Analysis Overview
SHA256
b6af270fde44e8fe7757806eafa906fe59418d54e8d3c6a87c8d0242ced2a371
Threat Level: Known bad
The file b6af270fde44e8fe7757806eafa906fe59418d54e8d3c6a87c8d0242ced2a371 was found to be: Known bad.
Malicious Activity Summary
WSHRAT Payload
WSHRAT
NanoCore
Executes dropped EXE
UPX packed file
Blocklisted process makes network request
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
outlook_office_path
outlook_win_path
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 11:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 11:01
Reported
2022-02-05 11:03
Platform
win7-en-20211208
Max time kernel
144s
Max time network
130s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1048 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1048 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
| PID 1048 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
| PID 1048 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
| PID 1048 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 11:01
Reported
2022-02-05 11:04
Platform
win10v2004-en-20220112
Max time kernel
142s
Max time network
157s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1892 set thread context of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887089248311711" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4012" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.263206" | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1892 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
| PID 1892 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
| PID 1892 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 104.80.224.57:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.184.216.226:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-02-05 11:01
Reported
2022-02-05 11:03
Platform
win7-en-20211208
Max time kernel
149s
Max time network
139s
Command Line
Signatures
NanoCore
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\opxTE.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\opxTE.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\opxTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\opxTE.vbs\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\opxTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\opxTE.vbs\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2024 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\server1.exe
"C:\Users\Admin\AppData\Local\Temp\server1.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\opxTE.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:1334 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | rajas.com.my | udp |
| MY | 103.6.196.76:80 | rajas.com.my | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| MY | 103.6.196.76:80 | rajas.com.my | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| MY | 103.6.196.76:80 | rajas.com.my | tcp |
| US | 184.105.237.199:1334 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| MY | 103.6.196.76:80 | rajas.com.my | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| US | 184.105.237.199:1334 | blackhil.ddns.net | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| MY | 103.6.196.76:80 | rajas.com.my | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| US | 184.105.237.199:1334 | blackhil.ddns.net | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 184.105.237.199:1334 | blackhil.ddns.net | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| US | 184.105.237.199:1334 | blackhil.ddns.net | tcp |
| NL | 8.248.3.254:80 | | tcp |
| US | 8.8.8.8:53 | blackhil.ddns.net | udp |
| US | 184.105.237.199:53896 | blackhil.ddns.net | tcp |
| N/A | 127.0.0.1:53896 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 0e8b49b3d9227a40be1266063b013371 |
| SHA1 | d1665de48fc77fa70099dacbe9321d5cee170fae |
| SHA256 | a79d6ed879410a1193774ac6a64b51043e568eef40076df0057c152cabc58f61 |
| SHA512 | c9fadda7f02780b71561ff416ed8d2487dfa6245c431385af481b1ac1df6b504e006d7e7b99c117ce6cf1aa86eb9f5eb2f724529b3da978806af01c92abc6efc |
memory/1504-72-0x0000000000380000-0x000000000039A000-memory.dmp
\Users\Admin\AppData\Local\Temp\server1.exe
| MD5 | 82f7e10ddeb06d7ac706f8053f7be9ab |
| SHA1 | c0aa068d29b7812a4097f024f717fbb75d006ecb |
| SHA256 | 7bdf4741a02e5879afa0b5c4248b9d12d8f5aff1b82a0113d8b8e9a63c7ce9ab |
| SHA512 | 44577b1002a4b430700150bdaba1f70245d153d8a5c5cda456df4a292ce65238a7531a126d13e17accefb1d499ca5e24753f3625ed586110d55c8d65558fc290 |
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a436e690055e9a46e93d529afb1d5095 |
| SHA1 | 095610080d02e5de31c3f7c56b55577b8a795250 |
| SHA256 | fb7636c9233719102f95dce7009b2ede5e9ff7d3a15d6e9b2fde8d3152f72f60 |
| SHA512 | 22195596e74e83cef0977fccbecf3cffd89b72d266112416216c3fe6bfa358b4868bb324fd37d29c5148562c03bc8e05bb76407b5b7b48acd4b16aec273a1b54 |
memory/268-83-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/464-85-0x0000000000130000-0x0000000000131000-memory.dmp
C:\Users\Admin\AppData\Roaming\opxTE.vbs
| MD5 | 358d63d1074cc5c25a3893a744d2c63f |
| SHA1 | aef18c3ad7190795e05d0ddbc9eecf0faac365a5 |
| SHA256 | 6a92b629a1ca59b6fc91d09c01e1afbd0588ef0e699475bc096eb0f13c396e45 |
| SHA512 | 9db134036de548723d5ddf0cdc6de8b1125fb3bffa31a5d412892a18bcfe501bca66157289a0ec61f4cc5ac9ea840404ff87e9d05b5ae1e4fc027d41ed1c3cdc |
memory/1504-88-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/1504-89-0x00000000009B5000-0x00000000009C6000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-02-05 11:01
Reported
2022-02-05 11:03
Platform
win10v2004-en-20220113
Max time kernel
2s
Max time network
8s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"