Malware Analysis Report

2025-04-14 08:31

Sample ID 220208-c7ktdsccf7
Target 5b7447c2595eb7fd167d064c441991843ddaeefda4ee0f882e85fc6b920c7ee2
SHA256 5b7447c2595eb7fd167d064c441991843ddaeefda4ee0f882e85fc6b920c7ee2
Tags wshrat persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 5b7447c2595eb7fd167d064c441991843ddaeefda4ee0f882e85fc6b920c7ee2

Threat Level: Known bad

The file 5b7447c2595eb7fd167d064c441991843ddaeefda4ee0f882e85fc6b920c7ee2 was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in Windows directory

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Script User-Agent

Runs .reg file with regedit

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-08 02:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-08 02:43

Reported

2022-02-08 07:08

Platform

win7-en-20211208

Max time kernel

160s

Max time network

178s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Solicitud.js

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitud.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitud.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 8/2/2022|JavaScript-v2.0|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 524 wrote to memory of 1436 N/A C:\Windows\system32\wscript.exe C:\Windows\regedit.exe
PID 524 wrote to memory of 1832 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1832 wrote to memory of 1156 N/A C:\Windows\System32\wscript.exe C:\Windows\regedit.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Solicitud.js

C:\Windows\regedit.exe

"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Solicitud.js"

C:\Windows\regedit.exe

"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 trabajovalle2019.duckdns.org udp
US 192.169.69.26:2034 trabajovalle2019.duckdns.org tcp

Files

memory/524-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

memory/1436-56-0x0000000000410000-0x0000000000411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

MD5 0e5411d7ecba9a435afda71c6c39d8fd
SHA1 2d6812052bf7be1b5e213e1d813ae39faa07284c
SHA256 cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2
SHA512 903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

C:\Users\Admin\AppData\Roaming\Solicitud.js

MD5 941e9bce9139aeebd0588f515af98221
SHA1 0a6f6b9f9fd6cce6e7e8460ac85a88094a1dcb59
SHA256 a6ae6b0462bfbad2f8637834d17a848cf483c3fc65268d098829fdb88ba7148c
SHA512 c270270a878ab61f03ebaa842e057d36032521c94a147fa27e8a8c331484d35e756aadab08ddc1aed439df6ccc048b29d69a5eb59cca1c38365b1f00eb63aca6

memory/1156-61-0x0000000000180000-0x0000000000181000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitud.js

MD5 941e9bce9139aeebd0588f515af98221
SHA1 0a6f6b9f9fd6cce6e7e8460ac85a88094a1dcb59
SHA256 a6ae6b0462bfbad2f8637834d17a848cf483c3fc65268d098829fdb88ba7148c
SHA512 c270270a878ab61f03ebaa842e057d36032521c94a147fa27e8a8c331484d35e756aadab08ddc1aed439df6ccc048b29d69a5eb59cca1c38365b1f00eb63aca6

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-08 02:43

Reported

2022-02-08 07:08

Platform

win10v2004-en-20220112

Max time kernel

178s

Max time network

186s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Solicitud.js

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitud.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitud.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solicitud = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Solicitud.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4076" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.877963" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132889540487807322" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings C:\Windows\System32\wscript.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 8/2/2022|JavaScript-v2.0|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 1384 N/A C:\Windows\system32\wscript.exe C:\Windows\regedit.exe
PID 1020 wrote to memory of 3964 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 3964 wrote to memory of 2144 N/A C:\Windows\System32\wscript.exe C:\Windows\regedit.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Solicitud.js

C:\Windows\regedit.exe

"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Solicitud.js"

C:\Windows\regedit.exe

"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
NL 104.110.191.140:80 tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 trabajovalle2019.duckdns.org udp
US 192.169.69.26:2034 trabajovalle2019.duckdns.org tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.184.213.187:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 192.169.69.26:2034 trabajovalle2019.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

MD5 0e5411d7ecba9a435afda71c6c39d8fd
SHA1 2d6812052bf7be1b5e213e1d813ae39faa07284c
SHA256 cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2
SHA512 903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

C:\Users\Admin\AppData\Roaming\Solicitud.js

MD5 941e9bce9139aeebd0588f515af98221
SHA1 0a6f6b9f9fd6cce6e7e8460ac85a88094a1dcb59
SHA256 a6ae6b0462bfbad2f8637834d17a848cf483c3fc65268d098829fdb88ba7148c
SHA512 c270270a878ab61f03ebaa842e057d36032521c94a147fa27e8a8c331484d35e756aadab08ddc1aed439df6ccc048b29d69a5eb59cca1c38365b1f00eb63aca6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Solicitud.js

MD5 941e9bce9139aeebd0588f515af98221
SHA1 0a6f6b9f9fd6cce6e7e8460ac85a88094a1dcb59
SHA256 a6ae6b0462bfbad2f8637834d17a848cf483c3fc65268d098829fdb88ba7148c
SHA512 c270270a878ab61f03ebaa842e057d36032521c94a147fa27e8a8c331484d35e756aadab08ddc1aed439df6ccc048b29d69a5eb59cca1c38365b1f00eb63aca6