Malware Analysis Report

2025-04-14 08:22

Sample ID 220205-pystvsbfep
Target 93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b
SHA256 93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b
Tags
wshrat persistence suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b

Threat Level: Known bad

The file 93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b was found to be: Known bad.

Malicious Activity Summary

wshrat persistence suricata trojan

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

WSHRAT

suricata: ET MALWARE WSHRAT CnC Checkin

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Checks processor information in registry

Script User-Agent

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 12:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 12:44

Reported

2022-02-05 12:47

Platform

win7-en-20211208

Max time kernel

143s

Max time network

129s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 12:44

Reported

2022-02-05 12:47

Platform

win10v2004-en-20220112

Max time kernel

134s

Max time network

159s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b.zip

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.191429" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4060" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887151185295388" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b.zip

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.184.216.226:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-05 12:44

Reported

2022-02-05 12:47

Platform

win7-en-20211208

Max time kernel

150s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder101299.js

Signatures

WSHRAT

trojan wshrat

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\system32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder101299.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder101299.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.23.98.190:80 pastebin.com tcp
US 104.23.98.190:443 pastebin.com tcp
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp

Files

memory/2016-53-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js

MD5 92174ec0aadd62600767793076bcb99f
SHA1 f7348a4c0c746d5224a775eb643d4bcd29cec049
SHA256 ba5bf590d92abb7192bae9c006204d159ec670c7747322de1a1df6336bb98937
SHA512 9f74a0af54c8ac0d0674ac52d9ee500373d89f2000f25bebc041defed3623e6441800b6f1e381048b4a000624b962459a45d9dd62bdd9c11fedd6ad8e62c660e

C:\Users\Admin\AppData\Roaming\New0rder101299.js

MD5 85283ce784b3405eb5dc4333c40047b8
SHA1 9f130b7c4c09369e12b9c6994fea2d63238dd2b5
SHA256 6fe23db1a528a2dc2f437cb5529eefe1f7ebde45116d2d6b18dc5535cc2e6d29
SHA512 30b5a6265eb5a357e7444f40b041944c96c9c2abd8ca06724b75d65e9a18f2968b7dc69d080eb2b27364c06fd9ebac9ba9b76293963f1662c1a5a8a371e55907

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\34ZL0Q4Z\7R8hcpCS[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VSJJWE3\7R8hcpCS[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js

MD5 85283ce784b3405eb5dc4333c40047b8
SHA1 9f130b7c4c09369e12b9c6994fea2d63238dd2b5
SHA256 6fe23db1a528a2dc2f437cb5529eefe1f7ebde45116d2d6b18dc5535cc2e6d29
SHA512 30b5a6265eb5a357e7444f40b041944c96c9c2abd8ca06724b75d65e9a18f2968b7dc69d080eb2b27364c06fd9ebac9ba9b76293963f1662c1a5a8a371e55907

Analysis: behavioral4

Detonation Overview

Submitted

2022-02-05 12:44

Reported

2022-02-05 12:47

Platform

win10v2004-en-20220113

Max time kernel

154s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder101299.js

Signatures

WSHRAT

trojan wshrat

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 5060 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4736 wrote to memory of 5060 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4736 wrote to memory of 4424 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4736 wrote to memory of 4424 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4424 wrote to memory of 2380 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 4424 wrote to memory of 2380 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder101299.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder101299.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.23.99.190:80 pastebin.com tcp
US 104.23.99.190:443 pastebin.com tcp
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
BE 67.27.153.254:80 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
BE 67.27.153.254:80 tcp
BE 67.27.153.254:80 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp

Files

C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js

MD5 92174ec0aadd62600767793076bcb99f
SHA1 f7348a4c0c746d5224a775eb643d4bcd29cec049
SHA256 ba5bf590d92abb7192bae9c006204d159ec670c7747322de1a1df6336bb98937
SHA512 9f74a0af54c8ac0d0674ac52d9ee500373d89f2000f25bebc041defed3623e6441800b6f1e381048b4a000624b962459a45d9dd62bdd9c11fedd6ad8e62c660e

C:\Users\Admin\AppData\Roaming\New0rder101299.js

MD5 85283ce784b3405eb5dc4333c40047b8
SHA1 9f130b7c4c09369e12b9c6994fea2d63238dd2b5
SHA256 6fe23db1a528a2dc2f437cb5529eefe1f7ebde45116d2d6b18dc5535cc2e6d29
SHA512 30b5a6265eb5a357e7444f40b041944c96c9c2abd8ca06724b75d65e9a18f2968b7dc69d080eb2b27364c06fd9ebac9ba9b76293963f1662c1a5a8a371e55907

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\7R8hcpCS[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\7R8hcpCS[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2016-411-0x0000020D18DC0000-0x0000020D18DD0000-memory.dmp

memory/2016-418-0x0000020D1BB20000-0x0000020D1BB24000-memory.dmp