Malware Analysis Report

2025-04-14 08:22

Sample ID 220205-pl9xlsbce5
Target 9a71ffc2221a9aacc9b8a47fbad7a199f531b7ed98e945c3f8a4eb174d6695c9
SHA256 9a71ffc2221a9aacc9b8a47fbad7a199f531b7ed98e945c3f8a4eb174d6695c9
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a71ffc2221a9aacc9b8a47fbad7a199f531b7ed98e945c3f8a4eb174d6695c9

Threat Level: Known bad

The file 9a71ffc2221a9aacc9b8a47fbad7a199f531b7ed98e945c3f8a4eb174d6695c9 was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in Windows directory

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 12:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 12:26

Reported

2022-02-05 12:29

Platform

win7-en-20211208

Max time kernel

152s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\P0@#200120200409.js

Signatures

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xZRxruWFfi.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xZRxruWFfi.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P0@#200120200409.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P0@#200120200409.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\xZRxruWFfi = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\xZRxruWFfi.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xZRxruWFfi = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\xZRxruWFfi.js\"" C:\Windows\System32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\P0@#200120200409.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xZRxruWFfi.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\P0@#200120200409.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xZRxruWFfi.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 8.8.8.8:53 pastebin.com udp
US 104.23.99.190:80 pastebin.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 104.23.99.190:443 pastebin.com tcp
US 104.23.99.190:443 pastebin.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp

Files

memory/756-55-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

C:\Users\Admin\AppData\Roaming\xZRxruWFfi.js

MD5 51db8b0ff407e9dc26fb5433e092d8d0
SHA1 febb66e89ad02bee67909bcbfa868193634e39e8
SHA256 7dd4c6903150d5a41e212435b5dbef07f1939d801eae10038612c358c5a70ea8
SHA512 1dd4cad5ef60f4a26e9891c4b3f1eb1e9f3592b69e2964a3c4decca17606d48a14385e502c9a5adbd8fc2003b62e4d14be7cf6dded3b067e6e104f143050efa3

C:\Users\Admin\AppData\Roaming\P0@#200120200409.js

MD5 50f553d2ed9cfadd009151764d850f87
SHA1 92c353b3b343821bc6fe4e7d753718566d89fd73
SHA256 bf87bfb35a8c6a0a0c62c5375320b49af8d39c619a549ad51e1b41d69d70da1e
SHA512 18a597600a4ced59507b23f0a15f1f500228872744e8473a553a085b68a66d6eab2fff2770f4348c4f2a8197594f150f02243cbcd11d920f30b954741984af35

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\fRGiDvu2[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFMJZ4T6\fRGiDvu2[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 71485d6dad10ceef12040fd711df872a
SHA1 897a77130781bce4aaeae2ffde5e6944993dbcbc
SHA256 3e07fbecbbdebe402542141b968ec6dd2fe96c4a48c47563b759ad24c3516f30
SHA512 3468983f3e4c64aebfe392735e03f16634e8ec3cc2759ca39eebbfc1676e321602a051ad2b383e01e5e947a0b5007f4994c2e0e06033246d3559692e1b729bd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 11685fdb6ae1d6353ba3ced7e4b277db
SHA1 b4155ee14055fd3458b3eaf2036757fdbbe98a2a
SHA256 6e90bff28132b2b44023041f1912f9ea0a5ef48a3e3a8065eec43fdc66d5ec4e
SHA512 10924260534b5cae190a1b829ff15c9d1861bf3770bf1c40f555a2dcf80bb1bfd6623edc23e7c8014bd5fb51f5dcb1cb3139c4a851837abc29731fa822e072ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33807592640aa357cafb73b0399b1b0e
SHA1 4bb367471bd574e5a38222295e7dc52be25b6680
SHA256 8163bcf7cc7337ae31178fed685aad26f8537c9bf1e6dd180b5fae95bf1b0666
SHA512 0bf8bacb37c0215ccd0508824fb3a2b5040b17a529bf74b01e8b564ffb5e883278e032f6a74de06b190036f6d0d0674f54d13a6eadee7f608449b9ad3d7899ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P0@#200120200409.js

MD5 50f553d2ed9cfadd009151764d850f87
SHA1 92c353b3b343821bc6fe4e7d753718566d89fd73
SHA256 bf87bfb35a8c6a0a0c62c5375320b49af8d39c619a549ad51e1b41d69d70da1e
SHA512 18a597600a4ced59507b23f0a15f1f500228872744e8473a553a085b68a66d6eab2fff2770f4348c4f2a8197594f150f02243cbcd11d920f30b954741984af35

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 12:26

Reported

2022-02-05 12:28

Platform

win10v2004-en-20220113

Max time kernel

150s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\P0@#200120200409.js

Signatures

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xZRxruWFfi.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P0@#200120200409.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P0@#200120200409.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xZRxruWFfi.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xZRxruWFfi = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\xZRxruWFfi.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xZRxruWFfi = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\xZRxruWFfi.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P0@#200120200409 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\P0@#200120200409.js\"" C:\Windows\System32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2224 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1660 wrote to memory of 2224 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1660 wrote to memory of 4712 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1660 wrote to memory of 4712 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4712 wrote to memory of 1392 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 4712 wrote to memory of 1392 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\P0@#200120200409.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xZRxruWFfi.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\P0@#200120200409.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xZRxruWFfi.js"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.23.99.190:80 pastebin.com tcp
US 104.23.99.190:443 pastebin.com tcp
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp

Files

C:\Users\Admin\AppData\Roaming\xZRxruWFfi.js

MD5 51db8b0ff407e9dc26fb5433e092d8d0
SHA1 febb66e89ad02bee67909bcbfa868193634e39e8
SHA256 7dd4c6903150d5a41e212435b5dbef07f1939d801eae10038612c358c5a70ea8
SHA512 1dd4cad5ef60f4a26e9891c4b3f1eb1e9f3592b69e2964a3c4decca17606d48a14385e502c9a5adbd8fc2003b62e4d14be7cf6dded3b067e6e104f143050efa3

C:\Users\Admin\AppData\Roaming\P0@#200120200409.js

MD5 50f553d2ed9cfadd009151764d850f87
SHA1 92c353b3b343821bc6fe4e7d753718566d89fd73
SHA256 bf87bfb35a8c6a0a0c62c5375320b49af8d39c619a549ad51e1b41d69d70da1e
SHA512 18a597600a4ced59507b23f0a15f1f500228872744e8473a553a085b68a66d6eab2fff2770f4348c4f2a8197594f150f02243cbcd11d920f30b954741984af35

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\fRGiDvu2[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\fRGiDvu2[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P0@#200120200409.js

MD5 50f553d2ed9cfadd009151764d850f87
SHA1 92c353b3b343821bc6fe4e7d753718566d89fd73
SHA256 bf87bfb35a8c6a0a0c62c5375320b49af8d39c619a549ad51e1b41d69d70da1e
SHA512 18a597600a4ced59507b23f0a15f1f500228872744e8473a553a085b68a66d6eab2fff2770f4348c4f2a8197594f150f02243cbcd11d920f30b954741984af35

memory/4520-135-0x0000022073D70000-0x0000022073D80000-memory.dmp

memory/4520-142-0x00000220769F0000-0x00000220769F4000-memory.dmp