WSF Downloads Payload that Sets-up a Server to Accept Incoming Connections | VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 41 |
| VTI Rule Type | Scripts |
|
File System |
|
|
|
Create many files
|
|
|
Create above average number of files.
|
||
|
|
Injection |
|
|
|
Write into memory of another process
|
|
|
"c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe" modifies memory of "c:\windows\system32\svchost.exe"
|
||
|
"c:\windows\system32\svchost.exe" modifies memory of "c:\windows\explorer.exe"
|
||
|
"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\runtimebroker.exe"
|
||
|
"c:\windows\explorer.exe" modifies memory of "c:\program files\windows mail\winmail.exe"
|
||
|
"c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe" modifies memory of "c:\windows\system32\svchost.exe"
|
||
|
|
Modify control flow of another process
|
|
|
"c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe" alters context of "c:\windows\system32\svchost.exe"
|
||
|
"c:\windows\system32\svchost.exe" alters context of "c:\windows\explorer.exe"
|
||
|
"c:\windows\explorer.exe" alters context of "c:\windows\system32\runtimebroker.exe"
|
||
|
"c:\windows\explorer.exe" alters context of "c:\program files\windows mail\winmail.exe"
|
||
|
"c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe" alters context of "c:\windows\system32\svchost.exe"
|
||
|
"c:\windows\system32\svchost.exe" creates thread in "c:\windows\explorer.exe"
|
||
|
"c:\windows\explorer.exe" creates thread in "c:\windows\system32\runtimebroker.exe"
|
||
|
|
Network |
|
|
|
Setup server that accepts incoming connections
|
|
|
TCP server listen on port "49430".
|
||
|
|
Reputation URL lookup
|
|
|
URL "https://www.apapernotion.com/wp-includes/Text/ri.php" is known as malicious URL.
|
||
|
URL "titanliquor.ca/images/A/2.tif" is known as suspicious URL.
|
||
|
|
Perform DNS request
|
|
|
Resolve host name "resolver1.opendns.com".
|
||
|
Resolve host name "87.142.152.58".
|
||
|
|
Download data
|
|
|
URL "https://www.apapernotion.com/wp-includes/Text/ri.php".
|
||
|
URL "titanliquor.ca/images/A/2.tif".
|
||
|
|
Connect to HTTP server
|
|
|
URL "https://www.atdrrtd.vs".
|
||
|
URL "https://wsfxvers.ch/fdsffffjt.ico".
|
||
|
URL "https://serfd.ch/fjgnt343.ico".
|
||
|
URL "https://www.apapernotion.com/wp-includes/Text/ri.php".
|
||
|
URL "titanliquor.ca/images/A/2.tif".
|
||
|
|
Connect to remote host
|
|
|
Outgoing TCP connection to host "193.23.244.244:443".
|
||
|
|
PE |
|
|
|
Execute dropped PE file
|
|
|
Execute dropped file "c:\users\ciihmn~1\appdata\local\temp\84526935.scr".
|
||
|
|
Drop PE file
|
|
|
Drop file "c:\users\ciihmn~1\appdata\local\temp\84526935.scr".
|
||
|
|
Persistence |
|
|
|
Install system startup script or application
|
|
|
Add "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe" to windows startup via registry.
|
||
|
|
Process |
|
|
|
Read from memory of another process
|
|
|
"c:\windows\system32\svchost.exe" reads from "c:\windows\explorer.exe".
|
||
|
"c:\windows\explorer.exe" reads from "c:\windows\system32\runtimebroker.exe".
|
||
|
"c:\windows\explorer.exe" reads from ""C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE".
|
||
|
|
Create system object
|
|
|
Create mutex with name "{BB8A49DA-DE80-A5F2-C01F-F2A9F4C346ED}".
|
||
|
Create mutex with name "{0F90C438-223E-19A7-A4B3-765D18970AE1}".
|
||
|
Create mutex with name "Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}".
|
||
|
Create mutex with name "Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}".
|
||
|
Create mutex with name "Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}".
|
||
|
Create mutex with name "{B3575357-76B9-5D62-1897-0AE1CCBBDEA5}".
|
||
|
Create nameless mutex.
|
||
|
Create mutex with name "{DB45C3D0-7EC1-C5FA-603F-92C994E3E60D}".
|
||
|
Create mutex with name "{BF4FAD76-121A-4972-1463-668D8847FA11}".
|
||
|
Create mutex with name "{2B1EAAC7-8E9D-9587-F08F-A2992433F6DD}".
|
||
|
Create mutex with name "{67DC9F31-9A2E-31AD-DC8B-6EF5D0EF82F9}".
|
||
| - | Anti Analysis | |
| - | Browser | |
| - | Device | |
| - | OS | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
