Analysis Overview
SHA256
e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a
Threat Level: Known bad
The file PO 21.18.0047 -(APPROVAL).js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
WSHRAT
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-18 07:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-18 07:20
Reported
2021-10-18 07:23
Platform
win7-en-20210920
Max time kernel
149s
Max time network
179s
Command Line
Signatures
Vjw0rm
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/10/2021|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 596 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1720 wrote to memory of 596 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1720 wrote to memory of 596 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1720 wrote to memory of 1548 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1720 wrote to memory of 1548 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1720 wrote to memory of 1548 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1548 wrote to memory of 660 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1548 wrote to memory of 660 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1548 wrote to memory of 660 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO 21.18.0047 -(APPROVAL).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO 21.18.0047 -(APPROVAL).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jahblessrtd4ever.home-webserver.de | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
Files
memory/596-53-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\sURhETJCuW.js
| MD5 | 1b42aad624e2912847110be197ac4d15 |
| SHA1 | d334bd3287bb2068345fd4f436cee2c0fabc687a |
| SHA256 | 3aae275c07d7764537c56383c404414ad94689c16dfdbf02c7315f1cc3cd870e |
| SHA512 | 57dbfdaf42cb38e993bb4ab03d2e74919d1d396b9225d99eac3ef39c76fac2d999a7cd2265dc65bf6693ff65863d98b00de7265d54b670b1a680cfcbf9062a8a |
memory/1548-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PO 21.18.0047 -(APPROVAL).js
| MD5 | 8547af690a9b533d6acd08360f5b18d5 |
| SHA1 | fe393629e5df70bcfef741a70432af6c6a528b27 |
| SHA256 | e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a |
| SHA512 | 7dcab08f69aaefd585a31cf3636a6fe252a9efa18dd5e587f269ea5ccb8648a5daaa4c9302bc2a22f35fe48ac590a07b1192d7aed7eb7b2badb801b39b37552d |
memory/660-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js
| MD5 | 8547af690a9b533d6acd08360f5b18d5 |
| SHA1 | fe393629e5df70bcfef741a70432af6c6a528b27 |
| SHA256 | e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a |
| SHA512 | 7dcab08f69aaefd585a31cf3636a6fe252a9efa18dd5e587f269ea5ccb8648a5daaa4c9302bc2a22f35fe48ac590a07b1192d7aed7eb7b2badb801b39b37552d |
C:\Users\Admin\AppData\Roaming\sURhETJCuW.js
| MD5 | 1b42aad624e2912847110be197ac4d15 |
| SHA1 | d334bd3287bb2068345fd4f436cee2c0fabc687a |
| SHA256 | 3aae275c07d7764537c56383c404414ad94689c16dfdbf02c7315f1cc3cd870e |
| SHA512 | 57dbfdaf42cb38e993bb4ab03d2e74919d1d396b9225d99eac3ef39c76fac2d999a7cd2265dc65bf6693ff65863d98b00de7265d54b670b1a680cfcbf9062a8a |
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-18 07:20
Reported
2021-10-18 07:22
Platform
win10-en-20210920
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Vjw0rm
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO 21 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO 21.18.0047 -(APPROVAL).js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\sURhETJCuW.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 21/10/2021|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1688 wrote to memory of 3808 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1688 wrote to memory of 3808 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1688 wrote to memory of 2152 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1688 wrote to memory of 2152 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2152 wrote to memory of 520 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2152 wrote to memory of 520 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO 21.18.0047 -(APPROVAL).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO 21.18.0047 -(APPROVAL).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sURhETJCuW.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | jahblessrtd4ever.home-webserver.de | udp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 2.56.59.91:1604 | jahblessrtd4ever.home-webserver.de | tcp |
Files
memory/3808-115-0x0000000000000000-mapping.dmp
memory/2152-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\sURhETJCuW.js
| MD5 | 1b42aad624e2912847110be197ac4d15 |
| SHA1 | d334bd3287bb2068345fd4f436cee2c0fabc687a |
| SHA256 | 3aae275c07d7764537c56383c404414ad94689c16dfdbf02c7315f1cc3cd870e |
| SHA512 | 57dbfdaf42cb38e993bb4ab03d2e74919d1d396b9225d99eac3ef39c76fac2d999a7cd2265dc65bf6693ff65863d98b00de7265d54b670b1a680cfcbf9062a8a |
C:\Users\Admin\AppData\Roaming\PO 21.18.0047 -(APPROVAL).js
| MD5 | 8547af690a9b533d6acd08360f5b18d5 |
| SHA1 | fe393629e5df70bcfef741a70432af6c6a528b27 |
| SHA256 | e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a |
| SHA512 | 7dcab08f69aaefd585a31cf3636a6fe252a9efa18dd5e587f269ea5ccb8648a5daaa4c9302bc2a22f35fe48ac590a07b1192d7aed7eb7b2badb801b39b37552d |
memory/520-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO 21.18.0047 -(APPROVAL).js
| MD5 | 8547af690a9b533d6acd08360f5b18d5 |
| SHA1 | fe393629e5df70bcfef741a70432af6c6a528b27 |
| SHA256 | e61713ffb39c48f5a162cbd0635b869bbd9b318ee3ac47a5a62490b572752b7a |
| SHA512 | 7dcab08f69aaefd585a31cf3636a6fe252a9efa18dd5e587f269ea5ccb8648a5daaa4c9302bc2a22f35fe48ac590a07b1192d7aed7eb7b2badb801b39b37552d |
C:\Users\Admin\AppData\Roaming\sURhETJCuW.js
| MD5 | 1b42aad624e2912847110be197ac4d15 |
| SHA1 | d334bd3287bb2068345fd4f436cee2c0fabc687a |
| SHA256 | 3aae275c07d7764537c56383c404414ad94689c16dfdbf02c7315f1cc3cd870e |
| SHA512 | 57dbfdaf42cb38e993bb4ab03d2e74919d1d396b9225d99eac3ef39c76fac2d999a7cd2265dc65bf6693ff65863d98b00de7265d54b670b1a680cfcbf9062a8a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sURhETJCuW.js
| MD5 | 1b42aad624e2912847110be197ac4d15 |
| SHA1 | d334bd3287bb2068345fd4f436cee2c0fabc687a |
| SHA256 | 3aae275c07d7764537c56383c404414ad94689c16dfdbf02c7315f1cc3cd870e |
| SHA512 | 57dbfdaf42cb38e993bb4ab03d2e74919d1d396b9225d99eac3ef39c76fac2d999a7cd2265dc65bf6693ff65863d98b00de7265d54b670b1a680cfcbf9062a8a |