Analysis Overview
SHA256
3c4d393a4d8d7a7e535f5fb6c5be4c99e5b039f96bc9ba7126fb317b64364cfc
Threat Level: Known bad
The file 3c4d393a4d8d7a7e535f5fb6c5be4c99e5b039f96bc9ba7126fb317b64364cfc was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 16:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 16:40
Reported
2022-02-05 16:42
Platform
win7-en-20211208
Max time kernel
149s
Max time network
147s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\System32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | WSHRAT\|8C677431\|QSKGHMYQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1440 wrote to memory of 624 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1440 wrote to memory of 1848 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1848 wrote to memory of 1108 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder04202012.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder04202012.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.23.99.190:80 | pastebin.com | tcp |
| US | 104.23.99.190:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pluginsrv2.duckdns.org | udp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 159.65.219.192:7777 | | tcp |
Files
memory/1440-55-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp
C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js
| MD5 | 9cd3652dcdda5c46166d031a36adc6ff |
| SHA1 | 0bb84d0e02d04cccc00eb906de035a1f1d0b924f |
| SHA256 | 72bcc845e81e46498d69496e4eed26b0b15982705417aef0a5c72a8bed8b3715 |
| SHA512 | 42b75dd0ecb67ba5f6a0894b101acd03071fbbc556dd9258dc8144b34b7417082efb7513c55899169e614b3beaa5dca8d9174e529aec3dc1f1984c7f8810202a |
C:\Users\Admin\AppData\Roaming\New0rder04202012.js
| MD5 | e23b5b84e026514e3aaa4bb5c592b632 |
| SHA1 | b7ce80e71024621004d7658ae9d2eb4133c06dba |
| SHA256 | 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406 |
| SHA512 | b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\94cJpJDi[1]
| MD5 | fda44910deb1a460be4ac5d56d61d837 |
| SHA1 | f6d0c643351580307b2eaa6a7560e76965496bc7 |
| SHA256 | 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9 |
| SHA512 | 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFMJZ4T6\94cJpJDi[1].txt
| MD5 | 2008964ef2e2c06fb98a35262700d712 |
| SHA1 | 7660a6d1246543385c390fb29b0980ff850519fb |
| SHA256 | 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b |
| SHA512 | a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | a1ef4d7e0b627235a325139a66a1020b |
| SHA1 | fa67962fbf641ac868afff55bb6efc5ed7789ffb |
| SHA256 | d1532712bbd0f036beff1c0245095303a3cb1e3a8f93c8ec9ee3a7123720303f |
| SHA512 | 28dae1e83ff8edc476f9efdf129e3522220a6ac7a483c2ccf5db8d0879122e828cbf118a626a3e8e15c17f8e80c8e40f5737d826769068d15a78ee5b99f5f864 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 71485d6dad10ceef12040fd711df872a |
| SHA1 | 897a77130781bce4aaeae2ffde5e6944993dbcbc |
| SHA256 | 3e07fbecbbdebe402542141b968ec6dd2fe96c4a48c47563b759ad24c3516f30 |
| SHA512 | 3468983f3e4c64aebfe392735e03f16634e8ec3cc2759ca39eebbfc1676e321602a051ad2b383e01e5e947a0b5007f4994c2e0e06033246d3559692e1b729bd3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8537074162622df00de7740c597303c7 |
| SHA1 | cb9c66cd06242c899b3a207b02d8776c0ac76a37 |
| SHA256 | bc66e5b5de339ad0c2e0adab3ba032e511a64627a32e6eec031a9c80d05d6536 |
| SHA512 | 0441e31b2c1e9b05ba91d368a79bc7dbf56590b10eb5b7aaf270805d68f91919443d9410290c104ec34ac771de9ab0e4c4b24ead60f025bf46b95983768f7fbc |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js
| MD5 | e23b5b84e026514e3aaa4bb5c592b632 |
| SHA1 | b7ce80e71024621004d7658ae9d2eb4133c06dba |
| SHA256 | 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406 |
| SHA512 | b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 16:40
Reported
2022-02-05 16:43
Platform
win10v2004-en-20220113
Max time kernel
155s
Max time network
160s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" | C:\Windows\System32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | WSHRAT\|5C0A896F\|JDQPXOPR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/2/2022\|JavaScript-v1.6 | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5024 wrote to memory of 4800 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5024 wrote to memory of 4912 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4912 wrote to memory of 3556 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder04202012.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder04202012.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.23.99.190:80 | pastebin.com | tcp |
| US | 104.23.99.190:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pluginsrv2.duckdns.org | udp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 159.65.219.192:7777 | | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 192.169.69.25:8000 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js
| MD5 | 9cd3652dcdda5c46166d031a36adc6ff |
| SHA1 | 0bb84d0e02d04cccc00eb906de035a1f1d0b924f |
| SHA256 | 72bcc845e81e46498d69496e4eed26b0b15982705417aef0a5c72a8bed8b3715 |
| SHA512 | 42b75dd0ecb67ba5f6a0894b101acd03071fbbc556dd9258dc8144b34b7417082efb7513c55899169e614b3beaa5dca8d9174e529aec3dc1f1984c7f8810202a |
C:\Users\Admin\AppData\Roaming\New0rder04202012.js
| MD5 | e23b5b84e026514e3aaa4bb5c592b632 |
| SHA1 | b7ce80e71024621004d7658ae9d2eb4133c06dba |
| SHA256 | 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406 |
| SHA512 | b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\94cJpJDi[1]
| MD5 | fda44910deb1a460be4ac5d56d61d837 |
| SHA1 | f6d0c643351580307b2eaa6a7560e76965496bc7 |
| SHA256 | 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9 |
| SHA512 | 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\94cJpJDi[1].txt
| MD5 | 2008964ef2e2c06fb98a35262700d712 |
| SHA1 | 7660a6d1246543385c390fb29b0980ff850519fb |
| SHA256 | 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b |
| SHA512 | a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js
| MD5 | e23b5b84e026514e3aaa4bb5c592b632 |
| SHA1 | b7ce80e71024621004d7658ae9d2eb4133c06dba |
| SHA256 | 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406 |
| SHA512 | b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e |
memory/3560-135-0x000001BEE4DA0000-0x000001BEE4DB0000-memory.dmp
memory/3560-142-0x000001BEE7A20000-0x000001BEE7A24000-memory.dmp