wshrat | 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645

General

Target

62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Size

1.6MB
MD5

de9603fb21ef4f79df4f0447c8a302e5
SHA1

1525867c63fa3d4de01161d5a362b429b3eba6cd
SHA256

62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645
SHA512

5d8981224ca6b51c0cfe615c1ec5a0f4aa74bc1d52654aa1b191eddd8cb6def25971b1a74052f9d9bafcd37893f23be97b2d512e0cab47413d8780e17ce1db96
SSDEEP

24576:5AOcZ1svEiDery6uC+7CzDZS7ske7Cx38CJfyESnSUA6WftHb5pO0i0buNTbeUKI:zJEiyhz1S7ZsHEcSUA6WN3O31eb6ThZx

Score

10^/10

wshrat discovery persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cae-75.dat	family_wshrat

Wshrat family
wshrat

Blocklisted process makes network request 12 IoCs

flow	pid	Process
9	2004	wscript.exe
13	2004	wscript.exe
19	2512	wscript.exe
20	2512	wscript.exe
25	2004	wscript.exe
31	2512	wscript.exe
40	2004	wscript.exe
41	2512	wscript.exe
45	2004	wscript.exe
46	2512	wscript.exe
53	2004	wscript.exe
54	2512	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WHS2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
8	WHS2.0.exe
3556	wcnaumia.pif

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3556 set thread context of 1672	3556	wcnaumia.pif	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WHS2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcnaumia.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1672	RegSvcs.exe
1672	RegSvcs.exe
1672	RegSvcs.exe
1672	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 8	4224	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe	82
PID 4224 wrote to memory of 8	4224	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe	82
PID 4224 wrote to memory of 8	4224	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe	82
PID 4224 wrote to memory of 3556	4224	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe	84
PID 4224 wrote to memory of 3556	4224	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe	84
PID 4224 wrote to memory of 3556	4224	62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe	84
PID 8 wrote to memory of 2004	8	WHS2.0.exe	85
PID 8 wrote to memory of 2004	8	WHS2.0.exe	85
PID 8 wrote to memory of 2004	8	WHS2.0.exe	85
PID 3556 wrote to memory of 1672	3556	wcnaumia.pif	87
PID 3556 wrote to memory of 1672	3556	wcnaumia.pif	87
PID 3556 wrote to memory of 1672	3556	wcnaumia.pif	87
PID 3556 wrote to memory of 1672	3556	wcnaumia.pif	87
PID 3556 wrote to memory of 1672	3556	wcnaumia.pif	87
PID 1672 wrote to memory of 2512	1672	RegSvcs.exe	88
PID 1672 wrote to memory of 2512	1672	RegSvcs.exe	88
PID 1672 wrote to memory of 2512	1672	RegSvcs.exe	88

C:\Users\Admin\AppData\Local\Temp\62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
"C:\Users\Admin\AppData\Local\Temp\62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224
- C:\74800197\WHS2.0.exe
  "C:\74800197\WHS2.0.exe" Community portal â€“ Bulletin board,
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\74800197\wcnaumia.pif
  "C:\74800197\wcnaumia.pif" fhmoqoe.prw
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\74800197\WHS2.0.exe

Filesize
527KB

MD5
40acb53d42e4b4d20a0111e6dd847606

SHA1
d010be1ba9ceea60098bebbfee425c0cda66b9a2

SHA256
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73

SHA512
a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d

Download Submit
C:\74800197\envmhh.cos

Filesize
1.0MB

MD5
80eee5b692798640be0b6d0ca2f8768c

SHA1
c39d4b5b048194ef1acdecc8b7cab27e63bc0402

SHA256
9b6c1dad4b42a308e4fade72da97589161c7cc37c5d926353f216e1903ec9780

SHA512
c587cc27b96fa66a1188947b85f9f27ea61e502e21456411536f48e533377e80301a4fe82eba451d82c1d12b9c5368336d166542d44f12b990a73d10382612d8

Download Submit
C:\74800197\vijppg.txt

Filesize
47KB

MD5
808bdb5b8f93f34c6d64bb48283776ec

SHA1
e3f096b0ea493885ba3e1058594c2d48d4ea89c9

SHA256
799a62dc96ba037ccec9ca7a417a4c5428454a3f52c7b4444f728d79b5f06fd7

SHA512
97582524e55fbb90185dd4e5c8eb6ea5e1a57aa5354278878786881593ef2bd85f3fba8ef6a94d89b8f9dc14c07ee85553e58fa00dd64adfe73d954f3a4af0ff

Download Submit
C:\74800197\wcnaumia.pif

Filesize
758KB

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\json[1].json

Filesize
291B

MD5
c085beeb6f771b90fed94c1d940f97f6

SHA1
44a994d9175d6abaa9a3b5718e242fa659aed66a

SHA256
ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51

SHA512
9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

Download Submit
C:\Users\Admin\AppData\Roaming\EkoHX.vbs

Filesize
180KB

MD5
952b1cbd78885f81760a77dc3b453fd3

SHA1
4af75b46620b063fc23652c3ecaa3b4081074572

SHA256
fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d

SHA512
1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

Download Submit
memory/8-64-0x0000000073412000-0x0000000073413000-memory.dmp

Filesize
4KB

Download
memory/8-69-0x0000000073410000-0x00000000739C1000-memory.dmp

Filesize
5.7MB

Download
memory/8-70-0x0000000073410000-0x00000000739C1000-memory.dmp

Filesize
5.7MB

Download
memory/8-74-0x0000000073410000-0x00000000739C1000-memory.dmp

Filesize
5.7MB

Download
memory/1672-85-0x0000000000800000-0x0000000000EDA000-memory.dmp

Filesize
6.9MB

Download
memory/1672-86-0x0000000000800000-0x000000000088A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads