Malware Analysis Report

2025-04-14 08:31

Sample ID: 220206-2vav4acehp
Target: 9a80d362fb152ee89fc8bb35e54d65eb9d229b516a57ce43413f2596daef0c8a
SHA256: 9a80d362fb152ee89fc8bb35e54d65eb9d229b516a57ce43413f2596daef0c8a
Tags: wshrat persistence trojan asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 9a80d362fb152ee89fc8bb35e54d65eb9d229b516a57ce43413f2596daef0c8a

Threat Level: Known bad

The file 9a80d362fb152ee89fc8bb35e54d65eb9d229b516a57ce43413f2596daef0c8a was found to be: Known bad.

Malicious Activity Summary

Tags: wshrat persistence trojan asyncrat default rat

AsyncRat

Wshrat family

WSHRAT

WSHRAT Payload

Async RAT payload

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-02-06 22:53

Signatures

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

Tags: wshrat

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-06 22:53
Reported: 2022-02-06 22:56
Platform: win7-en-20211208
Max time kernel: 150s
Max time network: 148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Rfq Attached 202103_Top Urgent (9).js"

Signatures

WSHRAT

Tags: trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rfq Attached 202103_Top Urgent (9).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rfq Attached 202103_Top Urgent (9).js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Rfq Attached 202103_Top Urgent (9).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -FILE C:\Users\Admin\AppData\Local\Temp\Systray64.PS1

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp

Files

memory/876-53-0x000007FEFC501000-0x000007FEFC503000-memory.dmp

C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).js

MD5 9bfa5fa269bb950a4d2e9b3e5c42364f
SHA1 2ac8c8e30b6f372eea81785e7ad7e502efc4e366
SHA256 92e7d30a12117e09df1df828f25455892238a636bf076640fcfb65bc5ddde4d6
SHA512 56fc5e27436e6fa7aa9c5d5bcf822d853782c590d1ec95c1b9534a7ede2e588be567d56e74e0803dbcae0b3ee1bda0c861867fc730c7724be2332ba485c034d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rfq Attached 202103_Top Urgent (9).js

MD5 9bfa5fa269bb950a4d2e9b3e5c42364f
SHA1 2ac8c8e30b6f372eea81785e7ad7e502efc4e366
SHA256 92e7d30a12117e09df1df828f25455892238a636bf076640fcfb65bc5ddde4d6
SHA512 56fc5e27436e6fa7aa9c5d5bcf822d853782c590d1ec95c1b9534a7ede2e588be567d56e74e0803dbcae0b3ee1bda0c861867fc730c7724be2332ba485c034d7

C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).vbs

MD5 45fdeb19db7b1aa6d95c72849260e451
SHA1 c0c65f1236644f9fc421b687535a9a53d5d39d37
SHA256 5afc60f9fcbb6a7f552ba06a7972d6608dfcf3a0ef8501dc5db1484e64acf99c
SHA512 cb5226270be57fdc43e6e0663cf499beb4f20f5b53fb67cbbbba11603d9d77a6d70724e340c5620ecaefe01bc8615f3dd5732f74ed1d6097df6da97996585572

memory/1240-61-0x00000000027C0000-0x00000000027C2000-memory.dmp

memory/1240-62-0x00000000027C2000-0x00000000027C4000-memory.dmp

memory/1240-63-0x00000000027C4000-0x00000000027C7000-memory.dmp

memory/1240-60-0x000007FEF2F80000-0x000007FEF3ADD000-memory.dmp

memory/1240-64-0x000000001B7E0000-0x000000001BADF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Systray64.PS1

MD5 1c73a556680a28514db20dcbcce19a6b
SHA1 e78ad654f4a0ec3c68e038f6a021f345fa65694d
SHA256 ec99df95b25782a915c645cd0fd7e0f43b44c14d57fb63d944811bcaa2a05c18
SHA512 73dd05502306eb9cff1891c3b8bab562416096ce0b72ca229dde39a84a504cb642b7ba21b5ef4456cc3b44cfe641c637907209099d75142b90f4ee4dae263f69

memory/1240-66-0x00000000027CB000-0x00000000027EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-06 22:53
Reported: 2022-02-06 22:56
Platform: win10v2004-en-20220112
Max time kernel: 150s
Max time network: 154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Rfq Attached 202103_Top Urgent (9).js"

Signatures

AsyncRat

Tags: rat asyncrat

WSHRAT

Tags: trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

Tags: rat

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rfq Attached 202103_Top Urgent (9).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rfq Attached 202103_Top Urgent (9).js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Installation.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Installation.vbs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rfq Attached 202103_Top Urgent (9) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Rfq Attached 202103_Top Urgent (9).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3148 set thread context of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3840" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4076" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.385591" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132888380361315537" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings C:\Windows\System32\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 3756 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 380 wrote to memory of 3756 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 3756 wrote to memory of 412 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe
PID 3756 wrote to memory of 412 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe
PID 412 wrote to memory of 3148 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 412 wrote to memory of 3148 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 1928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3148 wrote to memory of 1928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1928 wrote to memory of 3576 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1928 wrote to memory of 3576 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Rfq Attached 202103_Top Urgent (9).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -FILE C:\Users\Admin\AppData\Local\Temp\Systray64.PS1

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\giz1nqvd\giz1nqvd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFAD.tmp" "c:\Users\Admin\AppData\Local\Temp\giz1nqvd\CSC5F6220482C05472F9C9FD7C828A35BD7.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 40.91.80.89:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
NL 104.110.191.140:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 asin8988.ddns.net udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 Asin8989.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
N/A 10.127.0.99:8989 tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
N/A 10.127.0.99:8989 tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
N/A 10.127.0.99:8988 tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
N/A 10.127.0.99:8988 tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
N/A 10.127.0.99:8989 tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
N/A 10.127.0.99:8988 tcp
US 8.8.8.8:53 4750wsh25.ddns.net udp
US 8.8.8.8:53 4750wsh25.ddns.net udp
N/A 10.127.0.99:8989 tcp

Files

C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).js

MD5 9bfa5fa269bb950a4d2e9b3e5c42364f
SHA1 2ac8c8e30b6f372eea81785e7ad7e502efc4e366
SHA256 92e7d30a12117e09df1df828f25455892238a636bf076640fcfb65bc5ddde4d6
SHA512 56fc5e27436e6fa7aa9c5d5bcf822d853782c590d1ec95c1b9534a7ede2e588be567d56e74e0803dbcae0b3ee1bda0c861867fc730c7724be2332ba485c034d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rfq Attached 202103_Top Urgent (9).js

MD5 d255bce5ceb9f875c9c3174132a99c94
SHA1 21f56620c495eabcf366a8d43c95312987bb5d3c
SHA256 4a73e8d93a70fe2149d97640330568cc3f1d80646d75476f1d4535e52169eab3
SHA512 a5dc76d1721f828fbff436be8232ea32f35fb28045735a07f7dfe38b93437451e4d4b7abad3167f58a4d87937ca6f1bf9f1b1cae554cdd8ed9e2454559f81fe2

C:\Users\Admin\AppData\Roaming\Rfq Attached 202103_Top Urgent (9).vbs

MD5 45fdeb19db7b1aa6d95c72849260e451
SHA1 c0c65f1236644f9fc421b687535a9a53d5d39d37
SHA256 5afc60f9fcbb6a7f552ba06a7972d6608dfcf3a0ef8501dc5db1484e64acf99c
SHA512 cb5226270be57fdc43e6e0663cf499beb4f20f5b53fb67cbbbba11603d9d77a6d70724e340c5620ecaefe01bc8615f3dd5732f74ed1d6097df6da97996585572

memory/3148-137-0x00000278D2F80000-0x00000278D2FA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Systray64.PS1

MD5 1c73a556680a28514db20dcbcce19a6b
SHA1 e78ad654f4a0ec3c68e038f6a021f345fa65694d
SHA256 ec99df95b25782a915c645cd0fd7e0f43b44c14d57fb63d944811bcaa2a05c18
SHA512 73dd05502306eb9cff1891c3b8bab562416096ce0b72ca229dde39a84a504cb642b7ba21b5ef4456cc3b44cfe641c637907209099d75142b90f4ee4dae263f69

memory/3148-141-0x00000278D3030000-0x00000278D3032000-memory.dmp

memory/3148-142-0x00000278D3033000-0x00000278D3035000-memory.dmp

memory/3148-143-0x00000278D3036000-0x00000278D3038000-memory.dmp

memory/3148-144-0x00000278D34E0000-0x00000278D3556000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\giz1nqvd\giz1nqvd.cmdline

MD5 a411e7a835e16e6985a9c1cbaa59f8b7
SHA1 60813eeeb8cd248eecbb7647924cdb688df92e66
SHA256 66e045192fab77069aa133d0ebeb781ee03d0b0f26a452fed5d23b4cb04b9410
SHA512 d583875c276eb5736c2d13fdbeeaefa692a2584263f371f88054289196237d5c4d97c4466f9eec4dca3f739b4b1491869b61edbf0dc1be76ea93cff1a62a5930

\??\c:\Users\Admin\AppData\Local\Temp\giz1nqvd\giz1nqvd.0.cs

MD5 e03b1e7ba7f1a53a7e10c0fd9049f437
SHA1 3bb851a42717eeb588eb7deadfcd04c571c15f41
SHA256 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
SHA512 a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

\??\c:\Users\Admin\AppData\Local\Temp\giz1nqvd\CSC5F6220482C05472F9C9FD7C828A35BD7.TMP

MD5 3aaf559d8eff6ebdb55f22cb0b646a6b
SHA1 b27f3a82b2064dc2d6e86cfa13547c02258a8c80
SHA256 7750496efc79a1e6e21e9bad6f6d6fb024b207a348468ae86c157743367bcd83
SHA512 72c911f27e19d6a9bab7036146ac476b2bd2268797668ee0fca2812d6420b0c17f99b6b5a40736459f05044f7887c1ef8ced3dca64b52922fb1f43f1839c480e

C:\Users\Admin\AppData\Local\Temp\RESEFAD.tmp

MD5 d83e681efd4e71216e8045ce29fed856
SHA1 0583547c733af5bc546bec41597eacf2d59024ae
SHA256 c82196a5c4c6b5ef3a6ebfa9313d3d87933c7e960f353b17fbe3bcc5008500b8
SHA512 7ae0422803233eabf41d148e552362279204c2dfd86f353448d562ce311206e40ccc74f3f42fce54f47e85813c58ba117f4231656415b9e1927577071ed44995

C:\Users\Admin\AppData\Local\Temp\giz1nqvd\giz1nqvd.dll

MD5 dbb988f918ff343ec052c1c3b3080727
SHA1 ef5ce04e4d0d9c78bdcc467b41fc084ab8681a1b
SHA256 46d78fd7e44cfcde3892b37e3619da527c6da41dff8d5047425a724014f63a72
SHA512 06b0a5466cfbf8ec408b7ad80252b98c2d93259860821de0642be1254dc5cf1f94da624955bd603727de8e574da18c1dc6cdbe8f0043c975768996ae1f78acb9

memory/1284-151-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1284-156-0x0000000009610000-0x0000000009611000-memory.dmp