Analysis Overview
SHA256
1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
Threat Level: Known bad
The file PO MFG ORDER W124494 - 2021-10-18 0009.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-19 08:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-19 08:32
Reported
2021-10-19 08:34
Platform
win7-en-20210920
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target | Count |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js | C:\Windows\System32\wscript.exe | N/A | 2 |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js | C:\Windows\system32\wscript.exe | N/A | 1 |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js | C:\Windows\System32\wscript.exe | N/A | 1 |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js | C:\Windows\System32\wscript.exe | N/A | 1 |
Both scripts are copied into the per-user Startup folder, so they start at every interactive logon independently of the Run values below. Throughout this report the lowercase path C:\Windows\system32\wscript.exe denotes the initial process (PID 1356 in the WriteProcessMemory events) and C:\Windows\System32\wscript.exe the instances it spawned.
Adds Run key to start application
| Description | Indicator | Process | Target | Count |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A | 2 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\System32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\System32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\system32\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\JDopwXUrEP.js\"" | C:\Windows\System32\wscript.exe | N/A | 2 |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\system32\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A | 1 |
Three Run values result. The value named after the lure file is written under both HKCU and HKLM and runs wscript.exe //B on the copy under AppData\Roaming (//B is WSH batch mode, which suppresses script-error dialogs); the HKLM write only succeeds with administrative rights, so on a standard-user host just the HKCU value would land. SEJOKAOI5S points at JDopwXUrEP.js with no host executable, so at logon it depends on the .js file association. The lure-named values are written both by the initial process and by the copy it launched from AppData\Roaming: the same script re-runs its persistence each time it starts. The report renders value data with JSON-style escapes (\" and \\); the data on disk is the unescaped string.
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target | Count |
| HTTP User-Agent header | `WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript` | N/A | N/A | 29 |
The same header was sent 29 times during the run. It is pipe-delimited: the family tag WSHRAT, a per-victim ID (DCE526E0), the hostname (JZCKHXIN), the username (Admin), the OS string, the literal plus, the AV field (nan-av, i.e. no product found), a boolean followed by the guest's date (false - 19/10/2021), and the script engine (JavaScript). This reading of the fields follows the Houdini/Hworm beacon layout that WSHRAT is derived from; the report itself only shows the raw value. For matching, key on the fixed parts (the WSHRAT prefix, plus, the " - " date separator, the JavaScript suffix): the ID, hostname and date vary per victim, and the date comes from the guest clock (the Windows 10 run below reports 22/10/2021 for the same submission day).
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target | Count |
| PID 1356 wrote to memory of 648 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3 |
| PID 1356 wrote to memory of 1468 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3 |
| PID 1468 wrote to memory of 1072 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe | 3 |
Each event is a wscript.exe instance writing into a wscript.exe instance it spawned: 1356 (the initial process) starts 648 and 1468, and 1468 starts 1072, which gives the four wscript.exe entries under Processes. Writes of this kind occur routinely when a parent creates a child, which is what this heuristic reacts to; they are not evidence of injection into a foreign process. The mapping.dmp entries under Files are keyed by the same child PIDs (648, 1468 and 1072).
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp | 2 |
| US | 8.8.8.8:53 | fax-joh.dyn-ip24.de | udp | 1 |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp | 36 |
| NL | 31.210.20.224:20224 | fax-joh.dyn-ip24.de | tcp | 29 |
Two C2 endpoints, both hostnames under the dynamic-DNS domains duia.ro and dyn-ip24.de and both resolved through 8.8.8.8: gameserver-789.duia.ro on 23.105.131.203:6789 and fax-joh.dyn-ip24.de on 31.210.20.224:20224. The sample alternates between them for the whole 154 s run (65 TCP connections in total), which fits a check-in loop rather than a one-off download. The report records only the User-Agent header from these exchanges, not the request bodies.
Files
The copies of the lure script under AppData\Roaming and in the Startup folder carry the same hashes as the submitted sample, and both copies of JDopwXUrEP.js share one set of hashes, so the file hashes identify the persisted copies as well as the original.
memory/1356-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp
memory/648-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js
| MD5 | a1fdbd734df28b3f6fb27e2ce94cf4e3 |
| SHA1 | 52c0d7adbc91254fbb991e14917917b607de3bf2 |
| SHA256 | 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051 |
| SHA512 | ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e |
memory/1468-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js
| MD5 | 225bff43c2aa2095bbc11f358628e2a1 |
| SHA1 | 81645b5fa0518200da4b145cb3428e702cb76244 |
| SHA256 | 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be |
| SHA512 | af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1 |
memory/1072-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js
| MD5 | 225bff43c2aa2095bbc11f358628e2a1 |
| SHA1 | 81645b5fa0518200da4b145cb3428e702cb76244 |
| SHA256 | 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be |
| SHA512 | af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js
| MD5 | a1fdbd734df28b3f6fb27e2ce94cf4e3 |
| SHA1 | 52c0d7adbc91254fbb991e14917917b607de3bf2 |
| SHA256 | 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051 |
| SHA512 | ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e |
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-19 08:32
Reported
2021-10-19 08:34
Platform
win10-en-20211014
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target | Count |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js | C:\Windows\System32\wscript.exe | N/A | 1 |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js | C:\Windows\System32\wscript.exe | N/A | 1 |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js | C:\Windows\System32\wscript.exe | N/A | 2 |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js | C:\Windows\system32\wscript.exe | N/A | 1 |
Same Startup-folder copies as on Windows 7; the per-user Startup folder needs no elevated rights.
Adds Run key to start application
| Description | Indicator | Process | Target | Count |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System32\wscript.exe | N/A | 2 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\JDopwXUrEP.js\"" | C:\Windows\System32\wscript.exe | N/A | 2 |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\System32\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\system32\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\system32\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" | C:\Windows\System32\wscript.exe | N/A | 1 |
The same three Run values as in behavioral1: HKCU and HKLM entries named after the lure file that launch wscript.exe //B on the AppData\Roaming copy, and SEJOKAOI5S for JDopwXUrEP.js, written by both the initial process (lowercase system32 path) and the copy it launched.
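One way to turn the persistence entries above (the Run values in this run and in behavioral1, and the Startup-folder drops) into a check that runs over exported registry values and file paths. This is an added example by the editor, not code from the report or from the sample. The input entries are constructed here from the report's own value data, unescaped, plus a benign program entry and a benign Startup-folder file for contrast; the function names and the reason labels are this example's own.

```python
"""Flag WSH-script autoruns of the shape this sample writes.

Added example; not code from the sandbox report or the sample. The sample
entries below are constructed from the report's Run values and Startup-folder
paths (unescaped), plus benign entries for contrast.
"""
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Run value data as the sample writes it: optional wscript/cscript host, optional
# WSH switches such as //B, then a quoted or bare path with a WSH extension.
_RUN_RE = re.compile(
    r'^\s*'
    r'(?:"?(?P<host>(?:[A-Za-z]:\\[^"\s]*\\)?[wc]script\.exe)"?\s+)?'
    r'(?P<flags>(?:/{1,2}[A-Za-z]:?\S*\s+)*)'
    r'"?(?P<path>[^"]+?\.(?:js|jse|vbs|vbe|wsf|wsh))"?'
    r'\s*$',
    re.IGNORECASE,
)
_USER_PROFILE = re.compile(r'\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\', re.IGNORECASE)
_STARTUP_SCRIPT = re.compile(
    r'\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:js|jse|vbs|vbe|wsf|wsh)$', re.IGNORECASE
)


class Finding(NamedTuple):
    source: str            # registry value or file that was inspected
    reasons: Tuple[str, ...]


def assess_run_value(key_path: str, name: str, data: str) -> Optional[Finding]:
    """Return a Finding if a Run value launches a WSH script, else None."""
    m = _RUN_RE.match(data)
    if m is None:
        return None                                   # not a script launch; out of scope here
    reasons = ["wsh_script_autorun"]
    if _USER_PROFILE.search(m["path"]):
        reasons.append("script_in_user_profile")      # AppData\Roaming, as in the report
    if re.search(r'/{1,2}b\b', m["flags"], re.IGNORECASE):
        reasons.append("batch_mode_hides_errors")     # //B suppresses WSH error dialogs
    if not m["host"]:
        reasons.append("relies_on_js_file_association")  # bare path: handler comes from the .js association
    if key_path.upper().startswith(("HKLM", r"\REGISTRY\MACHINE")):
        reasons.append("machine_wide_run_key")        # needs admin rights to write
    return Finding(f"{key_path}\\{name}", tuple(reasons))


def assess_startup_file(path: str) -> Optional[Finding]:
    """Return a Finding for a WSH script dropped into a Startup folder."""
    if _STARTUP_SCRIPT.search(path):
        return Finding(path, ("wsh_script_in_startup_folder",))
    return None


def scan(run_values: Sequence[Tuple[str, str, str]], startup_files: Sequence[str]) -> List[Finding]:
    findings = [f for f in (assess_run_value(*rv) for rv in run_values) if f]
    findings += [f for f in map(assess_startup_file, startup_files) if f]
    return findings


# --- constructed input, values taken from the report -------------------------
HKU_RUN = r"HKU\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LURE = r"C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"
SECOND = r"C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"

SAMPLE_RUN_VALUES = [
    (HKU_RUN, "PO MFG ORDER W124494 - 2021-10-18 0009", 'wscript.exe //B "' + LURE + '"'),
    (HKLM_RUN, "PO MFG ORDER W124494 - 2021-10-18 0009", 'wscript.exe //B "' + LURE + '"'),
    (HKU_RUN, "SEJOKAOI5S", '"' + SECOND + '"'),
    # benign, constructed: a program in the profile but not a script; must not be flagged
    (HKU_RUN, "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",  # benign, constructed
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES):
        print(finding.source, "->", ", ".join(finding.reasons))
```

The reasons are kept separate rather than collapsed into one verdict so that a triage rule can weight them: a script under AppData launched in batch mode is the strong signal, while machine_wide_run_key on its own just says the writer had administrative rights.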
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target | Count |
| HTTP User-Agent header | `WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 22/10/2021|JavaScript` | N/A | N/A | 29 |
Sent 29 times, with the same layout as in the Windows 7 run; only the per-victim fields differ (ID DA5D582B, hostname JQKTJDNJ, OS string). The date field reads 22/10/2021 although the submission was on 2021-10-19, which confirms it is taken from the guest clock and should not be used for matching.
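The header above is the sample's check-in beacon. As an added example by the editor (not code from the report or the sample), the following parses it into fields and pulls indicators out of proxy logs; it covers the Windows 7 header in behavioral1 as well. The field names are the editor's reading of the Houdini/Hworm-style layout that WSHRAT inherits (family tag, per-victim ID, hostname, username, OS, the literal plus, AV name, a spreading flag with the guest's date, script engine) and are an assumption, not something the report states. The log lines are constructed: the report gives the headers and the C2 endpoints but no request URLs, so the URL paths here are placeholders.

```python
"""Parse the WSHRAT check-in User-Agent and pull indicators out of proxy logs.

Added example; not code from the sandbox report or the sample. Field names
follow the editor's reading of the Houdini/Hworm-style layout WSHRAT inherits
and are an assumption. The log lines are constructed: the report gives the
headers and the C2 endpoints but no request URLs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Beacon:
    family: str        # literal "WSHRAT"
    hwid: str          # per-victim identifier
    hostname: str
    username: str
    os: str
    tier: str          # literal "plus" in both headers in the report; meaning assumed
    antivirus: str     # "nan-av" when no AV product was found
    spread_flag: bool  # assumed: the Houdini-style USB-spreading switch
    date: str          # taken from the guest clock, so unstable across hosts
    engine: str        # "JavaScript"


def parse_wshrat_ua(ua: str) -> Optional[Beacon]:
    """Return the decoded beacon, or None if the header is not WSHRAT-shaped."""
    parts = ua.split("|")
    if len(parts) != 9 or parts[0] != "WSHRAT":
        return None
    flag, sep, date = parts[7].partition(" - ")
    if not sep:
        return None
    return Beacon(
        family=parts[0], hwid=parts[1], hostname=parts[2], username=parts[3],
        os=parts[4].strip(), tier=parts[5], antivirus=parts[6],
        spread_flag=(flag.strip().lower() == "true"), date=date.strip(),
        engine=parts[8],
    )


# Proxy log line: timestamp, client IP, method, URL, quoted User-Agent.
_LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    c2: str           # host:port part of the URL
    beacon: Beacon


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per log line whose User-Agent decodes as a WSHRAT beacon."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if m is None:
            continue
        beacon = parse_wshrat_ua(m["ua"])
        if beacon is None:
            continue
        c2 = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
        hits.append(Hit(m["ts"], m["client"], c2, beacon))
    return hits


def unique_c2(hits: List[Hit]) -> List[str]:
    """Distinct host:port endpoints contacted by beaconing clients."""
    return sorted({h.c2 for h in hits})


# Constructed log: the two headers from the report plus one ordinary browser request.
SAMPLE_LOG = """\
2021-10-19T08:33:02Z 10.0.2.15 POST http://gameserver-789.duia.ro:6789/ "WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript"
2021-10-19T08:33:05Z 10.0.2.15 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"
2021-10-19T08:33:40Z 10.0.2.16 POST http://fax-joh.dyn-ip24.de:20224/ "WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 22/10/2021|JavaScript"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        b = hit.beacon
        print(f"{hit.ts} {hit.client} -> {hit.c2}: hwid={b.hwid} host={b.hostname} os={b.os!r} av={b.antivirus}")
```

The detection is structural (nine pipe-separated fields, the WSHRAT prefix, the " - " date separator) rather than a match on any one victim's values, so it holds across hosts even though the ID, hostname and date change; the decoded fields then give the analyst the victim hostname and AV status straight from the proxy log.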
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target | Count |
| PID 3504 wrote to memory of 3460 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 2 |
| PID 3504 wrote to memory of 4056 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 2 |
| PID 4056 wrote to memory of 4524 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe | 2 |
Same parent-to-child pattern as on Windows 7: the initial process 3504 spawns 3460 and 4056, and 4056 spawns 4524. These are the writes a parent makes into a child it has just created, not injection into a foreign process; the mapping.dmp entries under Files are keyed by the same child PIDs.
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | fax-joh.dyn-ip24.de | udp | 1 |
| US | 8.8.8.8:53 | gameserver-789.duia.ro | udp | 1 |
| US | 8.8.8.8:53 | time.windows.com | udp | 1 |
| NL | 20.101.57.9:123 | time.windows.com | udp | 1 |
| US | 23.105.131.203:6789 | gameserver-789.duia.ro | tcp | 36 |
| NL | 31.210.20.224:20224 | fax-joh.dyn-ip24.de | tcp | 29 |
The same two C2 endpoints and the same alternating check-in pattern as on Windows 7 (65 TCP connections in 150 s). The time.windows.com lookup and the NTP exchange with 20.101.57.9:123 are the Windows 10 guest's own time synchronisation, not sample traffic.
Files
memory/3460-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js
| MD5 | a1fdbd734df28b3f6fb27e2ce94cf4e3 |
| SHA1 | 52c0d7adbc91254fbb991e14917917b607de3bf2 |
| SHA256 | 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051 |
| SHA512 | ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e |
memory/4056-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js
| MD5 | 225bff43c2aa2095bbc11f358628e2a1 |
| SHA1 | 81645b5fa0518200da4b145cb3428e702cb76244 |
| SHA256 | 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be |
| SHA512 | af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1 |
memory/4524-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js
| MD5 | 225bff43c2aa2095bbc11f358628e2a1 |
| SHA1 | 81645b5fa0518200da4b145cb3428e702cb76244 |
| SHA256 | 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be |
| SHA512 | af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js
| MD5 | a1fdbd734df28b3f6fb27e2ce94cf4e3 |
| SHA1 | 52c0d7adbc91254fbb991e14917917b607de3bf2 |
| SHA256 | 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051 |
| SHA512 | ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e |