Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-09-2022 08:27

Static task: static1
Behavioral task: behavioral1
- Sample: CREDIT NOTE.js
- Resource: win7-20220812-en
General
- Target: CREDIT NOTE.js
- Size: 47KB
- MD5: 771ee97bd2e61801d47f37b60a69d1c8
- SHA1: b77ea83d939bc5ce8ceff9668488f8045ba58a0b
- SHA256: 25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
- SHA512: 2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1
- SSDEEP: 768:bH5hjkXAZJMdHG7TH8eA0oWz6nSwsmjX1uMW7/1W8eXBnKX2CzHsPOux4GsPje//:bH5hIwZ+dHk8n0ISwXZ8OBKX2yKCXlgT
Malware Config
Extracted
formbook
u8ow
avdoga.net
Extracted
xloader
3.5
u8ow
avdoga.net
Extracted
wshrat
http://3lv15.duckdns.org:6697
Signatures

Blocklisted process makes network request 43 IoCs
Processes (network flow ids per pid):
- PID 2576 wscript.exe: flows 10, 38, 60, 79, 94, 114
- PID 2196 wscript.exe: flows 11, 37, 59, 78, 93, 113
- PID 5084 wscript.exe: flows 12, 13, 22, 24, 31, 32, 33, 36, 44, 50, 51, 54, 58, 63, 65, 68, 70, 74, 77, 81, 83, 87, 88, 90, 96, 99, 101, 105, 109, 112, 116

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes:
- PID 2148 NEWSXE.exe
- PID 5116 fuwusylazeffuo.exe

Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (NEWSXE.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (fuwusylazeffuo.exe)

Drops startup file 5 IoCs
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js (wscript.exe)

Loads dropped DLL 1 IoCs
Processes:
- PID 4660 fuwusylazeffuo.exe

Adds Run key to start application 2 TTPs 9 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\"" (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CREDIT NOTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CREDIT NOTE.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dyhkboeiqg = "C:\\Users\\Admin\\AppData\\Roaming\\vhesmtdikvlglu\\avyvaajyo.exe" (fuwusylazeffuo.exe)

Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 5116 fuwusylazeffuo.exe set thread context of PID 4660 fuwusylazeffuo.exe
- PID 4660 fuwusylazeffuo.exe set thread context of PID 744 Explorer.EXE
- PID 3752 cmmon32.exe set thread context of PID 744 Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes:
- PID 3920 WerFault.exe, target PID 5116 fuwusylazeffuo.exe
Modifies Internet Explorer settings 1 IoCs
Processes:
- Key created: \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmmon32.exe)
Script User-Agent 31 IoCs
Uses user-agent string associated with script host/environment.
HTTP User-Agent header, by network flow id:
- Flows 12, 22, 24, 31, 32, 33, 36, 44, 50, 51, 54, 58, 63, 65, 68, 70, 74, 77, 81, 83, 87, 88, 90, 96, 99, 101, 105, 109, 112, 116 (30 flows): WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 30/9/2022|JavaScript
- Flow 13: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
- PID 4660 fuwusylazeffuo.exe (8 entries)
- PID 3752 cmmon32.exe (54 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 744 Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
- PID 4660 fuwusylazeffuo.exe (3 entries)
- PID 3752 cmmon32.exe (4 entries)

Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
- Token: SeDebugPrivilege, PID 4660 fuwusylazeffuo.exe
- Token: SeShutdownPrivilege, PID 744 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 744 Explorer.EXE
- Token: SeDebugPrivilege, PID 3752 cmmon32.exe
- Token: SeShutdownPrivilege, PID 744 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 744 Explorer.EXE
- Token: SeShutdownPrivilege, PID 744 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 744 Explorer.EXE
- Token: SeShutdownPrivilege, PID 744 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 744 Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs
Processes:
- PID 4844 wscript.exe wrote to memory of PID 2576 wscript.exe (2 entries)
- PID 4844 wscript.exe wrote to memory of PID 5084 wscript.exe (2 entries)
- PID 5084 wscript.exe wrote to memory of PID 2196 wscript.exe (2 entries)
- PID 5084 wscript.exe wrote to memory of PID 2148 NEWSXE.exe (3 entries)
- PID 2148 NEWSXE.exe wrote to memory of PID 5116 fuwusylazeffuo.exe (3 entries)
- PID 5116 fuwusylazeffuo.exe wrote to memory of PID 4660 fuwusylazeffuo.exe (4 entries)
- PID 744 Explorer.EXE wrote to memory of PID 3752 cmmon32.exe (3 entries)
- PID 3752 cmmon32.exe wrote to memory of PID 1276 Firefox.exe (3 entries)
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe
    command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\CREDIT NOTE.js"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js"
      - Blocklisted process makes network request
      - Drops startup file
    - C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CREDIT NOTE.js"
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\wscript.exe
        command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js"
        - Blocklisted process makes network request
        - Drops startup file
      - C:\Users\Admin\AppData\Roaming\NEWSXE.exe
        command line: "C:\Users\Admin\AppData\Roaming\NEWSXE.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe"
            - Checks computer location settings
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 580
            - Program crash
  - C:\Windows\SysWOW64\cmmon32.exe
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5116 -ip 5116
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe (56KB)
  MD5: ce262c598fed05331ed24e0d44fab549
  SHA1: 855a97836d6c47e7a4f6e9d702ac75adec755ea9
  SHA256: ff821e285da8c69105815df6e9f2bd04ad88ebcc6b881f59e9592e5bd62e25c1
  SHA512: 8cd7b56cce82c801263546421db71815e84d2cd7894124761c2ce1ec49be28fa47e6751896a3aef1b0e21f2c4fef5c88d230f0b7fb7b0b67abc49bc1a3a5440c
- C:\Users\Admin\AppData\Local\Temp\quhlzrpp.f (172KB)
  MD5: cb9dbd9ff987c69b17f57f621c313e52
  SHA1: db0b62eb1c07a346ac161c4e6b086255f0c4b213
  SHA256: 58b23d9622d97157ddb9cf7c1f4b89f694a4647f22ff238cc6b4ccc32c4ad024
  SHA512: 582d261962572be24972239f692bc65cd69b410dafbae550858a6d87986e978fafaf95a183449cdf82c9a64ce90a32db0a0267580259e00dc751c676c3776884
- C:\Users\Admin\AppData\Local\Temp\wwpwcbjhcxl.uwe (6KB)
  MD5: 62a9b361c89112dcb9e46476b5f12331
  SHA1: 8ea7603b6d6db984351684b08ff52ce28a50d3e3
  SHA256: 66b19f4ba0ef9307c5da82840f3d85856cc852c96912ae4cb29944d30ea57538
  SHA512: a7fa474a4963111984e423138bae5652b0f8726eddcf2af1cbdae8ff6ea346904ca93879ae6a291b9928af6b29ca00a2a1523465890725f81c64d134c0970e5e
- C:\Users\Admin\AppData\Roaming\CREDIT NOTE.js (47KB)
  MD5: 771ee97bd2e61801d47f37b60a69d1c8
  SHA1: b77ea83d939bc5ce8ceff9668488f8045ba58a0b
  SHA256: 25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
  SHA512: 2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CREDIT NOTE.js (47KB)
  MD5: 771ee97bd2e61801d47f37b60a69d1c8
  SHA1: b77ea83d939bc5ce8ceff9668488f8045ba58a0b
  SHA256: 25027a9677193ee152a6621382d40fcf31437b4366f6566d369f24d93f52f56d
  SHA512: 2ac19e006117d449467ec49f4b600293775bdbb0f03869a6e7c914449fb522d22f74ab060d0086ef1a033c91d987c38ddd97e258a7575581e95d68b1657737b1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjUZyzILPd.js (8KB)
  MD5: 2f2198533289a4dac6f4406539f5b0f5
  SHA1: f37eef69eb03c33e41a0cbe2e3fcfb68070ccb58
  SHA256: 2c9f6f3a3ee784722c588ff9bc72259461acc1084629364e44d479792c381bb4
  SHA512: cf791618aafeef05a5dd167e32746384f1ec8bb693735bcd7b1538e0ee988c76d4cd0235c951f24675045dcaebcf7d19fb3b8cb9d9ae76a4a1c695de23e612a5
- C:\Users\Admin\AppData\Roaming\NEWSXE.exe (475KB)
  MD5: 7241c4a2af9e08ca229912f6c95c72fe
  SHA1: 2cdc9f81881cb3bfb7a825bb7c8608922a5ee311
  SHA256: efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3
  SHA512: b200d33df0abf7b1dd0462a6c1a6f26f70146cc50c0976c5734b3777290e5b36462cb59f903952f6d22ce22fecf85b64da2328b8f4d5d290cce49fe1834acf53
- C:\Users\Admin\AppData\Roaming\WjUZyzILPd.js (8KB)
  MD5: 2f2198533289a4dac6f4406539f5b0f5
  SHA1: f37eef69eb03c33e41a0cbe2e3fcfb68070ccb58
  SHA256: 2c9f6f3a3ee784722c588ff9bc72259461acc1084629364e44d479792c381bb4
  SHA512: cf791618aafeef05a5dd167e32746384f1ec8bb693735bcd7b1538e0ee988c76d4cd0235c951f24675045dcaebcf7d19fb3b8cb9d9ae76a4a1c695de23e612a5
- memory/744-153-0x0000000002B20000-0x0000000002C02000-memory.dmp (904KB)
- memory/744-161-0x0000000007C80000-0x0000000007D1F000-memory.dmp (636KB)
- memory/744-159-0x0000000007C80000-0x0000000007D1F000-memory.dmp (636KB)
- memory/2148-140-0x0000000000000000-mapping.dmp
- memory/2196-136-0x0000000000000000-mapping.dmp
- memory/2576-132-0x0000000000000000-mapping.dmp
- memory/3752-155-0x00000000000A0000-0x00000000000AC000-memory.dmp (48KB)
- memory/3752-154-0x0000000000000000-mapping.dmp
- memory/3752-156-0x00000000001B0000-0x00000000001DB000-memory.dmp (172KB)
- memory/3752-157-0x0000000002350000-0x000000000269A000-memory.dmp (3.3MB)
- memory/3752-158-0x00000000020D0000-0x000000000215F000-memory.dmp (572KB)
- memory/3752-160-0x00000000001B0000-0x00000000001DB000-memory.dmp (172KB)
- memory/4660-151-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
- memory/4660-152-0x0000000000C10000-0x0000000000C20000-memory.dmp (64KB)
- memory/4660-150-0x00000000010B0000-0x00000000013FA000-memory.dmp (3.3MB)
- memory/4660-148-0x0000000000000000-mapping.dmp
- memory/5084-133-0x0000000000000000-mapping.dmp
- memory/5116-143-0x0000000000000000-mapping.dmp