Analysis Overview
SHA256
db100634a0d9005c2d6c65827d141a2f18877f1321fc390410a7a50ad8d7074e
Threat Level: Known bad
The file db100634a0d9005c2d6c65827d141a2f18877f1321fc390410a7a50ad8d7074e was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
suricata: ET MALWARE WSHRAT CnC Checkin
WSHRAT
Sets service image path in registry
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in Windows directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Checks processor information in registry
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 09:14
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 09:14
Reported
2022-02-05 09:17
Platform
win10v2004-en-20220112
Max time kernel
150s
Max time network
150s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Sets service image path in registry
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887024976909477" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.163287" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4020" | C:\Windows\System32\svchost.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|48C8CF8A\|RIBCQUHQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2928 wrote to memory of 768 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2928 wrote to memory of 768 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2928 wrote to memory of 1000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2928 wrote to memory of 1000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1000 wrote to memory of 3180 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1000 wrote to memory of 3180 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Doc____Porder101##8.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 5166bf4870172989e5d7d64c8793715e 56J+OO/JnEWglzfMAQ6rcg.0.1.0.0.0
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 104.110.191.133:80 | | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.23.99.190:80 | pastebin.com | tcp |
| US | 104.23.99.190:443 | pastebin.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | pluginsrv2.duckdns.org | udp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 104.23.99.190:80 | pastebin.com | tcp |
| US | 104.23.99.190:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 159.65.219.192:7777 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 20.191.46.211:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\YuFinegpjv.js
| MD5 | f1e1273b13b9f013be5e0fc8a6f49a59 |
| SHA1 | a298c41196bbeabee79eb780a2887b2c06cfd64d |
| SHA256 | 97cf11223b12f055c5266e161e090d078bbd032f0e0fd1056c6bab013af8d01e |
| SHA512 | f0210650317ed78c2f2894a10b90da3b69bfcc415a3fd2beca442c28337d05671a41158a98ca5da3110046903c699f34daa7cbc6c76521bea859fa8be81d4406 |
C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js
| MD5 | bfefa71b00bb905af4ad90e0b7743fb5 |
| SHA1 | 43aaed5594d81c929a2f6f38705b618dbfa5917c |
| SHA256 | 8c02d6fbc92c9a740e2096fe9c31c60c409dbf30b07ae51fa3c44dd913524c3f |
| SHA512 | 1ec19752f69e33827f9dbf333bc834f03ae7f1b4ef86a64179b1f559f6e3f6b4bbb27883b6b530f67836fd27f01fbbd0c106b8d14ad002fc3a29a0a76d18c015 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\94cJpJDi[1]
| MD5 | fda44910deb1a460be4ac5d56d61d837 |
| SHA1 | f6d0c643351580307b2eaa6a7560e76965496bc7 |
| SHA256 | 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9 |
| SHA512 | 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GS28O9WE\94cJpJDi[1].txt
| MD5 | 2008964ef2e2c06fb98a35262700d712 |
| SHA1 | 7660a6d1246543385c390fb29b0980ff850519fb |
| SHA256 | 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b |
| SHA512 | a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 71485d6dad10ceef12040fd711df872a |
| SHA1 | 897a77130781bce4aaeae2ffde5e6944993dbcbc |
| SHA256 | 3e07fbecbbdebe402542141b968ec6dd2fe96c4a48c47563b759ad24c3516f30 |
| SHA512 | 3468983f3e4c64aebfe392735e03f16634e8ec3cc2759ca39eebbfc1676e321602a051ad2b383e01e5e947a0b5007f4994c2e0e06033246d3559692e1b729bd3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | acce5950357852e4ed938c9d5e545173 |
| SHA1 | dff82754ba20e92c27e2f560fe7036d1707b4e17 |
| SHA256 | 5fabb5a821446d9e016a2ab1e7272602142c5d9ea0b339b3471df0d5f5788885 |
| SHA512 | 318e836daa4a82bde1c37f7cf6acf6ed4548966358bdc0dbfc9dd8ceae24269ef2d5f7eacf98515c66a81d8bb42a8394354b601abb381acaf8c6d3ce3d397cb2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 09:14
Reported
2022-02-05 09:17
Platform
win7-en-20211208
Max time kernel
150s
Max time network
146s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" | C:\Windows\System32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1432 wrote to memory of 956 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1432 wrote to memory of 956 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1432 wrote to memory of 956 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1432 wrote to memory of 1104 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1432 wrote to memory of 1104 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1432 wrote to memory of 1104 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1104 wrote to memory of 1280 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1104 wrote to memory of 1280 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1104 wrote to memory of 1280 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Doc____Porder101##8.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.23.98.190:80 | pastebin.com | tcp |
| US | 104.23.98.190:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pluginsrv2.duckdns.org | udp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 159.65.219.192:7777 | | tcp |
Files
memory/1432-53-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
C:\Users\Admin\AppData\Roaming\YuFinegpjv.js
| MD5 | f1e1273b13b9f013be5e0fc8a6f49a59 |
| SHA1 | a298c41196bbeabee79eb780a2887b2c06cfd64d |
| SHA256 | 97cf11223b12f055c5266e161e090d078bbd032f0e0fd1056c6bab013af8d01e |
| SHA512 | f0210650317ed78c2f2894a10b90da3b69bfcc415a3fd2beca442c28337d05671a41158a98ca5da3110046903c699f34daa7cbc6c76521bea859fa8be81d4406 |
C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js
| MD5 | bfefa71b00bb905af4ad90e0b7743fb5 |
| SHA1 | 43aaed5594d81c929a2f6f38705b618dbfa5917c |
| SHA256 | 8c02d6fbc92c9a740e2096fe9c31c60c409dbf30b07ae51fa3c44dd913524c3f |
| SHA512 | 1ec19752f69e33827f9dbf333bc834f03ae7f1b4ef86a64179b1f559f6e3f6b4bbb27883b6b530f67836fd27f01fbbd0c106b8d14ad002fc3a29a0a76d18c015 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\34ZL0Q4Z\94cJpJDi[1]
| MD5 | fda44910deb1a460be4ac5d56d61d837 |
| SHA1 | f6d0c643351580307b2eaa6a7560e76965496bc7 |
| SHA256 | 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9 |
| SHA512 | 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VSJJWE3\94cJpJDi[1].txt
| MD5 | 2008964ef2e2c06fb98a35262700d712 |
| SHA1 | 7660a6d1246543385c390fb29b0980ff850519fb |
| SHA256 | 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b |
| SHA512 | a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js
| MD5 | bfefa71b00bb905af4ad90e0b7743fb5 |
| SHA1 | 43aaed5594d81c929a2f6f38705b618dbfa5917c |
| SHA256 | 8c02d6fbc92c9a740e2096fe9c31c60c409dbf30b07ae51fa3c44dd913524c3f |
| SHA512 | 1ec19752f69e33827f9dbf333bc834f03ae7f1b4ef86a64179b1f559f6e3f6b4bbb27883b6b530f67836fd27f01fbbd0c106b8d14ad002fc3a29a0a76d18c015 |