Analysis Overview
SHA256
39a5592307e15f1f09859534419c0c6ea0b6c052b45a22b2df0acef1c1bc77d4
Threat Level: Known bad
The file 39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe was found to be: Known bad.
Malicious Activity Summary
WSHRAT
xmrig
XMRig Miner Payload
Blocklisted process makes network request
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies registry class
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-14 18:07
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-14 18:07
Reported
2022-02-14 18:10
Platform
win10v2004-en-20220112
Max time kernel
161s
Max time network
176s
Command Line
Signatures
WSHRAT
xmrig
XMRig Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\stalker_player.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.JS | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.JS | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.vbs\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.JS\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.JS\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.vbs\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3144 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|48C8CF8A|RIBCQUHQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe
"C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\VisualStudio.JS"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\VisualStudio.jar"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\VisualStudio.vbs"
C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe"
C:\Users\Admin\AppData\Roaming\stalker_player.exe
"C:\Users\Admin\AppData\Roaming\stalker_player.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=auto.skypool.org:5555 --user=42LWroKkaot7k6VU59vZyz7kxmhQGgWJhfdrEhV5GBkQ1Q6DqNRmoDALTM4PoM5n2JcS4t4wYDXTfWR8oyM8XfQhQxXhvdU --pass=151 --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=100 --cinit-stealth
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.253.208.113:80 | tcp | |
| US | 8.253.208.113:80 | tcp | |
| US | 8.253.208.113:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | redlan.mywire.org | udp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| US | 8.8.8.8:53 | auto.skypool.org | udp |
| CN | 81.69.165.37:5555 | auto.skypool.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\VisualStudio.JS
| MD5 | f07fe7d0a3b59b69c19c450d1516158e |
| SHA1 | 856a9c5c3938312c27697698e05b97fe8725db92 |
| SHA256 | db4639d5386e9702d006fdf268e33675e1b8d0e4886aadd04d0adcde9b08c426 |
| SHA512 | 283a1930c0b48a0224cabc908387f232b2adecda9f221040cf64b8eb81e0f67a092e338b6219e593fac207afb8333cc3ef8cdf1de3a44289d894037d313b19db |
C:\Users\Admin\AppData\Roaming\VisualStudio.vbs
| MD5 | 185ec018330ca154982464658dac12e1 |
| SHA1 | 7e19e7af5f3cce1c8bbf76610b5f330b4b1aa9d6 |
| SHA256 | cf43ab984c1c4d0f8dd5ad81e920f6f69593cf49a72b2606deb223351d4ff4ca |
| SHA512 | ec7d58af3844a9689b8d5cdb5bc02a99e327ae56ed70a1cf387a354f359e56d8485f4e0855b82819e38b2025d790981883d76c584742aa2afdbd22ff0825e2a3 |
C:\Users\Admin\AppData\Roaming\VisualStudio.jar
| MD5 | 6fe6bac5dd75eeb70521ff947fb7008b |
| SHA1 | 1bceb447ec1174f0b2a34cbdf08703dc8020a6b2 |
| SHA256 | 0e0e37118bddbf947175118a866700bc475b80543864b28ca0870d337c0ffcd6 |
| SHA512 | 4cf68c825c5fdf5b53d4a92c8b24929aaf25a4f6b0e9cf5971a28428461d2343b1f786e993bdbae5b06be4f0e59c23b62eff2ad9dbf32e8ec6ce78df98e5c9c4 |
C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe
| MD5 | 21f7e46a5755745289909a6f46c3719b |
| SHA1 | 3f91c5ca31526347115497c9518e1a80ee43e31f |
| SHA256 | 35cf9162f6ffa815f1300fa2d131aa68cd9c7f8fde595ced98f2a5e3ae81032b |
| SHA512 | c99f4ecfa322a4a888e1693d803e64b1137ee3660a7f37cb93517e6418936527c9a20fc604d840b25d2d769e226e231a7c681546df427f66b27be65e4d9e50cc |
C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe
| MD5 | 21f7e46a5755745289909a6f46c3719b |
| SHA1 | 3f91c5ca31526347115497c9518e1a80ee43e31f |
| SHA256 | 35cf9162f6ffa815f1300fa2d131aa68cd9c7f8fde595ced98f2a5e3ae81032b |
| SHA512 | c99f4ecfa322a4a888e1693d803e64b1137ee3660a7f37cb93517e6418936527c9a20fc604d840b25d2d769e226e231a7c681546df427f66b27be65e4d9e50cc |
C:\Users\Admin\AppData\Roaming\stalker_player.exe
| MD5 | 3359548ffc45021bb8ce25740092c6c8 |
| SHA1 | 5bfe69c4b3adc72ea70eb7617bb3e273c5f2153d |
| SHA256 | 7a86fa659027bb4a3774afc27251c8362c59d4cb8a526ef7f9bdac2dcea266f8 |
| SHA512 | 7180e9120b259e597d689f6c83df3bb7a5775ce48e050064eca371a90e525b2f7d688429e2d9d5dfcdb6c0c223cf2585fd5947bedc90529ab8b43c483a758599 |
memory/3144-136-0x00007FFBBDCD3000-0x00007FFBBDCD5000-memory.dmp
memory/3144-137-0x0000000000C50000-0x0000000002A0E000-memory.dmp
memory/3144-138-0x0000000003250000-0x0000000003262000-memory.dmp
memory/1596-139-0x0000000000400000-0x0000000001CE0000-memory.dmp
memory/1596-140-0x0000000000400000-0x0000000001CE0000-memory.dmp
memory/3144-141-0x0000000003280000-0x000000000328A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | a342197e9ff299ae20b11b3b0a0a1199 |
| SHA1 | 09cb1c072b677243fdeddf80d159109d0e04ecba |
| SHA256 | 0a47491a230d24ce3d1095fb54d7ba6560331c7bff9757ccaeb73a2e93d3e4bd |
| SHA512 | 6df7c852e7c3ee720ee72b8d444203a01410d82acbf1f6bf48c796fed21d04d1b10ffc1922338ee91b19aaf8abf965164415edf9e131767dee01cdf616c4c2a2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | a342197e9ff299ae20b11b3b0a0a1199 |
| SHA1 | 09cb1c072b677243fdeddf80d159109d0e04ecba |
| SHA256 | 0a47491a230d24ce3d1095fb54d7ba6560331c7bff9757ccaeb73a2e93d3e4bd |
| SHA512 | 6df7c852e7c3ee720ee72b8d444203a01410d82acbf1f6bf48c796fed21d04d1b10ffc1922338ee91b19aaf8abf965164415edf9e131767dee01cdf616c4c2a2 |
memory/1904-145-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1904-146-0x0000000000C50000-0x0000000000C70000-memory.dmp
memory/3240-149-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/3240-154-0x0000000000F90000-0x0000000000F91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\json[2].json
| MD5 | 0c17abb0ed055fecf0c48bb6e46eb4eb |
| SHA1 | a692730c8ec7353c31b94a888f359edb54aaa4c8 |
| SHA256 | f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0 |
| SHA512 | 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3 |
memory/1480-174-0x00000212E9280000-0x00000212E9286000-memory.dmp
memory/3240-175-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/3240-176-0x0000000000F90000-0x0000000000F91000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-14 18:07
Reported
2022-02-14 18:09
Platform
win7-en-20211208
Max time kernel
124s
Max time network
157s
Command Line
Signatures
WSHRAT
xmrig
XMRig Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\stalker_player.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.JS | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.JS | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VisualStudio.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.vbs\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.vbs\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.JS\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudio = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\VisualStudio.JS\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 1656 | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe
"C:\Users\Admin\AppData\Local\Temp\39A5592307E15F1F09859534419C0C6EA0B6C052B45A2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\VisualStudio.JS"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\VisualStudio.jar"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\VisualStudio.vbs"
C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe"
C:\Users\Admin\AppData\Roaming\stalker_player.exe
"C:\Users\Admin\AppData\Roaming\stalker_player.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=auto.skypool.org:5555 --user=42LWroKkaot7k6VU59vZyz7kxmhQGgWJhfdrEhV5GBkQ1Q6DqNRmoDALTM4PoM5n2JcS4t4wYDXTfWR8oyM8XfQhQxXhvdU --pass=151 --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=100 --cinit-stealth
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | redlan.mywire.org | udp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.112.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| US | 8.8.8.8:53 | auto.skypool.org | udp |
| CN | 81.69.165.37:5555 | auto.skypool.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
| FR | 92.205.28.105:8000 | redlan.mywire.org | tcp |
Files
memory/1664-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
memory/764-55-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp
C:\Users\Admin\AppData\Roaming\VisualStudio.JS
| MD5 | f07fe7d0a3b59b69c19c450d1516158e |
| SHA1 | 856a9c5c3938312c27697698e05b97fe8725db92 |
| SHA256 | db4639d5386e9702d006fdf268e33675e1b8d0e4886aadd04d0adcde9b08c426 |
| SHA512 | 283a1930c0b48a0224cabc908387f232b2adecda9f221040cf64b8eb81e0f67a092e338b6219e593fac207afb8333cc3ef8cdf1de3a44289d894037d313b19db |
C:\Users\Admin\AppData\Roaming\VisualStudio.jar
| MD5 | 6fe6bac5dd75eeb70521ff947fb7008b |
| SHA1 | 1bceb447ec1174f0b2a34cbdf08703dc8020a6b2 |
| SHA256 | 0e0e37118bddbf947175118a866700bc475b80543864b28ca0870d337c0ffcd6 |
| SHA512 | 4cf68c825c5fdf5b53d4a92c8b24929aaf25a4f6b0e9cf5971a28428461d2343b1f786e993bdbae5b06be4f0e59c23b62eff2ad9dbf32e8ec6ce78df98e5c9c4 |
C:\Users\Admin\AppData\Roaming\VisualStudio.vbs
| MD5 | 185ec018330ca154982464658dac12e1 |
| SHA1 | 7e19e7af5f3cce1c8bbf76610b5f330b4b1aa9d6 |
| SHA256 | cf43ab984c1c4d0f8dd5ad81e920f6f69593cf49a72b2606deb223351d4ff4ca |
| SHA512 | ec7d58af3844a9689b8d5cdb5bc02a99e327ae56ed70a1cf387a354f359e56d8485f4e0855b82819e38b2025d790981883d76c584742aa2afdbd22ff0825e2a3 |
memory/764-62-0x0000000002400000-0x0000000002670000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe
| MD5 | 21f7e46a5755745289909a6f46c3719b |
| SHA1 | 3f91c5ca31526347115497c9518e1a80ee43e31f |
| SHA256 | 35cf9162f6ffa815f1300fa2d131aa68cd9c7f8fde595ced98f2a5e3ae81032b |
| SHA512 | c99f4ecfa322a4a888e1693d803e64b1137ee3660a7f37cb93517e6418936527c9a20fc604d840b25d2d769e226e231a7c681546df427f66b27be65e4d9e50cc |
C:\Users\Admin\AppData\Roaming\Windows Security Notification.exe
| MD5 | 21f7e46a5755745289909a6f46c3719b |
| SHA1 | 3f91c5ca31526347115497c9518e1a80ee43e31f |
| SHA256 | 35cf9162f6ffa815f1300fa2d131aa68cd9c7f8fde595ced98f2a5e3ae81032b |
| SHA512 | c99f4ecfa322a4a888e1693d803e64b1137ee3660a7f37cb93517e6418936527c9a20fc604d840b25d2d769e226e231a7c681546df427f66b27be65e4d9e50cc |
\Users\Admin\AppData\Roaming\Windows Security Notification.exe
| MD5 | 21f7e46a5755745289909a6f46c3719b |
| SHA1 | 3f91c5ca31526347115497c9518e1a80ee43e31f |
| SHA256 | 35cf9162f6ffa815f1300fa2d131aa68cd9c7f8fde595ced98f2a5e3ae81032b |
| SHA512 | c99f4ecfa322a4a888e1693d803e64b1137ee3660a7f37cb93517e6418936527c9a20fc604d840b25d2d769e226e231a7c681546df427f66b27be65e4d9e50cc |
\Users\Admin\AppData\Roaming\stalker_player.exe
| MD5 | 3359548ffc45021bb8ce25740092c6c8 |
| SHA1 | 5bfe69c4b3adc72ea70eb7617bb3e273c5f2153d |
| SHA256 | 7a86fa659027bb4a3774afc27251c8362c59d4cb8a526ef7f9bdac2dcea266f8 |
| SHA512 | 7180e9120b259e597d689f6c83df3bb7a5775ce48e050064eca371a90e525b2f7d688429e2d9d5dfcdb6c0c223cf2585fd5947bedc90529ab8b43c483a758599 |
C:\Users\Admin\AppData\Roaming\stalker_player.exe
| MD5 | 3359548ffc45021bb8ce25740092c6c8 |
| SHA1 | 5bfe69c4b3adc72ea70eb7617bb3e273c5f2153d |
| SHA256 | 7a86fa659027bb4a3774afc27251c8362c59d4cb8a526ef7f9bdac2dcea266f8 |
| SHA512 | 7180e9120b259e597d689f6c83df3bb7a5775ce48e050064eca371a90e525b2f7d688429e2d9d5dfcdb6c0c223cf2585fd5947bedc90529ab8b43c483a758599 |
memory/2012-69-0x000007FEF4FB3000-0x000007FEF4FB4000-memory.dmp
memory/2012-71-0x000000013FF70000-0x0000000141D2E000-memory.dmp
memory/1316-70-0x0000000000400000-0x0000000001CE0000-memory.dmp
memory/1316-72-0x0000000000400000-0x0000000001CE0000-memory.dmp
memory/764-73-0x0000000000210000-0x0000000000211000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\34ZL0Q4Z\json[1].json
| MD5 | 149c2823b7eadbfb0a82388a2ab9494f |
| SHA1 | 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c |
| SHA256 | 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869 |
| SHA512 | f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe |
memory/764-88-0x0000000000210000-0x0000000000211000-memory.dmp
memory/764-98-0x0000000000210000-0x0000000000211000-memory.dmp
memory/764-100-0x0000000000210000-0x0000000000211000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | a342197e9ff299ae20b11b3b0a0a1199 |
| SHA1 | 09cb1c072b677243fdeddf80d159109d0e04ecba |
| SHA256 | 0a47491a230d24ce3d1095fb54d7ba6560331c7bff9757ccaeb73a2e93d3e4bd |
| SHA512 | 6df7c852e7c3ee720ee72b8d444203a01410d82acbf1f6bf48c796fed21d04d1b10ffc1922338ee91b19aaf8abf965164415edf9e131767dee01cdf616c4c2a2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | a342197e9ff299ae20b11b3b0a0a1199 |
| SHA1 | 09cb1c072b677243fdeddf80d159109d0e04ecba |
| SHA256 | 0a47491a230d24ce3d1095fb54d7ba6560331c7bff9757ccaeb73a2e93d3e4bd |
| SHA512 | 6df7c852e7c3ee720ee72b8d444203a01410d82acbf1f6bf48c796fed21d04d1b10ffc1922338ee91b19aaf8abf965164415edf9e131767dee01cdf616c4c2a2 |
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | a342197e9ff299ae20b11b3b0a0a1199 |
| SHA1 | 09cb1c072b677243fdeddf80d159109d0e04ecba |
| SHA256 | 0a47491a230d24ce3d1095fb54d7ba6560331c7bff9757ccaeb73a2e93d3e4bd |
| SHA512 | 6df7c852e7c3ee720ee72b8d444203a01410d82acbf1f6bf48c796fed21d04d1b10ffc1922338ee91b19aaf8abf965164415edf9e131767dee01cdf616c4c2a2 |
memory/764-106-0x0000000000210000-0x0000000000211000-memory.dmp
memory/764-110-0x0000000000210000-0x0000000000211000-memory.dmp
memory/1656-113-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1656-116-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1656-119-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1656-122-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1656-125-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1656-130-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1656-128-0x0000000140000000-0x0000000140786000-memory.dmp
memory/1656-131-0x0000000140000000-0x0000000140786000-memory.dmp
memory/872-175-0x0000000001A20000-0x0000000001A26000-memory.dmp