Analysis Overview
SHA256
7e549fd76a7595d0531d7e10bff5c60bdedd7d67d2693d09357fe9546d7988a1
Threat Level: Known bad
The file ORDER AT HAND URGENT.js was found to be: Known bad.
Malicious Activity Summary
STRRAT
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-02 12:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-02 12:29
Reported
2023-03-02 12:31
Platform
win7-20230220-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
STRRAT
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vSGNXlMuXH.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vSGNXlMuXH.js | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdrvzyglvq.txt | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdrvzyglvq = "\"C:\\Users\\Admin\\AppData\\Roaming\\pdrvzyglvq.txt\"" | C:\Program Files\Java\jre7\bin\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdrvzyglvq = "\"C:\\Users\\Admin\\AppData\\Roaming\\pdrvzyglvq.txt\"" | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ORDER AT HAND URGENT.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vSGNXlMuXH.js"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\pdrvzyglvq.txt"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\pdrvzyglvq.txt"
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\pdrvzyglvq.txt"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\pdrvzyglvq.txt"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\pdrvzyglvq.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| NL | 45.139.105.174:2070 | | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
Files
C:\Users\Admin\AppData\Roaming\pdrvzyglvq.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
C:\Users\Admin\AppData\Roaming\vSGNXlMuXH.js
| MD5 | 39eef940efb1e1def04675bc6fe14477 |
| SHA1 | 17a2994f749bccc3e633897b7b92c52be38930b5 |
| SHA256 | 51e51b24b0e7ff7d76e602a34b7462b625c07ca9468fd8e35cb4ea660d1de720 |
| SHA512 | ac4e8f8cc864d4d42e215fd2a83a499b2349d5962c3c375221c90d7de0522a15db6c6caf4d353c27fef04f078835ac8ffec262568d5bcf8e1fc2595344d84215 |
memory/1688-70-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-77-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-80-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-85-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-86-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-91-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-92-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-98-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-99-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-102-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1688-104-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\pdrvzyglvq.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
memory/1580-115-0x0000000000130000-0x0000000000131000-memory.dmp
C:\Users\Admin\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
C:\Users\Admin\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
| MD5 | b33387e15ab150a7bf560abdc73c3bec |
| SHA1 | 66b8075784131f578ef893fd7674273f709b9a4c |
| SHA256 | 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491 |
| SHA512 | 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279 |
C:\Users\Admin\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdrvzyglvq.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
C:\Users\Admin\AppData\Roaming\pdrvzyglvq.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
memory/1264-141-0x0000000000120000-0x0000000000121000-memory.dmp
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1563773381-2037468142-1146002597-1000\83aa4cc77f591dfc2374580bbd95f6ba_b2297557-1764-4c87-9db5-9b6890ebc138
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
\Users\Admin\AppData\Local\Temp\jna-63116079\jna5570603281483309895.dll
| MD5 | e02979ecd43bcc9061eb2b494ab5af50 |
| SHA1 | 3122ac0e751660f646c73b10c4f79685aa65c545 |
| SHA256 | a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a |
| SHA512 | 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372 |
memory/1264-151-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1264-157-0x0000000000120000-0x0000000000121000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-02 12:29
Reported
2023-03-02 12:31
Platform
win10v2004-20230220-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
STRRAT
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vSGNXlMuXH.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vSGNXlMuXH.js | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\czdjfdvew.txt | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\czdjfdvew = "\"C:\\Users\\Admin\\AppData\\Roaming\\czdjfdvew.txt\"" | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\czdjfdvew = "\"C:\\Users\\Admin\\AppData\\Roaming\\czdjfdvew.txt\"" | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ORDER AT HAND URGENT.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vSGNXlMuXH.js"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\czdjfdvew.txt"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\czdjfdvew.txt"
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\czdjfdvew.txt"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\czdjfdvew.txt"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\czdjfdvew.txt"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
C:\Windows\System32\Wbem\WMIC.exe
wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 8.8.8.8:53 | 209.192.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.73.207.20.in-addr.arpa | udp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 138.175.53.84.in-addr.arpa | udp |
| NL | 45.139.105.174:2070 | | tcp |
| US | 8.8.8.8:53 | 174.105.139.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5440 | javaautorun.duia.ro | tcp |
Files
C:\Users\Admin\AppData\Roaming\vSGNXlMuXH.js
| MD5 | 39eef940efb1e1def04675bc6fe14477 |
| SHA1 | 17a2994f749bccc3e633897b7b92c52be38930b5 |
| SHA256 | 51e51b24b0e7ff7d76e602a34b7462b625c07ca9468fd8e35cb4ea660d1de720 |
| SHA512 | ac4e8f8cc864d4d42e215fd2a83a499b2349d5962c3c375221c90d7de0522a15db6c6caf4d353c27fef04f078835ac8ffec262568d5bcf8e1fc2595344d84215 |
C:\Users\Admin\AppData\Roaming\czdjfdvew.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
memory/3000-150-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/3000-168-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/3000-181-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/3000-185-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/3000-194-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/3000-200-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/3000-201-0x0000000000E70000-0x0000000000E71000-memory.dmp
C:\Users\Admin\czdjfdvew.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
C:\Users\Admin\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
| MD5 | b33387e15ab150a7bf560abdc73c3bec |
| SHA1 | 66b8075784131f578ef893fd7674273f709b9a4c |
| SHA256 | 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491 |
| SHA512 | 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279 |
C:\Users\Admin\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 9e027e4f0dac537b495167f3b5a1d17c |
| SHA1 | dc129b712a7f55da350a213e02b89413eb26a5f8 |
| SHA256 | 39df5d64f81f9b66665d504e40c396e0e376b1aaf6c6619f05c54e97f5ec363e |
| SHA512 | 02fa9ec47f5d934a19c72edc9eda50514f929a187cb01319ba92ba92fafd60fc508e55634e54d6c23aa39b3aa15bf0be381c5587e926d08782c9898f6fc6760e |
memory/3460-222-0x0000000000B20000-0x0000000000B21000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\czdjfdvew.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
C:\Users\Admin\AppData\Roaming\czdjfdvew.txt
| MD5 | 6ca326558de612f3682313fdffd0bb50 |
| SHA1 | b65d2e8c39a0b1816b6ffbcec845173df4690604 |
| SHA256 | 876fa2086b40be6c70d12bc73a1f6d3520eafe791ec804dad5cd2735e3f8c5cf |
| SHA512 | c2a2c9bdc86e510ad7f15f83fe98696dad33b8d2d2befb5915a289c54cbf13615b0faa8bef190136a12a9153d121e1fcdcc2266f7c5cebf9cf5a82e2a970f531 |
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar
| MD5 | b33387e15ab150a7bf560abdc73c3bec |
| SHA1 | 66b8075784131f578ef893fd7674273f709b9a4c |
| SHA256 | 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491 |
| SHA512 | 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279 |
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar
| MD5 | 2f4a99c2758e72ee2b59a73586a2322f |
| SHA1 | af38e7c4d0fc73c23ecd785443705bfdee5b90bf |
| SHA256 | 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5 |
| SHA512 | b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494 |
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar
| MD5 | acfb5b5fd9ee10bf69497792fd469f85 |
| SHA1 | 0e0845217c4907822403912ad6828d8e0b256208 |
| SHA256 | b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e |
| SHA512 | e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa |
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar
| MD5 | e1aa38a1e78a76a6de73efae136cdb3a |
| SHA1 | c463da71871f780b2e2e5dba115d43953b537daf |
| SHA256 | 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609 |
| SHA512 | fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 04a39d76e692219e8cdfc198fdb4b7a8 |
| SHA1 | 8033bcd9d066e36f6c0a14be1845403a4913b9e0 |
| SHA256 | ef0ab4d515f307f0be59729b809bb70f0ec43b85b9d4555b61d3606a26cab6d2 |
| SHA512 | 99a34199fa0d9e76a6e2b96440f7d4e12dbda674af9a18fbe3dbbf7e8d4d09c30e15fb6ac4a6e227285b63ae0335414f8f47a732914688128477e8fcd09df021 |
memory/2872-251-0x0000000001450000-0x0000000001451000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\83aa4cc77f591dfc2374580bbd95f6ba_2007c659-eb65-4631-bf41-16f7650120a3
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna1632512839265670579.dll
| MD5 | e02979ecd43bcc9061eb2b494ab5af50 |
| SHA1 | 3122ac0e751660f646c73b10c4f79685aa65c545 |
| SHA256 | a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a |
| SHA512 | 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372 |
memory/2872-258-0x0000000001450000-0x0000000001451000-memory.dmp
memory/2872-265-0x0000000001450000-0x0000000001451000-memory.dmp