Malware Analysis Report

2025-01-18 12:23

Sample ID: 221124-lrmgqaeg24
Target: UAB VISI ATSAKYMAI30000290161120220112162613..js
SHA256: 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
Tags: agenttesla vjw0rm wshrat collection keylogger persistence spyware stealer trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
Threat Level: Known bad

The file UAB VISI ATSAKYMAI30000290161120220112162613..js was found to be: Known bad.

Malicious Activity Summary

agenttesla vjw0rm wshrat collection keylogger persistence spyware stealer trojan worm

AgentTesla

WSHRAT

Vjw0rm

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Reads data files stored by FTP clients

Drops startup file

Reads user/profile data of local email clients

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of SetWindowsHookEx

Script User-Agent

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-24 09:46

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-24 09:46
Reported: 2022-11-24 09:49
Platform: win7-20221111-en
Max time kernel: 189s
Max time network: 206s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\UAB VISI ATSAKYMAI30000290161120220112162613..js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\ethjtred = C:\Users\Admin\AppData\Roaming\ethjtred\ethjtred.exe | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1716 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 hits, no detail recorded)

Script User-Agent

Description: HTTP User-Agent header (Process and Target not recorded)
Indicator (14 requests): WSHRAT|409F1942|VZODHOJJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/11/2022|JavaScript
Indicator (1 request): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 340 wrote to memory of 1704 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3
PID 340 wrote to memory of 1696 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3
PID 1696 wrote to memory of 600 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe | 3
PID 1696 wrote to memory of 328 | N/A | C:\Windows\System32\wscript.exe | C:\Users\Admin\AppData\Roaming\hat.exe | 4
PID 328 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | 4
PID 1716 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | 5
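The persistence rows above (Run values that start wscript.exe //B on a script in AppData\Roaming, the AgentTesla-style ethjtred\ethjtred.exe value, the two Startup-folder drops) and the process chain in the SetThreadContext and WriteProcessMemory tables (wscript.exe launching hat.exe from a user profile, then kbddodhxh.exe re-launching itself and writing into the child) are the tells a host-side hunt should encode. The Python below is an added example, not code from the sandbox report or from any tool it names: it turns those tells into rules and runs them over process-creation events, Run-key values and file paths built from this report's own entries. The PPID 1000 parent of the first wscript.exe, the ExampleUpdater Run value, the firefox.exe process and the notes.txt path are assumptions added as benign controls; the rules would apply unchanged to Sysmon event 1 / 13 / 11 data.

```python
import re

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def _head(cmdline):
    # first token of a command line, honouring a quoted executable path
    c = cmdline.strip()
    if c.startswith('"'):
        return c[1:c.find('"', 1)].lower()
    return c.split()[0].lower() if c else ""


def is_wsh_batch_launch(cmdline):
    """wscript/cscript run with //B (batch mode, no dialogs) on a script under AppData."""
    c = cmdline.lower()
    exe = _head(cmdline).rsplit("\\", 1)[-1]
    return (exe in ("wscript.exe", "cscript.exe", "wscript", "cscript")
            and re.search(r"\s//?b\b", c) is not None and "\\appdata\\" in c)


def classify_run_value(data):
    """Reasons a Run-key value deserves attention; an empty list means nothing matched."""
    reasons = []
    if is_wsh_batch_launch(data):
        reasons.append("wsh-batch-script")
    # <name>\<name>.exe directly under Roaming, the layout of the ethjtred value
    if re.search(r'\\appdata\\roaming\\[^\\"]+\\[^\\"]+\.exe', data, re.IGNORECASE):
        reasons.append("exe-in-roaming-subdir")
    return reasons


def is_startup_folder_drop(path):
    p = path.lower()
    return ("\\start menu\\programs\\startup\\" in p
            and p.endswith((".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe")))


def find_script_host_droppers(events):
    """Script host launching an executable that lives outside Windows / Program Files."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    out = []
    for pid, ppid, image, _ in events:
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        child = image.lower()
        if (parent[1].lower().endswith(SCRIPT_HOSTS) and not child.endswith(SCRIPT_HOSTS)
                and not child.startswith(TRUSTED_ROOTS)):
            out.append((ppid, pid, image))
    return out


def find_self_respawns(events):
    """A process re-launching its own image with an identical command line.
    Benign wscript -> wscript chains differ in the script argument; the report's
    kbddodhxh.exe pair (PID 1716 -> 1972) does not, and SetThreadContext plus
    WriteProcessMemory into that child is the usual process-hollowing sequence."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    out = []
    for pid, ppid, image, cmd in events:
        parent = by_pid.get(ppid)
        if parent and parent[1].lower() == image.lower() and parent[2].lower() == cmd.lower():
            out.append((ppid, pid, image))
    return out


def triage(events, run_values, file_creates):
    run_keys = {}
    for name, data in run_values.items():
        reasons = classify_run_value(data)
        if reasons:
            run_keys[name] = reasons
    return {
        "run_keys": run_keys,
        "startup_drops": [p for p in file_creates if is_startup_folder_drop(p)],
        "batch_script_hosts": [pid for pid, _, _, cmd in events if is_wsh_batch_launch(cmd)],
        "script_host_droppers": find_script_host_droppers(events),
        "self_respawns": find_self_respawns(events),
    }


# Sample input constructed from the report's process list, Run-key rows and Startup
# drops. PIDs, images and command lines are the report's; PPID 1000, the ExampleUpdater
# value, the firefox.exe process and notes.txt are assumed benign controls.
U = r"C:\Users\Admin\AppData"
JS = "UAB VISI ATSAKYMAI30000290161120220112162613..js"
WS = r"C:\Windows\System32\wscript.exe"
SAMPLE_PROCESS_EVENTS = [  # (pid, ppid, image, command line)
    (340, 1000, r"C:\Windows\system32\wscript.exe", rf'wscript.exe "{U}\Local\Temp\{JS}"'),
    (1704, 340, WS, rf'"{WS}" //B "{U}\Roaming\mgmTAuaTmT.js"'),
    (1696, 340, WS, rf'"{WS}" //B "{U}\Roaming\{JS}"'),
    (600, 1696, WS, rf'"{WS}" //B "{U}\Roaming\mgmTAuaTmT.js"'),
    (328, 1696, rf"{U}\Roaming\hat.exe", rf'"{U}\Roaming\hat.exe"'),
    (1716, 328, rf"{U}\Local\Temp\kbddodhxh.exe", rf'"{U}\Local\Temp\kbddodhxh.exe" {U}\Local\Temp\cajpktnk.qa'),
    (1972, 1716, rf"{U}\Local\Temp\kbddodhxh.exe", rf'"{U}\Local\Temp\kbddodhxh.exe" {U}\Local\Temp\cajpktnk.qa'),
    (2200, 1000, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
]
SAMPLE_RUN_VALUES = {  # value name -> data, as written under ...\CurrentVersion\Run
    "UAB VISI ATSAKYMAI30000290161120220112162613": rf'wscript.exe //B "{U}\Roaming\{JS}"',
    "ethjtred": rf"{U}\Roaming\ethjtred\ethjtred.exe",
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /quiet',
}
STARTUP = rf"{U}\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILE_CREATES = [rf"{STARTUP}\{JS}", rf"{STARTUP}\mgmTAuaTmT.js", r"C:\Users\Admin\Documents\notes.txt"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_RUN_VALUES, SAMPLE_FILE_CREATES).items():
        print(f"{key}: {value}")
```

On the sample, the script flags both malicious Run values, both Startup drops, the three //B wscript.exe instances (PIDs 1704, 1696, 600), wscript.exe (1696) starting hat.exe (328), and the kbddodhxh.exe self-respawn (1716 -> 1972), while the constructed benign entries produce nothing. The self-respawn rule deliberately requires an identical command line so that ordinary wscript.exe -> wscript.exe chains do not fire.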

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\UAB VISI ATSAKYMAI30000290161120220112162613..js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"

C:\Users\Admin\AppData\Roaming\hat.exe

"C:\Users\Admin\AppData\Roaming\hat.exe"

C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe

"C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe" C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa

C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe

"C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe" C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa

Network

Country | Destination | Domain | Proto | Count
N/A | 8.8.8.8:53 | snkcyp.duckdns.org | udp | 2
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp | 2
N/A | 154.120.118.131:5465 | javaautorun.duia.ro | tcp | 10
N/A | 194.180.48.65:3369 | snkcyp.duckdns.org | tcp | 14
N/A | 45.85.219.227:80 | 45.85.219.227 | tcp | 1
N/A | 8.8.8.8:53 | api.ipify.org | udp | 1
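The Script User-Agent and Network tables above give everything needed to spot this infection in proxy telemetry: a pipe-delimited User-Agent that starts with the literal WSHRAT, the default User-Agent of the WinHttp.WinHttpRequest COM object (which a WSH script presents when it downloads through that object, and which plenty of legitimate scripting also sends), and the two dynamic-DNS C2 names with their ports. The Python below is an added example, not code from the report or from the sandbox vendor: it parses the beacon UA into fields and scans a constructed tab-separated proxy log for those indicators. The field names given to the beacon (hwid, host, user, os, variant, av, usb, date, lang) are an assumption taken from the commonly published WSHRAT beacon layout; the report only shows the raw strings. The log lines are constructed, not captured from the sandbox run.

```python
import re

# Endpoints recorded in the report's Network tables for both detonations.
# 45.85.219.227:80 appears once per run; the report does not say what it served.
REPORT_C2_DOMAINS = {"snkcyp.duckdns.org", "javaautorun.duia.ro"}
REPORT_SOCKETS = {("194.180.48.65", 3369), ("154.120.118.131", 5465), ("45.85.219.227", 80)}

# Default User-Agent of WinHttp.WinHttpRequest: weak evidence on its own, so it is
# reported as a separate reason rather than folded into the beacon match.
WINHTTP_UA_PREFIX = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5"

# WSHRAT beacon User-Agent as seen in the report. Field names are an assumption
# (commonly published WSHRAT layout); the report only shows the raw pipe-delimited string.
WSHRAT_UA = re.compile(
    r"^WSHRAT\|(?P<hwid>[^|]*)\|(?P<host>[^|]*)\|(?P<user>[^|]*)\|(?P<os>[^|]*)\|"
    r"(?P<variant>[^|]*)\|(?P<av>[^|]*)\|(?P<usb>[^|]*) - (?P<date>[^|]*)\|(?P<lang>[^|]*)$"
)


def parse_wshrat_ua(user_agent):
    """Return the beacon fields as a dict, or None if the UA is not a WSHRAT beacon."""
    m = WSHRAT_UA.match(user_agent)
    if m is None:
        return None
    # the OS field carries a trailing space in the Windows 7 sample; strip all fields
    return {k: v.strip() for k, v in m.groupdict().items()}


def scan_proxy_log(text):
    """Flag proxy log lines that match the report's network indicators.

    Each line is tab-separated: timestamp, client IP, destination host, port, User-Agent.
    Tabs are used because the WSHRAT UA itself contains both pipes and spaces.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, port, ua = line.split("\t", 4)
        reasons = []
        beacon = parse_wshrat_ua(ua)
        if beacon is not None:
            reasons.append("wshrat-beacon-ua")
        if host in REPORT_C2_DOMAINS or (host, int(port)) in REPORT_SOCKETS:
            reasons.append("report-ioc-endpoint")
        if ua.startswith(WINHTTP_UA_PREFIX):
            reasons.append("winhttprequest-ua")
        if reasons:
            hits.append({"time": ts, "client": client, "dest": f"{host}:{port}",
                         "reasons": reasons, "beacon": beacon})
    return hits


# Constructed sample log (not a capture from the sandbox): three lines reuse the
# report's UA strings and endpoints, one is ordinary browser traffic.
SAMPLE_PROXY_LOG = (
    "2022-11-24T09:47:01Z\t10.0.0.15\tsnkcyp.duckdns.org\t3369\t"
    "WSHRAT|409F1942|VZODHOJJ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 24/11/2022|JavaScript\n"
    "2022-11-24T09:47:03Z\t10.0.0.15\t45.85.219.227\t80\t"
    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\n"
    "2022-11-24T09:47:09Z\t10.0.0.22\twww.example.com\t443\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/107.0\n"
    "2022-11-24T09:47:15Z\t10.0.0.15\t154.120.118.131\t5465\t"
    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\n"
)

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["client"], hit["dest"], ",".join(hit["reasons"]))
        if hit["beacon"]:
            print("   beacon fields:", hit["beacon"])
```

The beacon parser also accepts the Windows 10 string from behavioral2 (WSHRAT|CEC20621|FXOYPAIQ|...), so the hwid and host fields can be used to count distinct infected machines behind one egress address. A match on the WinHttpRequest UA alone should be treated as a lead, not an alert; it becomes interesting when paired with one of the report's endpoints or with a PE download, as the "Downloads MZ/PE file" signature above records.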

Files

memory/340-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js

MD5 94dd9e1490caedd9dddf727c42c773f1
SHA1 8f65feb0c94185d5b514053851f2849956f2e5f7
SHA256 0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b
SHA512 741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab

memory/1704-55-0x0000000000000000-mapping.dmp

memory/1696-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js

MD5 2b4fd5e86969e9a8b56ce60175c15866
SHA1 0e6890d6be1462aa5576a00ddaac640214e70256
SHA256 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
SHA512 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db

memory/600-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js

MD5 2b4fd5e86969e9a8b56ce60175c15866
SHA1 0e6890d6be1462aa5576a00ddaac640214e70256
SHA256 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
SHA512 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db

memory/328-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\hat.exe

MD5 2a163403e00ba8afbe3c7a2e6df3e2e2
SHA1 404038a796396209580a64a537b57695bbd9b175
SHA256 4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef
SHA512 6a7fdae05a3f2945ef2a8b87c1495dc00a69daa66355cd1009e0b924919f25314b47e541aefd1465c0ca6f2db0dc2b9796b056c1357aa67721ee044446d91187

memory/328-67-0x0000000076161000-0x0000000076163000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe

MD5 8a73408537089a2c75b20e5777a45a3c
SHA1 6743c59431668ff81f1c09e2c2820417dea10324
SHA256 6058cebe9c8ccfd2c4576dbfbaf254e18e0617d3a42e4b4e054b71105cbdb98b
SHA512 87955fcebd7dfe6c2b6517266a7525a6ef71bd215de8404622ff2ebf0145a95b44955f6fee33292a247e32fc2e5f3d0f9063cecff2e68d67b987195788917a06

memory/1716-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa

MD5 52d6c758e902d52f73d818e395df4afc
SHA1 e947d2b6392657226ca248014dc3933e8ed56007
SHA256 a38032f0d1f0dfc6eb4d3b0d898b8faefe486d63a84113ad8f856d130049f910
SHA512 2dd0ed8c70a8ace942f48763add368ce411e068ad40ab3524d09edb6a21c074c06404a9b7fd2228cb3253028e63a8885804c5a37b9d9ec3c5ea7a5e584fc2551

C:\Users\Admin\AppData\Local\Temp\ymnzmdjt.z

MD5 287ed1f3735b69389a9c35b08671168f
SHA1 7ceeaf5bc178a85b911d8415f220d82e1a347398
SHA256 64a65ddf80fa3ebedaa87d12c18366b83650b779f7af15696442f0725bd29d7f
SHA512 1d21132e401ef395fbb92bb669dbb0b10a3daaf60e3b09be68d3884ba10901ee9429cf73b4f6c4d1e5f52a0630c547a35be6a38ed480d977e904b99b55240c5a

memory/1972-77-0x0000000000401896-mapping.dmp

memory/1972-80-0x0000000001E20000-0x0000000001E5C000-memory.dmp

memory/1972-81-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-24 09:46
Reported: 2022-11-24 09:49
Platform: win10v2004-20221111-en
Max time kernel: 186s
Max time network: 201s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\UAB VISI ATSAKYMAI30000290161120220112162613..js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\system32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAB VISI ATSAKYMAI30000290161120220112162613 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header (Process and Target not recorded)
Indicator (11 requests): WSHRAT|CEC20621|FXOYPAIQ|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 24/11/2022|JavaScript

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 504 wrote to memory of 3324 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 2
PID 504 wrote to memory of 3568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 2
PID 3568 wrote to memory of 2852 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe | 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\UAB VISI ATSAKYMAI30000290161120220112162613..js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js"

Network

Country | Destination | Domain | Proto | Count
N/A | 72.21.91.29:80 | (none) | tcp | 1
N/A | 67.24.35.254:80 | (none) | tcp | 2
N/A | 13.69.239.73:443 | (none) | tcp | 1
N/A | 87.248.202.1:80 | (none) | tcp | 3
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp | 1
N/A | 8.8.8.8:53 | snkcyp.duckdns.org | udp | 1
N/A | 154.120.118.131:5465 | javaautorun.duia.ro | tcp | 12
N/A | 104.80.225.205:443 | (none) | tcp | 1
N/A | 194.180.48.65:3369 | snkcyp.duckdns.org | tcp | 13
N/A | 45.85.219.227:80 | (none) | tcp | 1
N/A | 20.82.209.183:443 | (none) | tcp | 4
N/A | 104.80.224.44:443 | (none) | tcp | 1
N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp | 1

Files

memory/3324-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\mgmTAuaTmT.js

MD5 94dd9e1490caedd9dddf727c42c773f1
SHA1 8f65feb0c94185d5b514053851f2849956f2e5f7
SHA256 0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b
SHA512 741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab

memory/3568-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\UAB VISI ATSAKYMAI30000290161120220112162613..js

MD5 2b4fd5e86969e9a8b56ce60175c15866
SHA1 0e6890d6be1462aa5576a00ddaac640214e70256
SHA256 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
SHA512 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db

memory/2852-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAB VISI ATSAKYMAI30000290161120220112162613..js

MD5 2b4fd5e86969e9a8b56ce60175c15866
SHA1 0e6890d6be1462aa5576a00ddaac640214e70256
SHA256 0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0
SHA512 7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgmTAuaTmT.js

MD5 94dd9e1490caedd9dddf727c42c773f1
SHA1 8f65feb0c94185d5b514053851f2849956f2e5f7
SHA256 0aabf186522f4c8154c13f1a2c55ef0705de899f70f3e6261ac9816aaa39756b
SHA512 741f8c8814715c3459aa8c735623db5daefc4943d2effec94edf39535f530dc8597ad0c9b5dc5a91a0527e9130cad22ec56cd3736213a98764dc27d22ce2ffab