wshrat | 47d9609b24eb159a6948190c0cd6e1619ab9437f17ea5e3967d0065b3b2cb1d8

Analysis

max time kernel
138s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
08-05-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js
Size

830KB
MD5

3f2a1c1daacef7c9dc6f69c5362c9928
SHA1

3ce5d81226174c6c048313b9702fec63491eb339
SHA256

0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c
SHA512

d325873f1fd3bf4393ce60329451874b2a7543c5c3068fd0427030f761f20f9e8539fed72ff24155cfc6d7d609a997c1ceb91cc643a79732c0a2bf97c731eee9
SSDEEP

24576:hKDnslywYmw3SkKNuhf+0s3S3PnukeZauv/k5IgPZ5i:hKbstYmw3SNwhm0CSfgauvmLi

Score

10^/10

wshrat execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://masterokrwh.duckdns.org:8426

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 28 IoCs

flow	pid	Process
2	4748	wscript.exe
3	4748	wscript.exe
4	4748	wscript.exe
5	4748	wscript.exe
6	4748	wscript.exe
9	4748	wscript.exe
10	4748	wscript.exe
11	4748	wscript.exe
21	4748	wscript.exe
23	4748	wscript.exe
24	4748	wscript.exe
25	4748	wscript.exe
26	4748	wscript.exe
27	4748	wscript.exe
28	4748	wscript.exe
50	4748	wscript.exe
52	4748	wscript.exe
53	4748	wscript.exe
55	4748	wscript.exe
68	4748	wscript.exe
71	4748	wscript.exe
80	4748	wscript.exe
81	4748	wscript.exe
82	4748	wscript.exe
83	4748	wscript.exe
84	4748	wscript.exe
85	4748	wscript.exe
90	4748	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
1	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	firefox.exe

Script User-Agent 22 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	83	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	68	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	24	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	26	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	50	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	80	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	85	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	10	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	25	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	27	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	53	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	81	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	84	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	23	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	28	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	52	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	55	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	71	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	11	WSHRAT\|ECBE8BE2\|UBLNJRHF\|Admin\|Microsoft Windows 11 Pro\|plus\|nan-av\|false - 8/5/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	1524	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3352	MiniSearchHost.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 4580 wrote to memory of 1524	4580	firefox.exe	85
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 2852	1524	firefox.exe	86
PID 1524 wrote to memory of 1284	1524	firefox.exe	87
PID 1524 wrote to memory of 1284	1524	firefox.exe	87
PID 1524 wrote to memory of 1284	1524	firefox.exe	87
PID 1524 wrote to memory of 1284	1524	firefox.exe	87
PID 1524 wrote to memory of 1284	1524	firefox.exe	87
PID 1524 wrote to memory of 1284	1524	firefox.exe	87
PID 1524 wrote to memory of 1284	1524	firefox.exe	87
PID 1524 wrote to memory of 1284	1524	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:4748

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01c98074-fe3f-44e2-8e26-c18c9f185418} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" gpu
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2360 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {289c782f-0151-4c11-8af6-4e3ed8efb192} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" socket
    3⤵
    - Checks processor information in registry
    PID:1284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2996 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ee998aa-5557-4d77-93c4-007c66030e33} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2290a5ef-5534-4e26-b6b8-a0997ffc80c3} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:2772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4412 -prefMapHandle 4404 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22b8acd-e3ac-43d5-b583-2667b8704a5f} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" utility
    3⤵
    - Checks processor information in registry
    PID:3752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5328 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3df7a445-8abb-4d1a-9bb6-07cc7ca1539e} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:5464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5308 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a5ae30-c2ab-4a5c-9c20-25f2186439c1} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5688 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db7c0775-b42f-4bac-ac42-b2de7f93df34} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:5488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
18951ad4190ed728ba23e932e0c6e0db

SHA1
fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0

SHA256
66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915

SHA512
a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js

Filesize
830KB

MD5
3f2a1c1daacef7c9dc6f69c5362c9928

SHA1
3ce5d81226174c6c048313b9702fec63491eb339

SHA256
0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c

SHA512
d325873f1fd3bf4393ce60329451874b2a7543c5c3068fd0427030f761f20f9e8539fed72ff24155cfc6d7d609a997c1ceb91cc643a79732c0a2bf97c731eee9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\AlternateServices.bin

Filesize
7KB

MD5
5858faf7900ef7f658da524c4e90451d

SHA1
a98de0687b031b7e259806ea9a6fa6e3fbbf26af

SHA256
199af30609ba552c18a7656b64aa1b388d56ffc303e33af3d6793f793aaec27b

SHA512
b5efac6b2b29c8ad584ae3bc550e18083249ed76c3472027d0b916b96c161c84dab85d2fc7e4877585759913e244d92d48bed69d4a2892655cc803f13f558201

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
cec04f700344308a5199f6f4222403cd

SHA1
a01ce98a4823c74d7df1375e7bc567cfcc27fcdb

SHA256
1aa08decf0cdf374d59462a0093f61a48ed46fa7bbb7be2b842f86380579d6e5

SHA512
ed4dfe22225d87705e6daff2b50362a60db3339ccc033139b108dcbcd0f82f877fd8082386c5242b506463aeef5cf04e9aec3efcf65b587e3340e7dc93daa432

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\47ead327-4ed3-4d45-aac8-ca4d4d36b246

Filesize
671B

MD5
a30a509911089d8b64bc0ab12905bd5f

SHA1
3bb68e92b5de8ec6579a1ab42d030410365fea98

SHA256
78391499df8ec589a0aff43e3e33b143d1cb4ebbd628d1b2646c19f5653ee73c

SHA512
f0bbd260b02bd94c06a05ffaf75376db59942d162858a515f443ab9beeb69a0563c9ec6a3557e8e11abf2df12093e08ae48c8e637ae98615394c25a542207f66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\59efa2cc-43aa-4b1f-9e5c-f8a124f97cc5

Filesize
25KB

MD5
142c9b2af9d3507df3694f693a1c5c9e

SHA1
785f8d1be4195b8604ced4b299f3ffa5306a3f6d

SHA256
d529a2820c89d679a379950c95bb9c4e64c8cbdf9e916f5545f4cc061bfb1d93

SHA512
e8c22f5589a6c67d504215fdd534ca555b253a64f66c642e0282e5c45b2b18189016e0862338ee67d1ffbd7b2bd8ea39c878e528cbbc3c27ce3965e67cc84f9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\a210f2ac-42fe-4df0-b4bb-1ff19e79911d

Filesize
982B

MD5
baf148ae7f040aa1e4eef3ad81846caa

SHA1
63ae5001fb36efe342f7d8744afe7b8b9d749014

SHA256
56155eb4d9a35f68cba6ab1ea1385269f85656101b744404563c6a6c8a93536a

SHA512
66ad50a0ea09e37e7a12046e8fea4f7b0d14399ba16cfd234f7a62d1d1d2a34b498ee05f4b6cb9bdbb0f6597ee6869783c4179b7501172d3aa3aa2ab33c092d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
9KB

MD5
bafa02d0495f0faa4c26ef37d99e4e89

SHA1
3a3fc16fc1017e7ef280e46f9f1526d17f4cc487

SHA256
79735834024055fe7c08b67a9e48b563dd61815727e8a3b4846a531330186074

SHA512
1720580e8f37372e773738f4f9ad37fc2836506f40aa04b47876fcca7eaa47a86810c95f3d45fcc4f092862e4d34442757b00d60f4e77839916333ae4446028e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
8KB

MD5
6380bec47a00b3c0fbc51b0f215a2adc

SHA1
a3898a8820800ac6aa514c95285ccc44b5991473

SHA256
3b3a632fc9286319492dbe1d81eb5056c27b9bc58fde2a40f605a866bf08ba3d

SHA512
fd6c5b512b75c8237a8b6ae4de3d3675c5e858dc149dbb49052b41a6d5357b65a7632c7c2bc6ef501cdd0567422b92d21a1c53a647226c713c9be18c90aa8c48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs.js

Filesize
8KB

MD5
cabb99c52b1a0db86e6b9f5aa1098a1e

SHA1
eb61e1954def0024515cda3f7b040417a6eaf050

SHA256
7673cde3b6bd52c3f1e3d608d75d3d6464b5a90729cdc23ea403c9907200188d

SHA512
ff3b305d5d9b1e458a71dcb676c3b35ddbf701c2aa17077bbe16c140880b6f5d251e6684aa2bb083db7cd39392b8cf1600cffa6eb846b48fda4a02259bc54d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs.js

Filesize
8KB

MD5
4bc3fac1b21c1298cd94a43422960bf0

SHA1
749cb3b5cf6ac995fe68035041382de40b15fd3b

SHA256
1f6b32ffd1ae9b588c4f82517fc27cb3b068a9551307fa4263d65d32192d7dfa

SHA512
82161e56816a10dab8d6c52cde1fb140d7f68512ba9d295b9323491a0647d9745d85640f76845724d61d1ba80e5c5743d6b99f9c1c0d9cf4c70378207f058f80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads