wshrat | 2161b5dd86e081eda035a9f959c1fc740b6ac31a47791eb7ce457965335cb5c5

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2023 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SoftBankNDA.js
Size

21KB
MD5

c8f19fa9f346f7409e3bba98c1e3f058
SHA1

d857192d59c0ce2196925ce59436e0e36d94b6ee
SHA256

645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808
SHA512

cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326
SSDEEP

384:n/+tc8v+YhrKZKZXeX5U7CP9fD0eX5GrnB63vQOaSDsvkysjqFJ8TatW8TaUxTam:n/+tbv+YhdZXeXic9fD0eXknB6Y6Dsv7

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://homesafe1000.duckdns.org:1604

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 31 IoCs

flow	pid	Process
7	2140	wscript.exe
10	2140	wscript.exe
19	2140	wscript.exe
27	2140	wscript.exe
33	2140	wscript.exe
34	2140	wscript.exe
35	2140	wscript.exe
36	2140	wscript.exe
49	2140	wscript.exe
60	2140	wscript.exe
61	2140	wscript.exe
62	2140	wscript.exe
63	2140	wscript.exe
64	2140	wscript.exe
67	2140	wscript.exe
70	2140	wscript.exe
71	2140	wscript.exe
72	2140	wscript.exe
73	2140	wscript.exe
75	2140	wscript.exe
76	2140	wscript.exe
77	2140	wscript.exe
78	2140	wscript.exe
79	2140	wscript.exe
80	2140	wscript.exe
81	2140	wscript.exe
85	2140	wscript.exe
87	2140	wscript.exe
88	2140	wscript.exe
89	2140	wscript.exe
90	2140	wscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftBankNDA.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftBankNDA.js	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
5100	svchost.exe
112	svchost.exe
4108	svchost.exe
64	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftBankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftBankNDA.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftBankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftBankNDA.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftBankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftBankNDA.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftBankNDA = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SoftBankNDA.js\""	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5100 set thread context of 112	5100	svchost.exe	103
PID 4108 set thread context of 64	4108	svchost.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4472	schtasks.exe
4268	schtasks.exe

Script User-Agent 31 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	61	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	70	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	79	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	33	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	62	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	75	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	89	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	81	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	87	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	27	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	49	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	64	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	73	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	80	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	60	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	36	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	85	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	78	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	19	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	34	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	63	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	67	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	76	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	88	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	90	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	7	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	35	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	71	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	72	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript
HTTP User-Agent header	77	WSHRAT\|1EFF53AE\|KMGZTCGZ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 14/9/2023\|JavaScript

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
64	svchost.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2140	2188	wscript.exe	83
PID 2188 wrote to memory of 2140	2188	wscript.exe	83
PID 2140 wrote to memory of 5100	2140	wscript.exe	87
PID 2140 wrote to memory of 5100	2140	wscript.exe	87
PID 2140 wrote to memory of 5100	2140	wscript.exe	87
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 112	5100	svchost.exe	103
PID 5100 wrote to memory of 100	5100	svchost.exe	104
PID 5100 wrote to memory of 100	5100	svchost.exe	104
PID 5100 wrote to memory of 100	5100	svchost.exe	104
PID 5100 wrote to memory of 4424	5100	svchost.exe	105
PID 5100 wrote to memory of 4424	5100	svchost.exe	105
PID 5100 wrote to memory of 4424	5100	svchost.exe	105
PID 5100 wrote to memory of 4464	5100	svchost.exe	106
PID 5100 wrote to memory of 4464	5100	svchost.exe	106
PID 5100 wrote to memory of 4464	5100	svchost.exe	106
PID 4424 wrote to memory of 4472	4424	cmd.exe	110
PID 4424 wrote to memory of 4472	4424	cmd.exe	110
PID 4424 wrote to memory of 4472	4424	cmd.exe	110
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 64	4108	svchost.exe	113
PID 4108 wrote to memory of 636	4108	svchost.exe	114
PID 4108 wrote to memory of 636	4108	svchost.exe	114
PID 4108 wrote to memory of 636	4108	svchost.exe	114
PID 4108 wrote to memory of 4988	4108	svchost.exe	115
PID 4108 wrote to memory of 4988	4108	svchost.exe	115
PID 4108 wrote to memory of 4988	4108	svchost.exe	115
PID 4108 wrote to memory of 3848	4108	svchost.exe	117
PID 4108 wrote to memory of 3848	4108	svchost.exe	117
PID 4108 wrote to memory of 3848	4108	svchost.exe	117
PID 4988 wrote to memory of 4268	4988	cmd.exe	120
PID 4988 wrote to memory of 4268	4988	cmd.exe	120
PID 4988 wrote to memory of 4268	4988	cmd.exe	120

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\SoftBankNDA.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SoftBankNDA.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:112
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      PID:100
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        Creates scheduled task(s)
        
        PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:4464

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: SetClipboardViewer
  PID:64
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:636
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftBankNDA.js

Filesize
21KB

MD5
c8f19fa9f346f7409e3bba98c1e3f058

SHA1
d857192d59c0ce2196925ce59436e0e36d94b6ee

SHA256
645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

SHA512
cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326

Download Submit
C:\Users\Admin\AppData\Roaming\SoftBankNDA.js

Filesize
21KB

MD5
c8f19fa9f346f7409e3bba98c1e3f058

SHA1
d857192d59c0ce2196925ce59436e0e36d94b6ee

SHA256
645074638e8c896237a2340918cb99558103c717bbcb20a483651e6e242c5808

SHA512
cf214cd1c41ee8b42e1f1ea55d61802a1f35d89626406e02bed1874dfae15ccd24629c7ec2bf0686131691fdd8efefd4d91833afad6c3976fb908c69c4f2f326

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
322KB

MD5
431e978fce00a21289c3d958c0190f83

SHA1
1c0df89dd89160455b5696d2ae37e53451fd67f5

SHA256
03677e5a163e5beca94ec01231e799c1e7fd763f44e09811accef10b870ee24b

SHA512
60465ebb8fc7c09ff93d758fa1aecb6342b87c696aeafe5cf89a36e2ee6c5667fb75cf2a7e6105b33650008b668c43b2b7dad2ddf87b139752cb6e58481bcf9f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
322KB

MD5
431e978fce00a21289c3d958c0190f83

SHA1
1c0df89dd89160455b5696d2ae37e53451fd67f5

SHA256
03677e5a163e5beca94ec01231e799c1e7fd763f44e09811accef10b870ee24b

SHA512
60465ebb8fc7c09ff93d758fa1aecb6342b87c696aeafe5cf89a36e2ee6c5667fb75cf2a7e6105b33650008b668c43b2b7dad2ddf87b139752cb6e58481bcf9f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
322KB

MD5
431e978fce00a21289c3d958c0190f83

SHA1
1c0df89dd89160455b5696d2ae37e53451fd67f5

SHA256
03677e5a163e5beca94ec01231e799c1e7fd763f44e09811accef10b870ee24b

SHA512
60465ebb8fc7c09ff93d758fa1aecb6342b87c696aeafe5cf89a36e2ee6c5667fb75cf2a7e6105b33650008b668c43b2b7dad2ddf87b139752cb6e58481bcf9f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
322KB

MD5
431e978fce00a21289c3d958c0190f83

SHA1
1c0df89dd89160455b5696d2ae37e53451fd67f5

SHA256
03677e5a163e5beca94ec01231e799c1e7fd763f44e09811accef10b870ee24b

SHA512
60465ebb8fc7c09ff93d758fa1aecb6342b87c696aeafe5cf89a36e2ee6c5667fb75cf2a7e6105b33650008b668c43b2b7dad2ddf87b139752cb6e58481bcf9f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
322KB

MD5
431e978fce00a21289c3d958c0190f83

SHA1
1c0df89dd89160455b5696d2ae37e53451fd67f5

SHA256
03677e5a163e5beca94ec01231e799c1e7fd763f44e09811accef10b870ee24b

SHA512
60465ebb8fc7c09ff93d758fa1aecb6342b87c696aeafe5cf89a36e2ee6c5667fb75cf2a7e6105b33650008b668c43b2b7dad2ddf87b139752cb6e58481bcf9f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
322KB

MD5
431e978fce00a21289c3d958c0190f83

SHA1
1c0df89dd89160455b5696d2ae37e53451fd67f5

SHA256
03677e5a163e5beca94ec01231e799c1e7fd763f44e09811accef10b870ee24b

SHA512
60465ebb8fc7c09ff93d758fa1aecb6342b87c696aeafe5cf89a36e2ee6c5667fb75cf2a7e6105b33650008b668c43b2b7dad2ddf87b139752cb6e58481bcf9f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
322KB

MD5
431e978fce00a21289c3d958c0190f83

SHA1
1c0df89dd89160455b5696d2ae37e53451fd67f5

SHA256
03677e5a163e5beca94ec01231e799c1e7fd763f44e09811accef10b870ee24b

SHA512
60465ebb8fc7c09ff93d758fa1aecb6342b87c696aeafe5cf89a36e2ee6c5667fb75cf2a7e6105b33650008b668c43b2b7dad2ddf87b139752cb6e58481bcf9f

Download Submit
memory/64-65-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/112-37-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/112-36-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/112-41-0x0000000005BD0000-0x0000000005BDA000-memory.dmp

Filesize
40KB

Download
memory/112-43-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/112-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4108-49-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4108-52-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4108-66-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-38-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-22-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-19-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/5100-18-0x0000000000B60000-0x0000000000BB6000-memory.dmp

Filesize
344KB

Download
memory/5100-17-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads