
27 | 752 | wscript.exe

Drops startup file 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | wscript.exe

Executes dropped EXE 2 IoCs
pid | Process
2564 | WHS2.0.exe
3036 | wcnaumia.pif

Loads dropped DLL 9 IoCs
pid | Process
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | ip-api.com

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3036 set thread context of 2792 | 3036 | wcnaumia.pif | 34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WHS2.0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wcnaumia.pif
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2792 | RegSvcs.exe
2792 | RegSvcs.exe
2792 | RegSvcs.exe
2792 | RegSvcs.exe

Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 2644 wrote to memory of 2564 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 30
PID 2644 wrote to memory of 2564 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 30
PID 2644 wrote to memory of 2564 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 30
PID 2644 wrote to memory of 2564 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 30
PID 2644 wrote to memory of 3036 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 31
PID 2644 wrote to memory of 3036 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 31
PID 2644 wrote to memory of 3036 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 31
PID 2644 wrote to memory of 3036 | 2644 | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe | 31
PID 2564 wrote to memory of 1664 | 2564 | WHS2.0.exe | 32
PID 2564 wrote to memory of 1664 | 2564 | WHS2.0.exe | 32
PID 2564 wrote to memory of 1664 | 2564 | WHS2.0.exe | 32
PID 2564 wrote to memory of 1664 | 2564 | WHS2.0.exe | 32
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 3036 wrote to memory of 2792 | 3036 | wcnaumia.pif | 34
PID 2792 wrote to memory of 752 | 2792 | RegSvcs.exe | 35
PID 2792 wrote to memory of 752 | 2792 | RegSvcs.exe | 35
PID 2792 wrote to memory of 752 | 2792 | RegSvcs.exe | 35
PID 2792 wrote to memory of 752 | 2792 | RegSvcs.exe | 35
Processes
Process tree (each level of indentation is one child process):

C:\Users\Admin\AppData\Local\Temp\62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644

    C:\74800197\WHS2.0.exe
      command line: "C:\74800197\WHS2.0.exe" Community portal – Bulletin board,
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2564

        C:\Windows\SysWOW64\wscript.exe
          command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
          - Blocklisted process makes network request
          - Drops startup file
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          PID:1664

    C:\74800197\wcnaumia.pif
      command line: "C:\74800197\wcnaumia.pif" fhmoqoe.prw
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3036

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID:2792

            C:\Windows\SysWOW64\wscript.exe
              command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
              - Blocklisted process makes network request
              - Drops startup file
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              PID:752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1.0MB
MD5
80eee5b692798640be0b6d0ca2f8768c
SHA1
c39d4b5b048194ef1acdecc8b7cab27e63bc0402
SHA256
9b6c1dad4b42a308e4fade72da97589161c7cc37c5d926353f216e1903ec9780
SHA512
c587cc27b96fa66a1188947b85f9f27ea61e502e21456411536f48e533377e80301a4fe82eba451d82c1d12b9c5368336d166542d44f12b990a73d10382612d8

Filesize
47KB
MD5
808bdb5b8f93f34c6d64bb48283776ec
SHA1
e3f096b0ea493885ba3e1058594c2d48d4ea89c9
SHA256
799a62dc96ba037ccec9ca7a417a4c5428454a3f52c7b4444f728d79b5f06fd7
SHA512
97582524e55fbb90185dd4e5c8eb6ea5e1a57aa5354278878786881593ef2bd85f3fba8ef6a94d89b8f9dc14c07ee85553e58fa00dd64adfe73d954f3a4af0ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\json[1].json
Filesize
291B
MD5
c085beeb6f771b90fed94c1d940f97f6
SHA1
44a994d9175d6abaa9a3b5718e242fa659aed66a
SHA256
ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51
SHA512
9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

Filesize
180KB
MD5
952b1cbd78885f81760a77dc3b453fd3
SHA1
4af75b46620b063fc23652c3ecaa3b4081074572
SHA256
fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
SHA512
1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

Filesize
527KB
MD5
40acb53d42e4b4d20a0111e6dd847606
SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2
SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73
SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Filesize
758KB
MD5
1d7071dd5cda216508b235c0e2318b05
SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2
SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996
SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118