Analysis Overview
SHA256
0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
Threat Level: Known bad
The file UAB VISI ATSAKYMAI30000290161120220112162613..js was found to be: Known bad.
Malicious Activity Summary
AgentTesla
WSHRAT
Vjw0rm
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Drops startup file
Reads user/profile data of local email clients
Checks computer location settings
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of SetWindowsHookEx
Script User-Agent
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-24 09:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-24 09:46
Reported
2022-11-24 09:49
Platform
win7-20221111-en
Max time kernel
189s
Max time network
206s
Command Line
Signatures
AgentTesla
Vjw0rm
WSHRAT
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\ethjtred = "C:\\Users\\Admin\\AppData\\Roaming\\ethjtred\\ethjtred.exe" | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1716 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|409F1942|VZODHOJJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\UAB VISI ATSAKYMAI30000290161120220112162613..js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"
C:\Users\Admin\AppData\Roaming\hat.exe
"C:\Users\Admin\AppData\Roaming\hat.exe"
C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe
"C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe" C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa
C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe
"C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe" C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 154.120.118.131:5465 | javaautorun.duia.ro | tcp |
| N/A | 194.180.48.65:3369 | snkcyp.duckdns.org | tcp |
| N/A | 45.85.219.227:80 | 45.85.219.227 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/340-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp
C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js
| MD5 | 94dd9e1490caedd9dddf727c42c773f1 |
| SHA1 | 8f65feb0c94185d5b514053851f2849956f2e5f7 |
| SHA256 | 0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b |
| SHA512 | 741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab |
memory/1704-55-0x0000000000000000-mapping.dmp
memory/1696-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js
| MD5 | 2b4fd5e86969e9a8b56ce60175c15866 |
| SHA1 | 0e6890d6be1462aa5576a00ddaac640214e70256 |
| SHA256 | 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0 |
| SHA512 | 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db |
memory/600-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js
| MD5 | 2b4fd5e86969e9a8b56ce60175c15866 |
| SHA1 | 0e6890d6be1462aa5576a00ddaac640214e70256 |
| SHA256 | 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0 |
| SHA512 | 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db |
memory/328-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\hat.exe
| MD5 | 2a163403e00ba8afbe3c7a2e6df3e2e2 |
| SHA1 | 404038a796396209580a64a537b57695bbd9b175 |
| SHA256 | 4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef |
| SHA512 | 6a7fdae05a3f2945ef2a8b87c1495dc00a69daa66355cd1009e0b924919f25314b47e541aefd1465c0ca6f2db0dc2b9796b056c1357aa67721ee044446d91187 |
memory/328-67-0x0000000076161000-0x0000000076163000-memory.dmp
\Users\Admin\AppData\Local\Temp\kbddodhxh.exe
| MD5 | 8a73408537089a2c75b20e5777a45a3c |
| SHA1 | 6743c59431668ff81f1c09e2c2820417dea10324 |
| SHA256 | 6058cebe9c8ccfd2c4576dbfbaf254e18e0617d3a42e4b4e054b71105cbdb98b |
| SHA512 | 87955fcebd7dfe6c2b6517266a7525a6ef71bd215de8404622ff2ebf0145a95b44955f6fee33292a247e32fc2e5f3d0f9063cecff2e68d67b987195788917a06 |
memory/1716-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe
| MD5 | 8a73408537089a2c75b20e5777a45a3c |
| SHA1 | 6743c59431668ff81f1c09e2c2820417dea10324 |
| SHA256 | 6058cebe9c8ccfd2c4576dbfbaf254e18e0617d3a42e4b4e054b71105cbdb98b |
| SHA512 | 87955fcebd7dfe6c2b6517266a7525a6ef71bd215de8404622ff2ebf0145a95b44955f6fee33292a247e32fc2e5f3d0f9063cecff2e68d67b987195788917a06 |
C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa
| MD5 | 52d6c758e902d52f73d818e395df4afc |
| SHA1 | e947d2b6392657226ca248014dc3933e8ed56007 |
| SHA256 | a38032f0d1f0dfc6eb4d3b0d898b8faefe486d63a84113ad8f856d130049f910 |
| SHA512 | 2dd0ed8c70a8ace942f48763add368ce411e068ad40ab3524d09edb6a21c074c06404a9b7fd2228cb3253028e63a8885804c5a37b9d9ec3c5ea7a5e584fc2551 |
C:\Users\Admin\AppData\Local\Temp\ymnzmdjt.z
| MD5 | 287ed1f3735b69389a9c35b08671168f |
| SHA1 | 7ceeaf5bc178a85b911d8415f220d82e1a347398 |
| SHA256 | 64a65ddf80fa3ebedaa87d12c18366b83650b779f7af15696442f0725bd29d7f |
| SHA512 | 1d21132e401ef395fbb92bb669dbb0b10a3daaf60e3b09be68d3884ba10901ee9429cf73b4f6c4d1e5f52a0630c547a35be6a38ed480d977e904b99b55240c5a |
memory/1972-77-0x0000000000401896-mapping.dmp
memory/1972-80-0x0000000001E20000-0x0000000001E5C000-memory.dmp
memory/1972-81-0x0000000000400000-0x000000000044E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-24 09:46
Reported
2022-11-24 09:49
Platform
win10v2004-20221111-en
Max time kernel
186s
Max time network
201s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\UAB VISI ATSAKYMAI30000290161120220112162613..js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|CEC20621|FXOYPAIQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 24/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 504 wrote to memory of 3324 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 504 wrote to memory of 3568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3568 wrote to memory of 2852 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\UAB VISI ATSAKYMAI30000290161120220112162613..js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | N/A | tcp |
| N/A | 67.24.35.254:80 | N/A | tcp |
| N/A | 13.69.239.73:443 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 8.8.8.8:53 | snkcyp.duckdns.org | udp |
| N/A | 154.120.118.131:5465 | javaautorun.duia.ro | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 194.180.48.65:3369 | snkcyp.duckdns.org | tcp |
| N/A | 45.85.219.227:80 | N/A | tcp |
| N/A | 20.82.209.183:443 | N/A | tcp |
| N/A | 104.80.224.44:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
Files
memory/3324-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js
| MD5 | 94dd9e1490caedd9dddf727c42c773f1 |
| SHA1 | 8f65feb0c94185d5b514053851f2849956f2e5f7 |
| SHA256 | 0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b |
| SHA512 | 741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab |
memory/3568-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js
| MD5 | 2b4fd5e86969e9a8b56ce60175c15866 |
| SHA1 | 0e6890d6be1462aa5576a00ddaac640214e70256 |
| SHA256 | 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0 |
| SHA512 | 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db |
memory/2852-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js
| MD5 | 2b4fd5e86969e9a8b56ce60175c15866 |
| SHA1 | 0e6890d6be1462aa5576a00ddaac640214e70256 |
| SHA256 | 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0 |
| SHA512 | 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js
| MD5 | 94dd9e1490caedd9dddf727c42c773f1 |
| SHA1 | 8f65feb0c94185d5b514053851f2849956f2e5f7 |
| SHA256 | 0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b |
| SHA512 | 741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab |