Analysis Overview
SHA256
46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633
Threat Level: Known bad
The file IMG-9877-PO-PDF-LIST9576867.js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
WSHRAT Payload
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-21 18:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-21 18:21
Reported
2021-10-21 18:23
Platform
win7-en-20211014
Max time kernel
151s
Max time network
151s
Command Line
Signatures
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 436 set thread context of 1384 | N/A | C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-9877-PO-PDF-LIST9576867.js
C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
"C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
"C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe"
C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
"C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| US | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
Files
memory/580-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
| MD5 | 4183142d3de98c340787c751ae2f8d03 |
| SHA1 | 7b7161f73a3100eea2d67fbdf66488f322408c55 |
| SHA256 | c9589679c82039bc1fccaf2c300d564e969c651fc6fb440260e222690f3586bb |
| SHA512 | 8648129e13d7285b7d7d38c3627365f97a79e027173f794a82450bd56f1b0ef35f97a6ebf3c9b59bdf4b0991d95caf7ca3d93bd9c5afe29c03a0a42bdc557a88 |
memory/580-57-0x0000000075B71000-0x0000000075B73000-memory.dmp
\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
| MD5 | 40acb53d42e4b4d20a0111e6dd847606 |
| SHA1 | d010be1ba9ceea60098bebbfee425c0cda66b9a2 |
| SHA256 | 213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73 |
| SHA512 | a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d |
memory/1644-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
| MD5 | 40acb53d42e4b4d20a0111e6dd847606 |
| SHA1 | d010be1ba9ceea60098bebbfee425c0cda66b9a2 |
| SHA256 | 213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73 |
| SHA512 | a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d |
\Users\Admin\AppData\Roaming\61849594\gmebm.pif
| MD5 | 1d7071dd5cda216508b235c0e2318b05 |
| SHA1 | 0b972fbc1ea8a47204b2a187e608744a4e947bc2 |
| SHA256 | 788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996 |
| SHA512 | 65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118 |
C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
| MD5 | 1d7071dd5cda216508b235c0e2318b05 |
| SHA1 | 0b972fbc1ea8a47204b2a187e608744a4e947bc2 |
| SHA256 | 788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996 |
| SHA512 | 65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118 |
memory/436-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\61849594\qardexmt.mdc
| MD5 | f27a77b9bfeae77c1615e60bcffd751d |
| SHA1 | 269b839f255d2ed838b6847d7eef644a9e0d83ff |
| SHA256 | c9e9898d9a9f16a2eeb18911162d81d9c0d305f689d0f16a6da16aad04e06489 |
| SHA512 | da05da38700bb0cf4a9cb6b4b3f1306eef2fb7b81cedcf25fbf1dcda75d3c85d7eadc72c8efff73c556d36d310fc365194f34ab33c3828e4776f05c060f479ca |
memory/1644-76-0x0000000000370000-0x0000000000371000-memory.dmp
C:\Users\Admin\AppData\Roaming\61849594\aolgrnrpt.log
| MD5 | a1e3f47b52737f7a0d5136b89369b2f2 |
| SHA1 | 37cd3f1073d88e938023915a4196b3ffcbe0dad9 |
| SHA256 | 6ca30a0b9918922c3c3408b48399736998d41b34c2345e9cec712ac132c95ae0 |
| SHA512 | 22ad5473ecc6bb9046f93378a4810ea1966b68567e7875e59b23a62180c62b81a4ae52a4fdfbdeb0bcba524b40223b000158e77067ebf3c5242098a6bff3725e |
C:\Users\Admin\AppData\Roaming\61849594\amihgkew.urb
| MD5 | 393bff19f709832ddbd70230f2ccc714 |
| SHA1 | 8f605c8557d61a1049f4bd0614165f713b6dcecd |
| SHA256 | 6e21b346428b764227858b3c69e6c96ce4bf275715cc3b129065dcc41eace024 |
| SHA512 | b00f498f8576e38edf094ca0337b406d8890f76829e0941fc6974ca4ca9fb20290c928990bcf37a748423a52ac509f8661cb0337df6b003322951acb71923130 |
memory/1572-79-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EkoHX.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
memory/1384-81-0x0000000000270000-0x000000000089E000-memory.dmp
memory/1384-82-0x0000000000270000-0x000000000089E000-memory.dmp
memory/1384-83-0x00000000002F42AE-mapping.dmp
memory/1384-85-0x0000000000270000-0x000000000089E000-memory.dmp
memory/296-87-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\OPAFu.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RHI8KPQK\json[1].json
| MD5 | 0c17abb0ed055fecf0c48bb6e46eb4eb |
| SHA1 | a692730c8ec7353c31b94a888f359edb54aaa4c8 |
| SHA256 | f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0 |
| SHA512 | 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-21 18:21
Reported
2021-10-21 18:23
Platform
win10-en-20210920
Max time kernel
130s
Max time network
145s
Command Line
Signatures
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkoHX.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EkoHX = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EkoHX.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 940 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-9877-PO-PDF-LIST9576867.js
C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
"C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe"
C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
"C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe"
C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
"C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif" qardexmt.mdc
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\EkoHX.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
Files
memory/3852-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\IMG-9877-PO-PDF-LIST9576867.exe
| MD5 | 4183142d3de98c340787c751ae2f8d03 |
| SHA1 | 7b7161f73a3100eea2d67fbdf66488f322408c55 |
| SHA256 | c9589679c82039bc1fccaf2c300d564e969c651fc6fb440260e222690f3586bb |
| SHA512 | 8648129e13d7285b7d7d38c3627365f97a79e027173f794a82450bd56f1b0ef35f97a6ebf3c9b59bdf4b0991d95caf7ca3d93bd9c5afe29c03a0a42bdc557a88 |
memory/1140-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\61849594\WHS2.0.exe
| MD5 | 40acb53d42e4b4d20a0111e6dd847606 |
| SHA1 | d010be1ba9ceea60098bebbfee425c0cda66b9a2 |
| SHA256 | 213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73 |
| SHA512 | a7834c27ab5e432a9243376fc7b058e819c56290580f96c28dcd61ca6356d4a7507f907373635cfec933c2fb916cbd07abb50ef39b7b1416c665c77b3930794d |
memory/940-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\61849594\gmebm.pif
| MD5 | 1d7071dd5cda216508b235c0e2318b05 |
| SHA1 | 0b972fbc1ea8a47204b2a187e608744a4e947bc2 |
| SHA256 | 788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996 |
| SHA512 | 65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118 |
C:\Users\Admin\AppData\Roaming\61849594\qardexmt.mdc
| MD5 | f27a77b9bfeae77c1615e60bcffd751d |
| SHA1 | 269b839f255d2ed838b6847d7eef644a9e0d83ff |
| SHA256 | c9e9898d9a9f16a2eeb18911162d81d9c0d305f689d0f16a6da16aad04e06489 |
| SHA512 | da05da38700bb0cf4a9cb6b4b3f1306eef2fb7b81cedcf25fbf1dcda75d3c85d7eadc72c8efff73c556d36d310fc365194f34ab33c3828e4776f05c060f479ca |
memory/1140-125-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/1608-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\EkoHX.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
C:\Users\Admin\AppData\Roaming\61849594\aolgrnrpt.log
| MD5 | a1e3f47b52737f7a0d5136b89369b2f2 |
| SHA1 | 37cd3f1073d88e938023915a4196b3ffcbe0dad9 |
| SHA256 | 6ca30a0b9918922c3c3408b48399736998d41b34c2345e9cec712ac132c95ae0 |
| SHA512 | 22ad5473ecc6bb9046f93378a4810ea1966b68567e7875e59b23a62180c62b81a4ae52a4fdfbdeb0bcba524b40223b000158e77067ebf3c5242098a6bff3725e |
C:\Users\Admin\AppData\Roaming\61849594\amihgkew.urb
| MD5 | 393bff19f709832ddbd70230f2ccc714 |
| SHA1 | 8f605c8557d61a1049f4bd0614165f713b6dcecd |
| SHA256 | 6e21b346428b764227858b3c69e6c96ce4bf275715cc3b129065dcc41eace024 |
| SHA512 | b00f498f8576e38edf094ca0337b406d8890f76829e0941fc6974ca4ca9fb20290c928990bcf37a748423a52ac509f8661cb0337df6b003322951acb71923130 |
memory/1484-130-0x0000000001300000-0x0000000001891000-memory.dmp
memory/1484-131-0x00000000013842AE-mapping.dmp
memory/496-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\OPAFu.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\json[1].json
| MD5 | 149c2823b7eadbfb0a82388a2ab9494f |
| SHA1 | 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c |
| SHA256 | 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869 |
| SHA512 | f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\json[1].json
| MD5 | 149c2823b7eadbfb0a82388a2ab9494f |
| SHA1 | 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c |
| SHA256 | 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869 |
| SHA512 | f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe |