Analysis Overview
SHA256
453b93a211b664c8be6ad43c584a9c4e3781ea9e51c3d9d598b4cd9719fcb7c6
Threat Level: Known bad
The file Downloads.rar was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
AsyncRat
WSHRAT
Async RAT payload
Blocklisted process makes network request
Drops startup file
UPX packed file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-25 09:17
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win10v2004-20230220-en
Max time kernel
143s
Max time network
127s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe
"C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.133.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | solar.huawei.com | udp |
| NL | 163.171.140.79:80 | solar.huawei.com | tcp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.140.171.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| IE | 13.69.239.74:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| NL | 84.53.175.11:80 | | tcp |
Files
memory/428-133-0x00007FF663690000-0x00007FF6637FD000-memory.dmp
memory/428-135-0x00007FF663690000-0x00007FF6637FD000-memory.dmp
memory/428-134-0x00007FF663690000-0x00007FF6637FD000-memory.dmp
memory/428-136-0x00007FF663690000-0x00007FF6637FD000-memory.dmp
memory/428-138-0x00007FF663690000-0x00007FF6637FD000-memory.dmp
memory/428-140-0x0000023FE06B0000-0x0000023FE06D2000-memory.dmp
memory/428-149-0x00007FF9EE270000-0x00007FF9EE465000-memory.dmp
memory/428-150-0x00007FF663690000-0x00007FF6637FD000-memory.dmp
memory/428-151-0x0000023FE06E0000-0x0000023FE08D5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win10v2004-20230220-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5076 wrote to memory of 1776 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5076 wrote to memory of 1776 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5076 wrote to memory of 2144 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5076 wrote to memory of 2144 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2144 wrote to memory of 1508 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2144 wrote to memory of 1508 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9e98c04e777e77b1498f4b3447b6221d.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"
Network
| Country | Destination | Domain | Proto |
| US | 117.18.237.29:80 | | tcp |
| NL | 95.101.78.106:80 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | smile4u.webredirect.org | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 8.8.8.8:53 | 154.146.177.139.in-addr.arpa | udp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 13.89.178.26:443 | | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 8.8.8.8:53 | 67.169.210.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js
| MD5 | b43bf8252ad3a3e446126a99e944cd4e |
| SHA1 | c1a8971c18e14c69141d4ab9bfb2832323677a0d |
| SHA256 | 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca |
| SHA512 | e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02 |
C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js
| MD5 | 9e98c04e777e77b1498f4b3447b6221d |
| SHA1 | 00a23c268459816d8fe5d46bda86a36f06e0c374 |
| SHA256 | 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3 |
| SHA512 | e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js
| MD5 | 9e98c04e777e77b1498f4b3447b6221d |
| SHA1 | 00a23c268459816d8fe5d46bda86a36f06e0c374 |
| SHA256 | 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3 |
| SHA512 | e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5 |
C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js
| MD5 | b43bf8252ad3a3e446126a99e944cd4e |
| SHA1 | c1a8971c18e14c69141d4ab9bfb2832323677a0d |
| SHA256 | 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca |
| SHA512 | e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js
| MD5 | b43bf8252ad3a3e446126a99e944cd4e |
| SHA1 | c1a8971c18e14c69141d4ab9bfb2832323677a0d |
| SHA256 | 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca |
| SHA512 | e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js
| MD5 | 9e98c04e777e77b1498f4b3447b6221d |
| SHA1 | 00a23c268459816d8fe5d46bda86a36f06e0c374 |
| SHA256 | 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3 |
| SHA512 | e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win7-20230220-en
Max time kernel
150s
Max time network
133s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tenotvjsh.txt"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\tenotvjsh.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| RU | 23.111.200.87:5443 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5443 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5443 | javaautorun.duia.ro | tcp |
Files
C:\Users\Admin\AppData\Roaming\tenotvjsh.txt
| MD5 | ec5e12b3ea2318692c2d2b74c33dfbda |
| SHA1 | f7f6c3d3e266c7a85ec489389d5508eaa1983055 |
| SHA256 | 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7 |
| SHA512 | 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a |
C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js
| MD5 | b7e9c8bac9afc434944605c2422e1ad0 |
| SHA1 | a653b478be92ecbd848bf79e175c454ebb9ccf21 |
| SHA256 | be481241ae35aed859e1b558e23fcf640e0ec5f36d1e993a085ccc499b62c465 |
| SHA512 | b790f27cce05ee3c754728489c8912501dc5c61d00639db760957697e3ea28855a81ce38634ddf2d98bf865055977c4d5dd2faaecc3a625eb090012161df2190 |
memory/1340-70-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1340-77-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1340-87-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1340-95-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1340-97-0x00000000000A0000-0x00000000000A1000-memory.dmp
C:\Users\Admin\tenotvjsh.txt
| MD5 | ec5e12b3ea2318692c2d2b74c33dfbda |
| SHA1 | f7f6c3d3e266c7a85ec489389d5508eaa1983055 |
| SHA256 | 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7 |
| SHA512 | 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a |
memory/1580-108-0x0000000000430000-0x0000000000431000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win10v2004-20230220-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe
"C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 120.78.151.171:8848 | 120.78.151.171 | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.151.78.120.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.134.241.8.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CN | 120.78.151.171:6658 | | tcp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.247.210.254:80 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
Files
memory/1312-133-0x00000000001D0000-0x00000000001E0000-memory.dmp
memory/1312-134-0x0000000000A40000-0x0000000000A50000-memory.dmp
memory/1312-135-0x0000000000A40000-0x0000000000A50000-memory.dmp
memory/1312-136-0x0000000000A70000-0x0000000000A8A000-memory.dmp
memory/1312-137-0x0000000000A40000-0x0000000000A50000-memory.dmp
memory/1312-138-0x0000000000A40000-0x0000000000A50000-memory.dmp
memory/1312-139-0x0000000000A40000-0x0000000000A50000-memory.dmp
memory/1312-140-0x0000000000A40000-0x0000000000A50000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win7-20230220-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe
"C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | solar.huawei.com | udp |
| NL | 163.171.140.79:80 | solar.huawei.com | tcp |
Files
memory/1928-54-0x000000013F2F0000-0x000000013F45D000-memory.dmp
memory/1928-55-0x000000013F2F0000-0x000000013F45D000-memory.dmp
memory/1928-56-0x000000013F2F0000-0x000000013F45D000-memory.dmp
memory/1928-57-0x000000013F2F0000-0x000000013F45D000-memory.dmp
memory/1928-58-0x000000013F2F0000-0x000000013F45D000-memory.dmp
memory/1928-60-0x0000000001B50000-0x0000000001B72000-memory.dmp
memory/1928-69-0x0000000077AC0000-0x0000000077C69000-memory.dmp
memory/1928-70-0x000000013F2F0000-0x000000013F45D000-memory.dmp
memory/1928-71-0x000000013F2F0000-0x000000013F45D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win7-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 824 wrote to memory of 1780 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 824 wrote to memory of 1780 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 824 wrote to memory of 1780 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 824 wrote to memory of 612 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 824 wrote to memory of 612 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 824 wrote to memory of 612 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 612 wrote to memory of 1564 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 612 wrote to memory of 1564 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 612 wrote to memory of 1564 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9e98c04e777e77b1498f4b3447b6221d.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| US | 8.8.8.8:53 | smile4u.webredirect.org | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js
| MD5 | b43bf8252ad3a3e446126a99e944cd4e |
| SHA1 | c1a8971c18e14c69141d4ab9bfb2832323677a0d |
| SHA256 | 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca |
| SHA512 | e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02 |
C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js
| MD5 | 9e98c04e777e77b1498f4b3447b6221d |
| SHA1 | 00a23c268459816d8fe5d46bda86a36f06e0c374 |
| SHA256 | 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3 |
| SHA512 | e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js
| MD5 | 9e98c04e777e77b1498f4b3447b6221d |
| SHA1 | 00a23c268459816d8fe5d46bda86a36f06e0c374 |
| SHA256 | 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3 |
| SHA512 | e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js
| MD5 | b43bf8252ad3a3e446126a99e944cd4e |
| SHA1 | c1a8971c18e14c69141d4ab9bfb2832323677a0d |
| SHA256 | 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca |
| SHA512 | e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win10v2004-20230220-en
Max time kernel
109s
Max time network
115s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1840 wrote to memory of 3996 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 1840 wrote to memory of 3996 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 1840 wrote to memory of 1336 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 1840 wrote to memory of 1336 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mvxqayu.txt"
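The process trees in the two analyses above share a pattern worth turning into a detection: a script host launched with `//B` (no console window, no prompts), scripts executed out of `AppData\Roaming` and the Startup folder, and `javaw.exe -jar` pointed at a `.txt` file in `AppData\Roaming`. The script below is an added example, not part of the sandbox report; the command lines it triages are copied from the Processes blocks above, and the rules and wording of the findings are this example's own. The initial `wscript.exe ... \Temp\...js` launch is how the sandbox starts the sample, and it still trips the user-writable-directory rule, which is the intended behaviour for an attachment a user double-clicked.

```python
"""Triage process command lines for script-host and Java living-off-the-land abuse.

Added example, not part of the sandbox report. REPORT_PROCESSES is copied from the
Processes blocks of this page; the detection rules are this example's own.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def tokenize_win_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def triage_process(image: str, cmdline: str) -> List[str]:
    """Return human-readable findings for one (image path, command line) pair."""
    findings: List[str] = []
    exe = PureWindowsPath(image).name.lower()
    args = [a.lower() for a in tokenize_win_cmdline(cmdline)[1:]]  # drop argv[0]

    if exe in SCRIPT_HOSTS:
        if "//b" in args:
            findings.append("script host started with //B (batch mode: no window, no prompts)")
        for a in args:
            if a.endswith(SCRIPT_EXTS):
                if any(d in a for d in USER_WRITABLE):
                    findings.append(f"script executed from user-writable directory: {a}")
                if STARTUP_DIR in a:
                    findings.append(f"script executed from Startup folder: {a}")
    elif exe in ("java.exe", "javaw.exe") and "-jar" in args:
        i = args.index("-jar") + 1
        jar = args[i] if i < len(args) else ""
        if jar and not jar.endswith(".jar"):
            findings.append(f"JAR run under a non-.jar extension: {jar}")
        if any(d in jar for d in USER_WRITABLE):
            findings.append(f"JAR loaded from user-writable directory: {jar}")
    return findings


# Copied from the Processes blocks of this report: (image, command line).
REPORT_PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\system32\wscript.exe",
     r"wscript.exe C:\Users\Admin\AppData\Local\Temp\9e98c04e777e77b1498f4b3447b6221d.js"),
    (r"C:\Windows\System32\wscript.exe",
     r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"'),
    (r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js"'),
    (r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mvxqayu.txt"'),
]


def triage_report(procs: List[Tuple[str, str]] = REPORT_PROCESSES) -> Dict[str, List[str]]:
    """Map each command line to its findings, keeping only processes that raised one."""
    result: Dict[str, List[str]] = {}
    for image, cmdline in procs:
        findings = triage_process(image, cmdline)
        if findings:
            result[cmdline] = findings
    return result


if __name__ == "__main__":
    for cmdline, findings in triage_report().items():
        print(cmdline)
        for f in findings:
            print("   -", f)
```

The same rules translate directly into a Sysmon event ID 1 or EDR process-creation query: image name in the script-host set, `//B` in the command line, and script or JAR paths under `AppData`. The Startup-folder rule is what catches the persistence recorded under "Drops startup file" once the machine reboots and Explorer runs the dropped `.js`.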
Network
| Country | Destination | Domain | Proto |
| DE | 162.19.139.184:2222 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| RU | 23.111.200.87:5443 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 8.8.8.8:53 | 209.192.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.73.207.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 13.107.42.16:443 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js
| MD5 | b7e9c8bac9afc434944605c2422e1ad0 |
| SHA1 | a653b478be92ecbd848bf79e175c454ebb9ccf21 |
| SHA256 | be481241ae35aed859e1b558e23fcf640e0ec5f36d1e993a085ccc499b62c465 |
| SHA512 | b790f27cce05ee3c754728489c8912501dc5c61d00639db760957697e3ea28855a81ce38634ddf2d98bf865055977c4d5dd2faaecc3a625eb090012161df2190 |
C:\Users\Admin\AppData\Roaming\mvxqayu.txt
| MD5 | ec5e12b3ea2318692c2d2b74c33dfbda |
| SHA1 | f7f6c3d3e266c7a85ec489389d5508eaa1983055 |
| SHA256 | 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7 |
| SHA512 | 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a |
memory/1336-150-0x0000000001200000-0x0000000001201000-memory.dmp
memory/1336-169-0x0000000001200000-0x0000000001201000-memory.dmp
memory/1336-181-0x0000000001200000-0x0000000001201000-memory.dmp
memory/1336-197-0x0000000001200000-0x0000000001201000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-03-25 09:17
Reported
2023-03-25 09:20
Platform
win7-20230220-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe
"C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 120.78.151.171:8848 | 120.78.151.171 | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
| CN | 120.78.151.171:6658 | | tcp |
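The Network tables in this report list one row per connection, so a single C2 shows up dozens of times while the DNS resolver and the sandbox's own reverse lookups add noise. The script below is an added example, not part of the sandbox report: it collapses table rows of this shape into a deduplicated destination list with hit counts, separates forward DNS queries from `in-addr.arpa` reverse lookups, and repairs rows where an empty Domain cell was dropped during extraction so that `tcp` landed in the Domain column. The embedded rows are copied from the Network tables on this page; the "c2-candidate" tag for non-web ports is this example's own heuristic.

```python
"""Collapse sandbox Network-table rows into a deduplicated IOC list with counts.

Added example, not part of the sandbox report. SAMPLE_ROWS is copied from the
Network tables of this page; the classification rules are this example's own.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

RESOLVER = "8.8.8.8:53"          # the sandbox's DNS resolver, as seen in every udp row
COMMON_PORTS = {"80", "443"}     # anything else gets tagged as a C2 candidate (heuristic)

# Rows copied from this page; the last two show the dropped-Domain-cell artifact.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| US | 8.8.8.8:53 | smile4u.webredirect.org | udp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| RU | 23.111.200.87:5449 | javaautorun.duia.ro | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| US | 139.177.146.154:4242 | smile4u.webredirect.org | tcp |
| DE | 162.19.139.184:2222 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 13.107.42.16:443 | tcp |
"""

Row = Tuple[str, str, str, str, str]  # country, ip, port, domain, proto


def parse_row(line: str) -> Optional[Row]:
    """Parse one pipe-table row; return None for the header, blank or non-table lines.

    If the Domain cell was dropped (3 cells, or 'tcp'/'udp' sitting in the Domain
    column with an empty Proto), shift the protocol back into its own column."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    if not cells or cells[0] == "Country":
        return None
    cells += [""] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if domain.lower() in ("tcp", "udp") and proto == "":
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    if not ip:                     # destination without a port
        ip, port = dest, ""
    return country, ip, port, domain, proto.lower()


def aggregate(table_text: str) -> Dict[str, Counter]:
    """Count forward DNS queries, reverse lookups (sandbox noise) and outbound connections."""
    out: Dict[str, Counter] = {"dns": Counter(), "reverse_dns": Counter(), "connections": Counter()}
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _country, ip, port, domain, proto = row
        if f"{ip}:{port}" == RESOLVER and proto == "udp":
            bucket = "reverse_dns" if domain.endswith(".in-addr.arpa") else "dns"
            out[bucket][domain] += 1
        else:
            out["connections"][(ip, port, domain)] += 1
    return out


def ioc_lines(table_text: str) -> List[str]:
    """One line per distinct destination, most-contacted first, tagging non-web ports."""
    agg = aggregate(table_text)
    lines = []
    for (ip, port, domain), n in agg["connections"].most_common():
        tag = "web" if port in COMMON_PORTS else "c2-candidate"
        lines.append(f"{ip}:{port}\t{domain or '-'}\t{n}x\t{tag}")
    return lines


if __name__ == "__main__":
    for line in ioc_lines(SAMPLE_ROWS):
        print(line)
```

Run against the full tables above this gives one line each for `23.111.200.87:5449`, `139.177.146.154:4242`, `162.19.139.184:2222` and `120.78.151.171` on 8848/6658, which is the list a responder actually blocks; the `in-addr.arpa` queries are the sandbox resolving its own peers and should not be pushed to a blocklist.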
Files
memory/1336-54-0x0000000001000000-0x0000000001010000-memory.dmp
memory/1336-55-0x0000000000340000-0x0000000000350000-memory.dmp
memory/1336-56-0x000000001B000000-0x000000001B080000-memory.dmp
memory/1336-57-0x00000000006B0000-0x00000000006CA000-memory.dmp
memory/1336-58-0x0000000000A10000-0x0000000000A26000-memory.dmp
memory/1336-59-0x000000001B000000-0x000000001B080000-memory.dmp
memory/1336-60-0x000000001B000000-0x000000001B080000-memory.dmp
memory/1336-61-0x000000001B000000-0x000000001B080000-memory.dmp
memory/1336-62-0x000000001B000000-0x000000001B080000-memory.dmp
memory/1336-64-0x000000001B000000-0x000000001B080000-memory.dmp
memory/1336-63-0x000000001B000000-0x000000001B080000-memory.dmp