Malware Analysis Report

2024-11-13 15:41

Sample ID 230325-k9fw8aca64
Target Downloads.rar
SHA256 453b93a211b664c8be6ad43c584a9c4e3781ea9e51c3d9d598b4cd9719fcb7c6
Tags
upx vjw0rm wshrat persistence trojan worm asyncrat default rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V6
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

453b93a211b664c8be6ad43c584a9c4e3781ea9e51c3d9d598b4cd9719fcb7c6

Threat Level: Known bad

The file Downloads.rar was found to be: Known bad.

Malicious Activity Summary

upx vjw0rm wshrat persistence trojan worm asyncrat default rat

Vjw0rm

AsyncRat

WSHRAT

Async RAT payload

Blocklisted process makes network request

Drops startup file

UPX packed file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-25 09:17

Signatures

UPX packed file

upx

Analysis: behavioral8

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe"

Signatures

UPX packed file

upx

Processes

C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe

"C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.133.241.8.in-addr.arpa udp
US 8.8.8.8:53 solar.huawei.com udp
NL 163.171.140.79:80 solar.huawei.com tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 79.140.171.163.in-addr.arpa udp
US 8.8.8.8:53 38.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
IE 13.69.239.74:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
NL 84.53.175.11:80 tcp

Files

memory/428-133-0x00007FF663690000-0x00007FF6637FD000-memory.dmp

memory/428-135-0x00007FF663690000-0x00007FF6637FD000-memory.dmp

memory/428-134-0x00007FF663690000-0x00007FF6637FD000-memory.dmp

memory/428-136-0x00007FF663690000-0x00007FF6637FD000-memory.dmp

memory/428-138-0x00007FF663690000-0x00007FF6637FD000-memory.dmp

memory/428-140-0x0000023FE06B0000-0x0000023FE06D2000-memory.dmp

memory/428-149-0x00007FF9EE270000-0x00007FF9EE465000-memory.dmp

memory/428-150-0x00007FF663690000-0x00007FF6637FD000-memory.dmp

memory/428-151-0x0000023FE06E0000-0x0000023FE08D5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\9e98c04e777e77b1498f4b3447b6221d.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2023|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5076 wrote to memory of 1776 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 5076 wrote to memory of 2144 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2144 wrote to memory of 1508 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\9e98c04e777e77b1498f4b3447b6221d.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"

Network

Country Destination Domain Proto
US 117.18.237.29:80 tcp
NL 95.101.78.106:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 javaautorun.duia.ro udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 8.8.8.8:53 smile4u.webredirect.org udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 8.8.8.8:53 154.146.177.139.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 13.89.178.26:443 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 67.169.210.20.in-addr.arpa udp
US 8.8.8.8:53 177.238.32.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js

MD5 b43bf8252ad3a3e446126a99e944cd4e
SHA1 c1a8971c18e14c69141d4ab9bfb2832323677a0d
SHA256 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca
SHA512 e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02

C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js

MD5 9e98c04e777e77b1498f4b3447b6221d
SHA1 00a23c268459816d8fe5d46bda86a36f06e0c374
SHA256 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3
SHA512 e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js

MD5 9e98c04e777e77b1498f4b3447b6221d
SHA1 00a23c268459816d8fe5d46bda86a36f06e0c374
SHA256 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3
SHA512 e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js

MD5 b43bf8252ad3a3e446126a99e944cd4e
SHA1 c1a8971c18e14c69141d4ab9bfb2832323677a0d
SHA256 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca
SHA512 e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02

Analysis: behavioral3

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win7-20230220-en

Max time kernel

150s

Max time network

133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js C:\Windows\System32\WScript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tenotvjsh.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\tenotvjsh.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 repo1.maven.org udp
US 199.232.192.209:443 repo1.maven.org tcp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 javaautorun.duia.ro udp
RU 23.111.200.87:5443 javaautorun.duia.ro tcp

Files

C:\Users\Admin\AppData\Roaming\tenotvjsh.txt

MD5 ec5e12b3ea2318692c2d2b74c33dfbda
SHA1 f7f6c3d3e266c7a85ec489389d5508eaa1983055
SHA256 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7
SHA512 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a

C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js

MD5 b7e9c8bac9afc434944605c2422e1ad0
SHA1 a653b478be92ecbd848bf79e175c454ebb9ccf21
SHA256 be481241ae35aed859e1b558e23fcf640e0ec5f36d1e993a085ccc499b62c465
SHA512 b790f27cce05ee3c754728489c8912501dc5c61d00639db760957697e3ea28855a81ce38634ddf2d98bf865055977c4d5dd2faaecc3a625eb090012161df2190

memory/1340-70-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1340-77-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1340-87-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1340-95-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1340-97-0x00000000000A0000-0x00000000000A1000-memory.dmp

C:\Users\Admin\tenotvjsh.txt

MD5 ec5e12b3ea2318692c2d2b74c33dfbda
SHA1 f7f6c3d3e266c7a85ec489389d5508eaa1983055
SHA256 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7
SHA512 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a

memory/1580-108-0x0000000000430000-0x0000000000431000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win10v2004-20230220-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe

"C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe"

Network

Country Destination Domain Proto
CN 120.78.151.171:8848 120.78.151.171 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 171.151.78.120.in-addr.arpa udp
US 8.8.8.8:53 254.134.241.8.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CN 120.78.151.171:6658 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.247.210.254:80 tcp
NL 173.223.113.164:443 tcp

Files

memory/1312-133-0x00000000001D0000-0x00000000001E0000-memory.dmp

memory/1312-134-0x0000000000A40000-0x0000000000A50000-memory.dmp

memory/1312-135-0x0000000000A40000-0x0000000000A50000-memory.dmp

memory/1312-136-0x0000000000A70000-0x0000000000A8A000-memory.dmp

memory/1312-137-0x0000000000A40000-0x0000000000A50000-memory.dmp

memory/1312-138-0x0000000000A40000-0x0000000000A50000-memory.dmp

memory/1312-139-0x0000000000A40000-0x0000000000A50000-memory.dmp

memory/1312-140-0x0000000000A40000-0x0000000000A50000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win7-20230220-en

Max time kernel

27s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe"

Signatures

UPX packed file

upx

Processes

C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe

"C:\Users\Admin\AppData\Local\Temp\eb6af295c348f16f2361cbe96fdc3bcb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 solar.huawei.com udp
NL 163.171.140.79:80 solar.huawei.com tcp

Files

memory/1928-54-0x000000013F2F0000-0x000000013F45D000-memory.dmp

memory/1928-55-0x000000013F2F0000-0x000000013F45D000-memory.dmp

memory/1928-56-0x000000013F2F0000-0x000000013F45D000-memory.dmp

memory/1928-57-0x000000013F2F0000-0x000000013F45D000-memory.dmp

memory/1928-58-0x000000013F2F0000-0x000000013F45D000-memory.dmp

memory/1928-60-0x0000000001B50000-0x0000000001B72000-memory.dmp

memory/1928-69-0x0000000077AC0000-0x0000000077C69000-memory.dmp

memory/1928-70-0x000000013F2F0000-0x000000013F45D000-memory.dmp

memory/1928-71-0x000000013F2F0000-0x000000013F45D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win7-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\9e98c04e777e77b1498f4b3447b6221d.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e98c04e777e77b1498f4b3447b6221d = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\9e98c04e777e77b1498f4b3447b6221d.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|7031BB36|BPOQNXYB|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2023|JavaScript N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\9e98c04e777e77b1498f4b3447b6221d.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 smile4u.webredirect.org udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp
US 139.177.146.154:4242 smile4u.webredirect.org tcp

Files

C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js

MD5 b43bf8252ad3a3e446126a99e944cd4e
SHA1 c1a8971c18e14c69141d4ab9bfb2832323677a0d
SHA256 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca
SHA512 e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02

C:\Users\Admin\AppData\Roaming\9e98c04e777e77b1498f4b3447b6221d.js

MD5 9e98c04e777e77b1498f4b3447b6221d
SHA1 00a23c268459816d8fe5d46bda86a36f06e0c374
SHA256 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3
SHA512 e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5

C:\Users\Admin\AppData\Roaming\eTnwIXREbR.js

MD5 b43bf8252ad3a3e446126a99e944cd4e
SHA1 c1a8971c18e14c69141d4ab9bfb2832323677a0d
SHA256 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca
SHA512 e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js

MD5 9e98c04e777e77b1498f4b3447b6221d
SHA1 00a23c268459816d8fe5d46bda86a36f06e0c374
SHA256 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3
SHA512 e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTnwIXREbR.js

MD5 b43bf8252ad3a3e446126a99e944cd4e
SHA1 c1a8971c18e14c69141d4ab9bfb2832323677a0d
SHA256 3d2a10980087f97455426f3486c74aeeb705f782317819687aaa44e4c0a58dca
SHA512 e30050ce894c855249fa57874aded7059912b5f7852b693ec3b015f0bd83a9a9db342b2b942a8a0074f1a2b9a78881cc23adfc5f1a2687aeb5798312a0b47d02

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9e98c04e777e77b1498f4b3447b6221d.js

MD5 9e98c04e777e77b1498f4b3447b6221d
SHA1 00a23c268459816d8fe5d46bda86a36f06e0c374
SHA256 39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3
SHA512 e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5

Analysis: behavioral4

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win10v2004-20230220-en

Max time kernel

109s

Max time network

115s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oUvEoxxwKv.js C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 3996 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1840 wrote to memory of 3996 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1840 wrote to memory of 1336 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 1840 wrote to memory of 1336 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\c72d738747f68d4f8d9e9368e47928bf.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mvxqayu.txt"

Network

Country Destination Domain Proto
DE 162.19.139.184:2222 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 javaautorun.duia.ro udp
RU 23.111.200.87:5443 javaautorun.duia.ro tcp
US 8.8.8.8:53 repo1.maven.org udp
US 8.8.8.8:53 github.com udp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
IN 20.207.73.82:443 github.com tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 8.8.8.8:53 209.192.232.199.in-addr.arpa udp
US 8.8.8.8:53 82.73.207.20.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
NL 8.238.179.126:80 N/A tcp
NL 173.223.113.164:443 N/A tcp
NL 173.223.113.131:80 N/A tcp
US 131.253.33.203:80 N/A tcp
US 13.107.42.16:443 N/A tcp

Files

C:\Users\Admin\AppData\Roaming\oUvEoxxwKv.js

MD5 b7e9c8bac9afc434944605c2422e1ad0
SHA1 a653b478be92ecbd848bf79e175c454ebb9ccf21
SHA256 be481241ae35aed859e1b558e23fcf640e0ec5f36d1e993a085ccc499b62c465
SHA512 b790f27cce05ee3c754728489c8912501dc5c61d00639db760957697e3ea28855a81ce38634ddf2d98bf865055977c4d5dd2faaecc3a625eb090012161df2190

C:\Users\Admin\AppData\Roaming\mvxqayu.txt

MD5 ec5e12b3ea2318692c2d2b74c33dfbda
SHA1 f7f6c3d3e266c7a85ec489389d5508eaa1983055
SHA256 056579d3948044c01ffa21dd8a14f7c4109efd25e609055e24a37cb6db603ef7
SHA512 0c91246971bb23ba3801b348ca8148c048de43c4caa7912b681868e471f5a0f080f2969e8fda1b04a002a81b403bddb22b62496b8eee75814cb691391ad5851a

memory/1336-150-0x0000000001200000-0x0000000001201000-memory.dmp

memory/1336-169-0x0000000001200000-0x0000000001201000-memory.dmp

memory/1336-181-0x0000000001200000-0x0000000001201000-memory.dmp

memory/1336-197-0x0000000001200000-0x0000000001201000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-03-25 09:17

Reported

2023-03-25 09:20

Platform

win7-20230220-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe

"C:\Users\Admin\AppData\Local\Temp\cc03a8f9433b57e4ea8a87544dde5470.exe"

Network

Country Destination Domain Proto
CN 120.78.151.171:8848 120.78.151.171 tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp
CN 120.78.151.171:6658 N/A tcp

Files

memory/1336-54-0x0000000001000000-0x0000000001010000-memory.dmp

memory/1336-55-0x0000000000340000-0x0000000000350000-memory.dmp

memory/1336-56-0x000000001B000000-0x000000001B080000-memory.dmp

memory/1336-57-0x00000000006B0000-0x00000000006CA000-memory.dmp

memory/1336-58-0x0000000000A10000-0x0000000000A26000-memory.dmp

memory/1336-59-0x000000001B000000-0x000000001B080000-memory.dmp

memory/1336-60-0x000000001B000000-0x000000001B080000-memory.dmp

memory/1336-61-0x000000001B000000-0x000000001B080000-memory.dmp

memory/1336-62-0x000000001B000000-0x000000001B080000-memory.dmp

memory/1336-64-0x000000001B000000-0x000000001B080000-memory.dmp

memory/1336-63-0x000000001B000000-0x000000001B080000-memory.dmp