Analysis Overview
SHA256
d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13
Threat Level: Known bad
The file CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE WSHRAT CnC Checkin
Vjw0rm
WSHRAT
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-19 08:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-19 08:27
Reported
2021-10-19 08:29
Platform
win7-en-20210920
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Vjw0rm
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1768 wrote to memory of 524 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1768 wrote to memory of 524 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1768 wrote to memory of 524 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1768 wrote to memory of 528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1768 wrote to memory of 528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1768 wrote to memory of 528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 528 wrote to memory of 880 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 528 wrote to memory of 880 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 528 wrote to memory of 880 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| US | 8.8.8.8:53 | faxjohn01.dyn.ddnss.de | udp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
Files
memory/1768-53-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
memory/524-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js
| MD5 | b1723af127d01881617d42e94db1a187 |
| SHA1 | 02e312b6a5a1c47baa9dda51a2d887bda2a41d34 |
| SHA256 | 1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3 |
| SHA512 | 5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d |
memory/528-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js
| MD5 | 8c7d90878061ce94f70b41a3d2678379 |
| SHA1 | 7d08d5be9c64a49ccfeeb14aee806cb017d941db |
| SHA256 | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13 |
| SHA512 | e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792 |
memory/880-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js
| MD5 | 8c7d90878061ce94f70b41a3d2678379 |
| SHA1 | 7d08d5be9c64a49ccfeeb14aee806cb017d941db |
| SHA256 | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13 |
| SHA512 | e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792 |
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js
| MD5 | b1723af127d01881617d42e94db1a187 |
| SHA1 | 02e312b6a5a1c47baa9dda51a2d887bda2a41d34 |
| SHA256 | 1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3 |
| SHA512 | 5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js
| MD5 | b1723af127d01881617d42e94db1a187 |
| SHA1 | 02e312b6a5a1c47baa9dda51a2d887bda2a41d34 |
| SHA256 | 1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3 |
| SHA512 | 5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d |
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-19 08:27
Reported
2021-10-19 08:29
Platform
win10-en-20211014
Max time kernel
147s
Max time network
147s
Command Line
Signatures
Vjw0rm
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPVN - PO 1910450087085-03 - C = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\CPVN - PO 1910450087085-03 - C.P Vi?t Nam - CPV-01.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\fSHKTxYIwQ.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 16/10/2021|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4024 wrote to memory of 416 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4024 wrote to memory of 416 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4024 wrote to memory of 3348 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4024 wrote to memory of 3348 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3348 wrote to memory of 4372 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3348 wrote to memory of 4372 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.109.12.19:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | faxjohn01.dyn.ddnss.de | udp |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| NL | 212.193.30.51:1251 | faxjohn01.dyn.ddnss.de | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp |
Files
memory/416-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js
| MD5 | b1723af127d01881617d42e94db1a187 |
| SHA1 | 02e312b6a5a1c47baa9dda51a2d887bda2a41d34 |
| SHA256 | 1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3 |
| SHA512 | 5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d |
memory/3348-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js
| MD5 | 8c7d90878061ce94f70b41a3d2678379 |
| SHA1 | 7d08d5be9c64a49ccfeeb14aee806cb017d941db |
| SHA256 | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13 |
| SHA512 | e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792 |
memory/4372-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPVN - PO 1910450087085-03 - C.P Việt Nam - CPV-01.js
| MD5 | 8c7d90878061ce94f70b41a3d2678379 |
| SHA1 | 7d08d5be9c64a49ccfeeb14aee806cb017d941db |
| SHA256 | d52a0835e1845e89e134b1701d39b4f1fe4091814d9c1746f2f722599328dd13 |
| SHA512 | e510040078a0dc4b305abaf1a6d33d44f871f77f91c90c721c810fbb629b3c633e44654193bebd9b4bf537b9d124696432f808bdfbc60daf7c49e206eadb0792 |
C:\Users\Admin\AppData\Roaming\fSHKTxYIwQ.js
| MD5 | b1723af127d01881617d42e94db1a187 |
| SHA1 | 02e312b6a5a1c47baa9dda51a2d887bda2a41d34 |
| SHA256 | 1b004dc8d63c6e9d0084e8fcfe952fad9a0b2355593dfdb8aab585ef3d74e9f3 |
| SHA512 | 5fb793b239795ffee051cade8464c0c98881c3ac4206dd671e8ea41f2ca9e4c06d0b368dcf5eeaaee62d23510a5e81a251dc282e49a025b9682e40cac0b9ed4d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSHKTxYIwQ.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |