Malware Analysis Report

2025-04-14 08:31

Sample ID 220205-t6nx4adch7
Target 3c4d393a4d8d7a7e535f5fb6c5be4c99e5b039f96bc9ba7126fb317b64364cfc
SHA256 3c4d393a4d8d7a7e535f5fb6c5be4c99e5b039f96bc9ba7126fb317b64364cfc
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c4d393a4d8d7a7e535f5fb6c5be4c99e5b039f96bc9ba7126fb317b64364cfc

Threat Level: Known bad

The file 3c4d393a4d8d7a7e535f5fb6c5be4c99e5b039f96bc9ba7126fb317b64364cfc was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 16:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 16:40

Reported

2022-02-05 16:42

Platform

win7-en-20211208

Max time kernel

149s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder04202012.js

Signatures

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder04202012.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder04202012.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.23.99.190:80 pastebin.com tcp
US 104.23.99.190:443 pastebin.com tcp
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 104.23.99.190:443 pastebin.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp

Files

memory/1440-55-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp

C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js

MD5 9cd3652dcdda5c46166d031a36adc6ff
SHA1 0bb84d0e02d04cccc00eb906de035a1f1d0b924f
SHA256 72bcc845e81e46498d69496e4eed26b0b15982705417aef0a5c72a8bed8b3715
SHA512 42b75dd0ecb67ba5f6a0894b101acd03071fbbc556dd9258dc8144b34b7417082efb7513c55899169e614b3beaa5dca8d9174e529aec3dc1f1984c7f8810202a

C:\Users\Admin\AppData\Roaming\New0rder04202012.js

MD5 e23b5b84e026514e3aaa4bb5c592b632
SHA1 b7ce80e71024621004d7658ae9d2eb4133c06dba
SHA256 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406
SHA512 b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\94cJpJDi[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFMJZ4T6\94cJpJDi[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 a1ef4d7e0b627235a325139a66a1020b
SHA1 fa67962fbf641ac868afff55bb6efc5ed7789ffb
SHA256 d1532712bbd0f036beff1c0245095303a3cb1e3a8f93c8ec9ee3a7123720303f
SHA512 28dae1e83ff8edc476f9efdf129e3522220a6ac7a483c2ccf5db8d0879122e828cbf118a626a3e8e15c17f8e80c8e40f5737d826769068d15a78ee5b99f5f864

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 71485d6dad10ceef12040fd711df872a
SHA1 897a77130781bce4aaeae2ffde5e6944993dbcbc
SHA256 3e07fbecbbdebe402542141b968ec6dd2fe96c4a48c47563b759ad24c3516f30
SHA512 3468983f3e4c64aebfe392735e03f16634e8ec3cc2759ca39eebbfc1676e321602a051ad2b383e01e5e947a0b5007f4994c2e0e06033246d3559692e1b729bd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8537074162622df00de7740c597303c7
SHA1 cb9c66cd06242c899b3a207b02d8776c0ac76a37
SHA256 bc66e5b5de339ad0c2e0adab3ba032e511a64627a32e6eec031a9c80d05d6536
SHA512 0441e31b2c1e9b05ba91d368a79bc7dbf56590b10eb5b7aaf270805d68f91919443d9410290c104ec34ac771de9ab0e4c4b24ead60f025bf46b95983768f7fbc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js

MD5 e23b5b84e026514e3aaa4bb5c592b632
SHA1 b7ce80e71024621004d7658ae9d2eb4133c06dba
SHA256 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406
SHA512 b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 16:40

Reported

2022-02-05 16:43

Platform

win10v2004-en-20220113

Max time kernel

155s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder04202012.js

Signatures

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VQRpXFxKoe.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VQRpXFxKoe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VQRpXFxKoe.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder04202012 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder04202012.js\"" C:\Windows\System32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A
HTTP User-Agent header WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 4800 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 5024 wrote to memory of 4800 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 5024 wrote to memory of 4912 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 5024 wrote to memory of 4912 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4912 wrote to memory of 3556 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 4912 wrote to memory of 3556 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder04202012.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder04202012.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.23.99.190:80 pastebin.com tcp
US 104.23.99.190:443 pastebin.com tcp
US 8.8.8.8:53 pluginsrv2.duckdns.org udp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.65.219.192:7777 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 159.65.219.192:7777 tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 pluginsrv2.duckdns.org tcp
US 192.169.69.25:8000 tcp

Files

C:\Users\Admin\AppData\Roaming\VQRpXFxKoe.js

MD5 9cd3652dcdda5c46166d031a36adc6ff
SHA1 0bb84d0e02d04cccc00eb906de035a1f1d0b924f
SHA256 72bcc845e81e46498d69496e4eed26b0b15982705417aef0a5c72a8bed8b3715
SHA512 42b75dd0ecb67ba5f6a0894b101acd03071fbbc556dd9258dc8144b34b7417082efb7513c55899169e614b3beaa5dca8d9174e529aec3dc1f1984c7f8810202a

C:\Users\Admin\AppData\Roaming\New0rder04202012.js

MD5 e23b5b84e026514e3aaa4bb5c592b632
SHA1 b7ce80e71024621004d7658ae9d2eb4133c06dba
SHA256 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406
SHA512 b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\94cJpJDi[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\94cJpJDi[1].txt

MD5 2008964ef2e2c06fb98a35262700d712
SHA1 7660a6d1246543385c390fb29b0980ff850519fb
SHA256 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b
SHA512 a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder04202012.js

MD5 e23b5b84e026514e3aaa4bb5c592b632
SHA1 b7ce80e71024621004d7658ae9d2eb4133c06dba
SHA256 807f51f6b359e2eed175d4bb28cc94da5c48390867013e5f8cc9155356509406
SHA512 b66de6f76d2a372db84c0821046dd3e72eb53ab6fc0a76032e40f5125c46ea31827823fb05cb295eac8051badeb10b7012a09a3af0eeb6985bcd3905b843286e

memory/3560-135-0x000001BEE4DA0000-0x000001BEE4DB0000-memory.dmp

memory/3560-142-0x000001BEE7A20000-0x000001BEE7A24000-memory.dmp