Malware Analysis Report

2025-04-14 08:31

Sample ID 220205-k7lppaabak
Target db100634a0d9005c2d6c65827d141a2f18877f1321fc390410a7a50ad8d7074e
SHA256 db100634a0d9005c2d6c65827d141a2f18877f1321fc390410a7a50ad8d7074e
Tags
wshrat persistence suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db100634a0d9005c2d6c65827d141a2f18877f1321fc390410a7a50ad8d7074e

Threat Level: Known bad

The file db100634a0d9005c2d6c65827d141a2f18877f1321fc390410a7a50ad8d7074e was found to be: Known bad.

Malicious Activity Summary

wshrat persistence suricata trojan

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata: ET MALWARE WSHRAT CnC Checkin

WSHRAT

Sets service image path in registry

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks processor information in registry

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 09:14

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 09:14

Reported

2022-02-05 09:17

Platform

win10v2004-en-20220112

Max time kernel

150s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Doc____Porder101##8.js

Signatures

WSHRAT

trojan wshrat

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Sets service image path in registry

persistence

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887024976909477" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.163287" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4020" C:\Windows\System32\svchost.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 768 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2928 wrote to memory of 768 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2928 wrote to memory of 1000 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2928 wrote to memory of 1000 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1000 wrote to memory of 3180 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 1000 wrote to memory of 3180 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Doc____Porder101##8.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 5166bf4870172989e5d7d64c8793715e 56J+OO/JnEWglzfMAQ6rcg.0.1.0.0.0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country Destination Domain Proto
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 104.110.191.133:80 tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.23.99.190:80 pastebin.com tcp
US 104.23.99.190:443 pastebin.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 104.23.99.190:80 pastebin.com tcp
US 104.23.99.190:443 pastebin.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
NL 104.110.191.140:80 tcp
US 93.184.221.240:80 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 20.191.46.211:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 93.184.221.240:80 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
NL 104.110.191.140:80 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp

Files

C:\Users\Admin\AppData\Roaming\YuFinegpjv.js

MD5 f1e1273b13b9f013be5e0fc8a6f49a59
SHA1 a298c41196bbeabee79eb780a2887b2c06cfd64d
SHA256 97cf11223b12f055c5266e161e090d078bbd032f0e0fd1056c6bab013af8d01e
SHA512 f0210650317ed78c2f2894a10b90da3b69bfcc415a3fd2beca442c28337d05671a41158a98ca5da3110046903c699f34daa7cbc6c76521bea859fa8be81d4406

C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js

MD5 bfefa71b00bb905af4ad90e0b7743fb5
SHA1 43aaed5594d81c929a2f6f38705b618dbfa5917c
SHA256 8c02d6fbc92c9a740e2096fe9c31c60c409dbf30b07ae51fa3c44dd913524c3f
SHA512 1ec19752f69e33827f9dbf333bc834f03ae7f1b4ef86a64179b1f559f6e3f6b4bbb27883b6b530f67836fd27f01fbbd0c106b8d14ad002fc3a29a0a76d18c015

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\94cJpJDi[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GS28O9WE\94cJpJDi[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 71485d6dad10ceef12040fd711df872a
SHA1 897a77130781bce4aaeae2ffde5e6944993dbcbc
SHA256 3e07fbecbbdebe402542141b968ec6dd2fe96c4a48c47563b759ad24c3516f30
SHA512 3468983f3e4c64aebfe392735e03f16634e8ec3cc2759ca39eebbfc1676e321602a051ad2b383e01e5e947a0b5007f4994c2e0e06033246d3559692e1b729bd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 acce5950357852e4ed938c9d5e545173
SHA1 dff82754ba20e92c27e2f560fe7036d1707b4e17
SHA256 5fabb5a821446d9e016a2ab1e7272602142c5d9ea0b339b3471df0d5f5788885
SHA512 318e836daa4a82bde1c37f7cf6acf6ed4548966358bdc0dbfc9dd8ceae24269ef2d5f7eacf98515c66a81d8bb42a8394354b601abb381acaf8c6d3ce3d397cb2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 09:14

Reported

2022-02-05 09:17

Platform

win7-en-20211208

Max time kernel

150s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Doc____Porder101##8.js

Signatures

WSHRAT

trojan wshrat

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YuFinegpjv.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Doc____Porder101##8 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Doc____Porder101##8.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YuFinegpjv = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\YuFinegpjv.js\"" C:\Windows\System32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Doc____Porder101##8.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YuFinegpjv.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.23.98.190:80 pastebin.com tcp
US 104.23.98.190:443 pastebin.com tcp
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp

Files

memory/1432-53-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

C:\Users\Admin\AppData\Roaming\YuFinegpjv.js

MD5 f1e1273b13b9f013be5e0fc8a6f49a59
SHA1 a298c41196bbeabee79eb780a2887b2c06cfd64d
SHA256 97cf11223b12f055c5266e161e090d078bbd032f0e0fd1056c6bab013af8d01e
SHA512 f0210650317ed78c2f2894a10b90da3b69bfcc415a3fd2beca442c28337d05671a41158a98ca5da3110046903c699f34daa7cbc6c76521bea859fa8be81d4406

C:\Users\Admin\AppData\Roaming\Doc____Porder101##8.js

MD5 bfefa71b00bb905af4ad90e0b7743fb5
SHA1 43aaed5594d81c929a2f6f38705b618dbfa5917c
SHA256 8c02d6fbc92c9a740e2096fe9c31c60c409dbf30b07ae51fa3c44dd913524c3f
SHA512 1ec19752f69e33827f9dbf333bc834f03ae7f1b4ef86a64179b1f559f6e3f6b4bbb27883b6b530f67836fd27f01fbbd0c106b8d14ad002fc3a29a0a76d18c015

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\34ZL0Q4Z\94cJpJDi[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VSJJWE3\94cJpJDi[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Doc____Porder101##8.js

MD5 bfefa71b00bb905af4ad90e0b7743fb5
SHA1 43aaed5594d81c929a2f6f38705b618dbfa5917c
SHA256 8c02d6fbc92c9a740e2096fe9c31c60c409dbf30b07ae51fa3c44dd913524c3f
SHA512 1ec19752f69e33827f9dbf333bc834f03ae7f1b4ef86a64179b1f559f6e3f6b4bbb27883b6b530f67836fd27f01fbbd0c106b8d14ad002fc3a29a0a76d18c015