WSF Downloads Payload that Sets-up a Server to Accept Incoming Connections

VTI Information

VTI Score 100 / 100
VTI Database Version	2.6
VTI Rule Match Count	41
VTI Rule Type	Scripts

Detected Threats

	File System	Create many files
	Create above average number of files.
	Injection	Write into memory of another process
	"c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe" modifies memory of "c:\windows\system32\svchost.exe"
	"c:\windows\system32\svchost.exe" modifies memory of "c:\windows\explorer.exe"
	"c:\windows\explorer.exe" modifies memory of "c:\windows\system32\runtimebroker.exe"
	"c:\windows\explorer.exe" modifies memory of "c:\program files\windows mail\winmail.exe"
	"c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe" modifies memory of "c:\windows\system32\svchost.exe"
	Injection	Modify control flow of another process
	"c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe" alters context of "c:\windows\system32\svchost.exe"
	"c:\windows\system32\svchost.exe" alters context of "c:\windows\explorer.exe"
	"c:\windows\explorer.exe" alters context of "c:\windows\system32\runtimebroker.exe"
	"c:\windows\explorer.exe" alters context of "c:\program files\windows mail\winmail.exe"
	"c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe" alters context of "c:\windows\system32\svchost.exe"
	"c:\windows\system32\svchost.exe" creates thread in "c:\windows\explorer.exe"
	"c:\windows\explorer.exe" creates thread in "c:\windows\system32\runtimebroker.exe"
	Network	Setup server that accepts incoming connections
	TCP server listen on port "49430".
	Persistence	Install system startup script or application
	Add "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe" to windows startup via registry.
	Process	Read from memory of another process
	"c:\windows\system32\svchost.exe" reads from "c:\windows\explorer.exe".
	"c:\windows\explorer.exe" reads from "c:\windows\system32\runtimebroker.exe".
	"c:\windows\explorer.exe" reads from ""C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE".
	Network	Reputation URL lookup
	URL "https://www.apapernotion.com/wp-includes/Text/ri.php" is known as malicious URL.
	URL "titanliquor.ca/images/A/2.tif" is known as suspicious URL.
	PE	Execute dropped PE file
	Execute dropped file "c:\users\ciihmn~1\appdata\local\temp\84526935.scr".
	Network	Perform DNS request
	Resolve host name "resolver1.opendns.com".
	Resolve host name "87.142.152.58".
	Network	Download data
	URL "https://www.apapernotion.com/wp-includes/Text/ri.php".
	URL "titanliquor.ca/images/A/2.tif".
	Network	Connect to HTTP server
	URL "https://www.atdrrtd.vs".
	URL "https://wsfxvers.ch/fdsffffjt.ico".
	URL "https://serfd.ch/fjgnt343.ico".
	URL "https://www.apapernotion.com/wp-includes/Text/ri.php".
	URL "titanliquor.ca/images/A/2.tif".
	PE	Drop PE file
	Drop file "c:\users\ciihmn~1\appdata\local\temp\84526935.scr".
	Process	Create system object
	Create mutex with name "{BB8A49DA-DE80-A5F2-C01F-F2A9F4C346ED}".
	Create mutex with name "{0F90C438-223E-19A7-A4B3-765D18970AE1}".
	Create mutex with name "Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}".
	Create mutex with name "Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}".
	Create mutex with name "Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}".
	Create mutex with name "{B3575357-76B9-5D62-1897-0AE1CCBBDEA5}".
	Create nameless mutex.
	Create mutex with name "{DB45C3D0-7EC1-C5FA-603F-92C994E3E60D}".
	Create mutex with name "{BF4FAD76-121A-4972-1463-668D8847FA11}".
	Create mutex with name "{2B1EAAC7-8E9D-9587-F08F-A2992433F6DD}".
	Create mutex with name "{67DC9F31-9A2E-31AD-DC8B-6EF5D0EF82F9}".
	Network	Connect to remote host
	Outgoing TCP connection to host "193.23.244.244:443".