Malware Analysis Report

2025-04-14 08:20

Sample ID 250325-xq3m4a1sa1
Target 3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7.zip
SHA256 3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7
Tags
wshrat execution persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7

Threat Level: Known bad

The file 3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7.zip was found to be: Known bad.

Malicious Activity Summary

wshrat execution persistence trojan

WSHRAT payload

Wshrat family

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-25 19:04

Signatures

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

wshrat

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-25 19:04

Reported

2025-03-25 19:06

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Wshrat family

wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A

Both wscript.exe instances write the same two values: the initial process (C:\Windows\system32\wscript.exe, PID 1860) and the //B relaunch it spawns (C:\Windows\System32\wscript.exe, PID 1788), so the script re-asserts persistence on every execution. The value data points at the copy in %APPDATA% (C:\Users\Admin\AppData\Roaming), not at the original in Temp, and runs it with //B (batch mode, no script error dialogs). Writing the HKLM Run value requires administrative rights; under a standard-user account only the HKCU value and the Startup-folder copy would survive.

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 1788 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (3 events)

PID 1860 is the initial wscript.exe and PID 1788 is the //B relaunch it creates (see Processes below). Writes from a parent into a child it has just created are consistent with process start-up rather than injection into an unrelated process; the signal here is the script host relaunching itself, not the memory write as such.

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 anekemoney.com udp

Only two domains are contacted: ip-api.com (external IP lookup over plain HTTP, port 80) and anekemoney.com, which is queried via DNS but never connected to, so the C2 exchange itself was not captured in this run.

Files

C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

MD5 2852bd566a1ec01b41c53e4e738c6f4a
SHA1 f777cd9e907866bfb9e5513c94fc84f2dcd2cd3a
SHA256 d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb
SHA512 f1a75eb649375c2dd18072977e8ebd04988c705a3ecbca10e5cf5bda1e5886e26d66380467d221efbbaf3137128fda8fe62af61f728769dd47abfd79bf0f7e17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

MD5 1cfa0638231ea342d5c4b7e6152a3ddb
SHA1 1a8d8d1966fa6f21576f266725d9f8c15ccadc90
SHA256 43ba3d53e67b2e59e3c53e762d2614b67e283cb478222f888796976de8c04148
SHA512 0b2c9ca230abb34b9c378377bdf19cf9b3370db601a5cd78af218f456d1a23ef68efc592ff121802c090062d2654bd509587d9be16f139c82f864a241e1d0623

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-25 19:04

Reported

2025-03-25 19:06

Platform

win10v2004-20250314-en

Max time kernel

148s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A

Both wscript.exe instances in this run, the initial process (PID 5728) and the //B relaunch it spawns (PID 4056), write both values, so persistence is re-asserted on every execution. The HKLM value requires administrative rights and would not be written under a standard-user account; the HKCU value and the Startup-folder copy need no elevation.
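The two Run values, the Startup-folder drop and the wscript.exe //B self-relaunch recorded in both behavioral runs above make a compact host-side detection. The following is an added example, not part of this report and not a vendor rule set: it applies three rules to constructed Sysmon-style events (the field names and event shapes are assumptions modelled on Sysmon Event IDs 1, 11 and 13; the explorer.exe parent is assumed, the report does not show it), using the paths, command lines and registry data from the Windows 7 run as sample input plus a few benign events to check for false positives.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the sandbox): the event shapes and field
# names are assumptions modelled on Sysmon Event IDs 1 (process create),
# 11 (file create) and 13 (registry value set). Paths, command lines and
# registry data are the ones recorded in the behavioral1 (Windows 7) run.
SCRIPT = "d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js"
APPDATA = r"C:\Users\Admin\AppData"
TEMP_COPY = APPDATA + r"\Local\Temp" + "\\" + SCRIPT
ROAMING_COPY = APPDATA + r"\Roaming" + "\\" + SCRIPT
STARTUP_COPY = APPDATA + r"\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + SCRIPT
RUN_DATA = 'wscript.exe //B "' + ROAMING_COPY + '"'
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run" + "\\"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\"


def ev(eid, **fields):
    return {"EventID": eid, **fields}


SAMPLE_EVENTS = [
    # initial launch; the explorer.exe parent is an assumption, the report does not show it
    ev(1, ProcessId=1860, ParentProcessId=1200, ParentImage=r"C:\Windows\explorer.exe",
       Image=r"C:\Windows\system32\wscript.exe", CommandLine="wscript.exe " + TEMP_COPY),
    ev(11, ProcessId=1860, TargetFilename=ROAMING_COPY),
    ev(11, ProcessId=1860, TargetFilename=STARTUP_COPY),
    ev(13, ProcessId=1860, TargetObject=HKCU_RUN + SCRIPT[:-3], Details=RUN_DATA),
    ev(13, ProcessId=1860, TargetObject=HKLM_RUN + SCRIPT[:-3], Details=RUN_DATA),
    # the //B relaunch: wscript.exe spawning wscript.exe against the %APPDATA% copy
    ev(1, ProcessId=1788, ParentProcessId=1860, ParentImage=r"C:\Windows\system32\wscript.exe",
       Image=r"C:\Windows\System32\wscript.exe",
       CommandLine='"C:\\Windows\\System32\\wscript.exe" //B "' + ROAMING_COPY + '"'),
    # constructed benign noise that must not alert
    ev(13, ProcessId=3000, TargetObject=HKCU_RUN + "OneDrive",
       Details=APPDATA + r"\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ev(11, ProcessId=3000, TargetFilename=STARTUP_COPY.rsplit("\\", 1)[0] + r"\desktop.ini"),
    ev(1, ProcessId=3100, ParentProcessId=1200, ParentImage=r"C:\Windows\explorer.exe",
       Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c dir"),
]

SCRIPT_HOST = re.compile(r'(?:^|\\|")[wc]script(?:\.exe)?\b', re.I)   # wscript/cscript as image or first token
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def detect(events):
    """Return (rule, detail) findings for the WSHRAT-style persistence chain."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 13 and RUN_KEY.search(e["TargetObject"]):
            data = e["Details"]
            # Run value that starts a script host on a script in a user-writable path
            if SCRIPT_HOST.search(data) and SCRIPT_EXT.search(data) and USER_WRITABLE.search(data):
                hive = "HKLM" if e["TargetObject"].upper().startswith(r"\REGISTRY\MACHINE") else "HKCU"
                silent = " (//B: batch mode, errors suppressed)" if "//B" in data.upper() else ""
                findings.append(("run_key_script_host", f"{hive} {data}{silent}"))
        elif eid == 11 and STARTUP_DIR.search(e["TargetFilename"]) and SCRIPT_EXT.search(e["TargetFilename"]):
            findings.append(("startup_folder_script", e["TargetFilename"]))
        elif eid == 1 and SCRIPT_HOST.search(e["Image"]) and SCRIPT_HOST.search(e["ParentImage"]):
            # a script host relaunching itself is the //B re-execution seen in the report
            findings.append(("script_host_self_relaunch",
                             f"PID {e['ParentProcessId']} -> {e['ProcessId']}: {e['CommandLine']}"))
    return findings


def rule_counts(events):
    """Number of hits per rule, handy for a quick triage summary."""
    return Counter(rule for rule, _ in detect(events))


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running it prints four findings (the HKCU and HKLM Run values, the Startup-folder script and the self-relaunch); the OneDrive Run value, the desktop.ini in the Startup folder and the cmd.exe launch produce nothing. The hive and the //B flag are carried in the detail string so an analyst sees at once whether the persistence is machine-wide and silent.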

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5728 wrote to memory of 4056 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (2 events)

As in the Windows 7 run, the writer (PID 5728) is the initial wscript.exe and the target (PID 4056) is the //B relaunch it creates, so this reflects process start-up rather than injection into a foreign process.

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 1
US 8.8.8.8:53 g.bing.com udp 1
US 150.171.27.10:443 g.bing.com tcp 7
US 8.8.8.8:53 anekemoney.com udp 30
US 8.8.8.8:53 c.pki.goog udp 1
GB 142.250.179.227:80 c.pki.goog tcp 1

Identical rows are collapsed into the Count column (44 rows in total). Only the ip-api.com lookup (plain HTTP, port 80) and the 30 DNS queries for anekemoney.com are attributable to the sample; no TCP connection to anekemoney.com follows any of the queries, which is consistent with the domain not resolving (or being withheld by the sandbox) during detonation, so the C2 exchange itself was not captured. The bing.com, bing.net and c.pki.goog traffic is Windows 10 background activity and does not appear in the Windows 7 run.
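The network tables of both runs show the same pattern: one HTTP request to ip-api.com and repeated DNS queries for anekemoney.com with no connection following, buried (in the Windows 10 run) in platform noise. The block below is an added example, not part of the report: it parses rows in the report's own Country/Destination/Domain/Proto layout, counts resolver queries against actual TCP connections per domain, and assigns a triage verdict. The allowlist of background destinations and the list of external-IP services are assumptions; the sample rows are a constructed copy of the behavioral2 table with the same counts in simplified order.

```python
from collections import defaultdict

# Assumed allowlist of Windows 10 background destinations seen in the report (Bing
# lock-screen/search content, Google certificate checks); not sample activity.
PLATFORM_NOISE = ("bing.com", "bing.net", "pki.goog")
# Public external-IP lookup services; ip-api.com is the one recorded for this
# sample, the others are common alternatives (assumed list).
IP_CHECK_SERVICES = ("ip-api.com", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com")

# Constructed copy of the behavioral2 Network table: same rows and counts, order simplified.
SAMPLE_ROWS = (
    ["US 8.8.8.8:53 ip-api.com udp",
     "US 208.95.112.1:80 ip-api.com tcp",
     "US 8.8.8.8:53 tse1.mm.bing.net udp",
     "US 150.171.27.10:443 tse1.mm.bing.net tcp",
     "US 8.8.8.8:53 g.bing.com udp"]
    + ["US 150.171.27.10:443 g.bing.com tcp"] * 7
    + ["US 8.8.8.8:53 anekemoney.com udp"] * 30
    + ["US 8.8.8.8:53 c.pki.goog udp",
       "GB 142.250.179.227:80 c.pki.goog tcp"]
)
SAMPLE_LOG = "\n".join(SAMPLE_ROWS)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def _matches(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(text, noise=PLATFORM_NOISE, ip_check=IP_CHECK_SERVICES, min_queries=3):
    """Per-domain DNS-vs-TCP summary with a triage verdict for each domain."""
    stats = defaultdict(lambda: {"dns": 0, "tcp": 0, "peers": set()})
    for r in parse_rows(text):
        s = stats[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            s["dns"] += 1                      # a resolver query for the domain
        elif r["proto"] == "tcp":
            s["tcp"] += 1                      # an actual connection to a resolved address
            s["peers"].add(f"{r['ip']}:{r['port']}")
    verdicts = {}
    for domain, s in stats.items():
        if _matches(domain, noise):
            verdict = "platform-noise"
        elif _matches(domain, ip_check):
            verdict = "external-ip-lookup"     # the victim IP/geolocation check the sandbox flagged
        elif s["dns"] >= min_queries and s["tcp"] == 0:
            # queried over and over, never connected: the domain did not resolve during
            # detonation (or the sandbox withheld it); treat it as the C2 candidate
            verdict = "unresolved-beacon-candidate"
        else:
            verdict = "review"
        verdicts[domain] = {"dns": s["dns"], "tcp": s["tcp"],
                            "peers": sorted(s["peers"]), "verdict": verdict}
    return verdicts


def network_iocs(text):
    """Domains (with any peers seen) worth watching, platform noise excluded."""
    return {d: r["peers"] for d, r in triage(text).items() if r["verdict"] != "platform-noise"}


if __name__ == "__main__":
    for domain, r in triage(SAMPLE_LOG).items():
        print(f"{domain:20} dns={r['dns']:3} tcp={r['tcp']:3} {r['verdict']}")
```

The verdict for anekemoney.com rests on the absence of any TCP connection after 30 queries, which is all the report records; the sandbox table does not show DNS responses, so "unresolved" is inferred, not observed. Feed the function a capture with responses and the rule should be tightened to NXDOMAIN/SERVFAIL answers.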

Files

C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

MD5 2852bd566a1ec01b41c53e4e738c6f4a
SHA1 f777cd9e907866bfb9e5513c94fc84f2dcd2cd3a
SHA256 d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb
SHA512 f1a75eb649375c2dd18072977e8ebd04988c705a3ecbca10e5cf5bda1e5886e26d66380467d221efbbaf3137128fda8fe62af61f728769dd47abfd79bf0f7e17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

MD5 e8a82f1af6daa06fc06dcb7c9ee6cd88
SHA1 76044b98a8957f0927ae7dd51bb10f4b3e6c062b
SHA256 f1ab2ea47658168081690674a8f4abbf0471bff9d29454b034412011a7c54965
SHA512 26d8791f479e5750bdeb1b639ac8640890f7d1ea5887a2cb41dc8dc24bfda44974be38197e87eb553838ec7079bc9fd39e2284696fde90ca8826c0dd9feacf87

The copy in C:\Users\Admin\AppData\Roaming has the same SHA256 in both runs and it equals the submitted script's file name (sandbox submissions are named by their SHA256), indicating an unmodified copy. The Startup-folder copy, by contrast, hashes differently in each detonation (43ba3d53... on Windows 7, f1ab2ea4... on Windows 10), so it is rewritten rather than copied and its hashes are not stable indicators. For hunting, pivot on the Roaming copy's hashes, the Run value data (wscript.exe //B against a .js in %APPDATA%) and the anekemoney.com domain rather than on the Startup copy.