Malware Analysis Report

2024-10-19 09:24

Sample ID 230810-pwr5jsef6s
Target PurchaseOrder.XLS.js
SHA256 e3c938b4f4fe140677bb420c68b052b4473cfc1135b223871ade67706a3d16b3
Tags
warzonerat wshrat infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e3c938b4f4fe140677bb420c68b052b4473cfc1135b223871ade67706a3d16b3

Threat Level: Known bad

The file PurchaseOrder.XLS.js was found to be: Known bad.

Malicious Activity Summary

warzonerat wshrat infostealer persistence rat spyware stealer trojan

WarzoneRat, AveMaria

WSHRAT

Warzone RAT payload

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 12:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 12:41

Reported

2023-08-10 12:43

Platform

win7-20230712-en

Max time kernel

150s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.XLS.js

Signatures

WSHRAT

trojan wshrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
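The startup-folder drop and the three Run values above (the same entries appear in the behavioral2 run) are the sample's persistence. The Python below is an added example written for this page, not sandbox output or tooling from the report: it parses the indicator rows exactly as printed, undoes the sandbox's string escaping, and records why each entry is suspicious. The script-host list, the user-writable path fragments and the script extensions are assumptions chosen for illustration; the indicator rows themselves are copied from the tables above.

```python
import re
from dataclasses import dataclass, field

# Indicator rows copied verbatim from the "Drops startup file" and
# "Adds Run key to start application" tables of the behavioral1 run.
INDICATORS = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs C:\Windows\System32\WScript.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\"" C:\Windows\System32\WScript.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\"" C:\Windows\System32\WScript.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A',
]

RUN_KEY = re.compile(r'^Set value \(str\) (?P<key>\S+\\CurrentVersion\\Run\\\S+) = "(?P<value>.*)" (?P<proc>\S+) N/A$')
STARTUP = re.compile(r'^File (?:created|opened for modification) (?P<path>.*\\Start Menu\\Programs\\Startup\\\S+) (?P<proc>\S+) N/A$')

# Assumed lists, chosen for illustration: script hosts commonly abused as autorun
# launchers, path fragments an unprivileged user can write to (the last one also
# matches the odd "Local\Tempwinlogon.exe" path recorded above), and script extensions.
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'regsvr32.exe', 'rundll32.exe'}
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\users\\public\\', '\\local\\temp')
SCRIPT_EXTS = ('.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta')


@dataclass
class Finding:
    mechanism: str                  # 'run_key' or 'startup_folder'
    location: str                   # registry value path or dropped file path
    command: str                    # what executes at logon, unescaped
    writer: str                     # process that created the persistence
    reasons: list = field(default_factory=list)


def unescape(value: str) -> str:
    """Undo the sandbox's C-style escaping: backslash-quote -> quote, double backslash -> backslash."""
    return re.sub(r'\\(.)', r'\1', value)


def hive(key: str) -> str:
    if key.startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM'
    if key.startswith('\\REGISTRY\\USER\\'):
        return 'HKCU'
    return 'unknown'


def assess_path(path: str, reasons: list) -> None:
    low = path.lower()
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append(f'payload sits in a user-writable location: {path}')
    if low.endswith(SCRIPT_EXTS):
        reasons.append(f'payload is a script, not a signed binary: {path}')


def classify_run_key(m: re.Match) -> Finding:
    command = unescape(m['value'])
    f = Finding('run_key', m['key'], command, m['proc'])
    tokens = command.split()
    launcher = tokens[0].rsplit('\\', 1)[-1].lower() if tokens else ''
    if launcher in SCRIPT_HOSTS:
        f.reasons.append(f'autorun goes through a script host ({launcher})')
    if '//b' in (t.lower() for t in tokens):
        f.reasons.append('wscript //B (batch mode) suppresses errors and prompts, so the user sees nothing')
    quoted = re.findall(r'"([^"]+)"', command)       # the payload is the last quoted path, if any
    assess_path(quoted[-1] if quoted else command, f.reasons)
    h = hive(m['key'])
    name = m['key'].rsplit('\\', 1)[-1]
    scope = 'machine-wide, needs elevated rights to write' if h == 'HKLM' else 'per-user'
    f.reasons.append(f'{h} Run value {name} ({scope})')
    return f


def classify_startup(m: re.Match) -> Finding:
    f = Finding('startup_folder', m['path'], m['path'], m['proc'])
    f.reasons.append('file dropped in the per-user Startup folder runs at every interactive logon')
    assess_path(m['path'], f.reasons)
    return f


def find_persistence(lines):
    findings = []
    for line in lines:
        m = RUN_KEY.match(line)
        if m:
            findings.append(classify_run_key(m))
            continue
        m = STARTUP.match(line)
        if m:
            findings.append(classify_startup(m))
    return findings


if __name__ == '__main__':
    for f in find_persistence(INDICATORS):
        print(f'[{f.mechanism}] {f.location}\n    runs: {f.command}\n    written by: {f.writer}')
        for r in f.reasons:
            print('    -', r)
```

The same two checks map directly onto Sysmon telemetry: the Run values are Event ID 13 (registry value set) records and the Startup-folder drop is an Event ID 11 (FileCreate) record, so the regexes are the only part that changes when the input is a real event log rather than a sandbox table.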

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2224 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2364 wrote to memory of 2224 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2364 wrote to memory of 2224 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2224 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2224 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2224 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 2372 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 2372 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 2372 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 1712 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe
PID 1712 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe
PID 1712 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe
PID 1712 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe
PID 2176 wrote to memory of 2976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 2976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
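Read as a graph, the rows above are the full launch chain of the sample: the .js loader starts SGTICY.vbs, which starts aug.vbs, which writes the Warzone binary to disk and runs it, and the binary copies itself to ProgramData and spawns cmd.exe (behavioral2 shows the same chain with different PIDs). The Python below is an added example, not part of the report: it collapses the repeated rows into parent/child edges, reconstructs the process tree, and picks out the edges a detection rule should key on. The script-host list and the user-writable path fragments are assumptions for illustration; the rows are the table above.

```python
import re
from collections import Counter, defaultdict

# All twenty rows of the behavioral1 "Suspicious use of WriteProcessMemory" table, reproduced
# with their repeat counts.  The repeats are real: the sandbox logs one row per write, and a
# parent writes into a freshly created child several times while setting it up.
WPM_ROWS = [row for row, repeats in [
    (r'PID 2364 wrote to memory of 2224 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe', 3),
    (r'PID 2224 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe', 3),
    (r'PID 2372 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe', 4),
    (r'PID 1712 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe', 4),
    (r'PID 2176 wrote to memory of 2976 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe', 6),
] for _ in range(repeats)]

EDGE = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$')

SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe'}               # assumed list, illustration only
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\users\\public\\')  # assumed path fragments


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def parse_edges(rows):
    """Collapse the rows into {(ppid, pid): write_count} and {pid: image path}."""
    counts, image = Counter(), {}
    for row in rows:
        m = EDGE.match(row)
        if not m:
            continue
        ppid, pid = int(m['ppid']), int(m['pid'])
        counts[(ppid, pid)] += 1
        image[ppid], image[pid] = m['pimg'], m['cimg']
    return counts, image


def build_tree(counts):
    """Adjacency list plus the pids that never appear as a child (the roots)."""
    children = defaultdict(list)
    for ppid, pid in counts:
        children[ppid].append(pid)
    has_parent = {pid for _, pid in counts}
    roots = sorted({ppid for ppid, _ in counts if ppid not in has_parent})
    return children, roots


def lineage(children, root):
    """Pre-order walk from root; returns the pids in launch order."""
    out = [root]
    for child in sorted(children.get(root, [])):
        out.extend(lineage(children, child))
    return out


def chain_string(image, pids):
    return ' -> '.join(basename(image[p]) for p in pids)


def suspicious_edges(counts, image):
    """Parent/child pairs worth a detection rule, regardless of how many writes occurred."""
    hits = []
    for ppid, pid in counts:
        parent, child = image[ppid], image[pid]
        if basename(parent) in SCRIPT_HOSTS and basename(child) not in SCRIPT_HOSTS and user_writable(child):
            hits.append((ppid, pid, 'script host launched an executable from a user-writable path'))
        elif user_writable(parent) and basename(child) == 'cmd.exe':
            hits.append((ppid, pid, 'executable in a user-writable path spawned cmd.exe'))
        elif user_writable(parent) and user_writable(child):
            hits.append((ppid, pid, 'user-writable executable launched another user-writable executable (staging copy)'))
    return hits


if __name__ == '__main__':
    counts, image = parse_edges(WPM_ROWS)
    children, roots = build_tree(counts)
    for root in roots:
        print('chain:', chain_string(image, lineage(children, root)))
    for ppid, pid, why in suspicious_edges(counts, image):
        print(f'{ppid} -> {pid}: {basename(image[ppid])} -> {basename(image[pid])}: {why}')
```

The writes themselves are what process creation looks like from the outside (the parent populates the new child's address space before it runs), so the signal is the lineage, not the WriteProcessMemory call. On an endpoint the same three edges are visible as Sysmon Event ID 1 records with their ParentImage/Image pair, which is where a production rule would read them from.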

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.XLS.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SGTICY.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onedirve.info udp
US 162.254.39.140:80 onedirve.info tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:49746 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 172.217.168.196:80 www.google.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
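Four things in the network tables (this run and behavioral2) are worth turning into detections: the repeated TCP connections to 103.47.144.15:7045, the dynamic-DNS hostname chongmei33.publicvm.com in front of it, the ip-api.com lookup, and the look-alike domain onedirve.info. The Python below is an added example written for this page, not sandbox tooling: it parses a representative subset of the rows above, drops the sandbox's reverse-DNS noise, and emits one finding per pattern. The common-port set, beacon threshold, dynamic-DNS suffix list and brand list are assumptions chosen for illustration; the rows are from the tables above.

```python
import re
from collections import Counter

# A representative subset of the Network rows from the two runs above.  The full tables
# repeat the 103.47.144.15:7045 row many more times; one in-addr.arpa row from behavioral2
# is included to show that reverse lookups get filtered out.
NET_ROWS = [
    'US 8.8.8.8:53 onedirve.info udp',
    'US 162.254.39.140:80 onedirve.info tcp',
    'US 8.8.8.8:53 ip-api.com udp',
    'US 208.95.112.1:80 ip-api.com tcp',
    'US 8.8.8.8:53 chongmei33.publicvm.com udp',
    'SG 103.47.144.15:7045 chongmei33.publicvm.com tcp',
    'SG 103.47.144.15:49746 chongmei33.publicvm.com tcp',
    'SG 103.47.144.15:7045 chongmei33.publicvm.com tcp',
    'SG 103.47.144.15:7045 chongmei33.publicvm.com tcp',
    'NL 172.217.168.196:80 www.google.com tcp',
    'NL 5.206.225.104:80 tcp',
    'SG 103.47.144.15:7045 chongmei33.publicvm.com tcp',
    'NL 5.206.225.104:80 tcp',
    'US 8.8.8.8:53 15.144.47.103.in-addr.arpa udp',
]

# The Domain column is empty for some rows, so it is optional in the pattern.
ROW = re.compile(r'^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$')

COMMON_PORTS = {53, 80, 443}                   # assumption: ports not considered unusual on their own
BEACON_MIN = 3                                 # assumption: repeat count that counts as beaconing
DYNDNS_SUFFIXES = ('.publicvm.com',)           # assumption: short list; publicvm.com is the provider seen here
IP_LOOKUP_HOSTS = {'ip-api.com'}               # the external-IP web service named in the report
BRANDS = ('onedrive', 'google', 'microsoft')   # assumption: labels to compare against for look-alikes


def parse_rows(rows):
    conns = []
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        domain = m['domain'] or ''
        if domain.endswith('.in-addr.arpa'):    # sandbox reverse lookups, not malware traffic
            continue
        conns.append({'cc': m['cc'], 'ip': m['ip'], 'port': int(m['port']), 'domain': domain, 'proto': m['proto']})
    return conns


def levenshtein(a, b):
    """Plain edit distance; a transposition such as onedirve/onedrive costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain):
    labels = domain.split('.')
    return labels[-2] if len(labels) >= 2 else domain


def assess(rows):
    conns = parse_rows(rows)
    tcp = Counter((c['ip'], c['port'], c['domain']) for c in conns if c['proto'] == 'tcp')
    findings, seen_domains = [], set()
    for (ip, port, domain), n in tcp.items():
        if port not in COMMON_PORTS and n >= BEACON_MIN:
            findings.append(('beacon', f'{ip}:{port}', f'{n} tcp connections to a non-standard port in one detonation'))
        if not domain:
            findings.append(('direct_ip', f'{ip}:{port}', f'{n} connections with no hostname in the capture'))
        if domain in seen_domains:
            continue
        seen_domains.add(domain)
        if domain.endswith(DYNDNS_SUFFIXES):
            findings.append(('dyndns', domain, 'hostname on a free dynamic-DNS provider'))
        if domain in IP_LOOKUP_HOSTS:
            findings.append(('geo', domain, 'external IP / geolocation lookup, a common first beacon'))
        sld = second_level(domain)
        for brand in BRANDS:
            d = levenshtein(sld, brand)
            if 0 < d <= 2:
                findings.append(('lookalike', domain, f'label "{sld}" is edit distance {d} from "{brand}"'))
    return findings


if __name__ == '__main__':
    for kind, target, why in assess(NET_ROWS):
        print(f'{kind:10} {target:30} {why}')
```

The beacon rule is deliberately blind to the hostname: if the operator rotates the publicvm.com subdomain, the repeated connections to one IP and one unusual port still trip it, while the dynamic-DNS and look-alike rules catch the infrastructure even when it has been moved to a fresh port.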

Files

C:\Users\Admin\AppData\Local\Temp\SGTICY.vbs

MD5 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1 dd7e2daa860b045e8b683407ab653c75df13256a
SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs

MD5 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1 dd7e2daa860b045e8b683407ab653c75df13256a
SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

C:\Users\Admin\AppData\Local\Temp\aug.vbs

MD5 2725abf432ceeca35be3ac737c3f0847
SHA1 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512 a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

memory/2976-82-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2976-84-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\json[1].json

MD5 149c2823b7eadbfb0a82388a2ab9494f
SHA1 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c
SHA256 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869
SHA512 f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

memory/2176-102-0x00000000035D0000-0x0000000003654000-memory.dmp

memory/2176-107-0x00000000035D0000-0x0000000003654000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 12:41

Reported

2023-08-10 12:43

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.XLS.js

Signatures

WSHRAT

trojan wshrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGTICY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGTICY.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 3660 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 4948 wrote to memory of 3660 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 3660 wrote to memory of 4400 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 3660 wrote to memory of 4400 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 4400 wrote to memory of 2024 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 4400 wrote to memory of 2024 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 4400 wrote to memory of 2024 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 2024 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe
PID 2024 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe
PID 2024 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe C:\ProgramData\images.exe
PID 1484 wrote to memory of 5056 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 5056 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 5056 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 5056 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 5056 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.XLS.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SGTICY.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onedirve.info udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 162.254.39.140:80 onedirve.info tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 140.39.254.162.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 15.144.47.103.in-addr.arpa udp
SG 103.47.144.15:49746 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 172.217.168.196:80 www.google.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
SG 103.47.144.15:7045 chongmei33.publicvm.com tcp
NL 5.206.225.104:80 tcp
SG 103.47.144.15:7045 tcp

Files

C:\Users\Admin\AppData\Local\Temp\SGTICY.vbs

MD5 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1 dd7e2daa860b045e8b683407ab653c75df13256a
SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGTICY.vbs

MD5 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1 dd7e2daa860b045e8b683407ab653c75df13256a
SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

C:\Users\Admin\AppData\Local\Temp\aug.vbs

MD5 2725abf432ceeca35be3ac737c3f0847
SHA1 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512 a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

memory/5056-157-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RSFEJP46\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

memory/1484-170-0x00000000033D0000-0x0000000003454000-memory.dmp