Analysis Overview
SHA256
1f7e9c6aed2b8cb929e3677818bd2b72142254e17f79007f984bb1b8472d99c8
Threat Level: Known bad
The file 1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
WSHRAT
Blocklisted process makes network request
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-23 20:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-23 20:27
Reported
2021-12-23 20:29
Platform
win7-en-20211208
Max time kernel
150s
Max time network
152s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daRAjcxavC.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daRAjcxavC.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaxFiles_2019_ref_284942.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaxFiles_2019_ref_284942.js | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\daRAjcxavC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\daRAjcxavC.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\daRAjcxavC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\daRAjcxavC.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 23/12/2021|JavaScript-v1.6 | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe
"C:\Users\Admin\AppData\Local\Temp\1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TaxFiles_2019_ref_284942.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\daRAjcxavC.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\TaxFiles_2019_ref_284942.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\daRAjcxavC.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | strserver1.duckdns.org | udp |
| US | 192.169.69.25:8001 | strserver1.duckdns.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | jrandjcpa.org | udp |
| EE | 91.193.75.222:1196 | jrandjcpa.org | tcp |
Files
memory/1664-54-0x00000000763F1000-0x00000000763F3000-memory.dmp
memory/1692-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TaxFiles_2019_ref_284942.js
| MD5 | 6399f172fd1d3ca4610da57564062a13 |
| SHA1 | 8e532b93681ced362ae8449401d881fbfe45cb38 |
| SHA256 | d9b0cac938b0bb20cd1a621b1767fad9432ecb850e81cfc24352aa383f6593b4 |
| SHA512 | d7d13962861603936652d4159b1bd2253e0dbc7333fa37d3ffcd35f3441e5164196c392d9bd7885ef0bdda73d517afa8a6708923c77b4588869026afc08487ef |
memory/1488-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\daRAjcxavC.js
| MD5 | bbd665c7c8905ee6d6180a4504b62331 |
| SHA1 | 937af9dcb6cd0bd373921c38db290ce9d1c15723 |
| SHA256 | 7c3c1a64592b99aa9d83c993f26f1afa54936e20d0f05debdbaeeab8665f331c |
| SHA512 | f4432cb9b30b10fd372e48cab4bdf01bbd57e93944ac48fc8007a2ebf21f6eb4d908d7c56f7a41721d0daf675fcdc436610cd6b1fa48b1d19a2d6513b53e03eb |
memory/1104-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\TaxFiles_2019_ref_284942.js
| MD5 | 6399f172fd1d3ca4610da57564062a13 |
| SHA1 | 8e532b93681ced362ae8449401d881fbfe45cb38 |
| SHA256 | d9b0cac938b0bb20cd1a621b1767fad9432ecb850e81cfc24352aa383f6593b4 |
| SHA512 | d7d13962861603936652d4159b1bd2253e0dbc7333fa37d3ffcd35f3441e5164196c392d9bd7885ef0bdda73d517afa8a6708923c77b4588869026afc08487ef |
memory/1432-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaxFiles_2019_ref_284942.js
| MD5 | 6399f172fd1d3ca4610da57564062a13 |
| SHA1 | 8e532b93681ced362ae8449401d881fbfe45cb38 |
| SHA256 | d9b0cac938b0bb20cd1a621b1767fad9432ecb850e81cfc24352aa383f6593b4 |
| SHA512 | d7d13962861603936652d4159b1bd2253e0dbc7333fa37d3ffcd35f3441e5164196c392d9bd7885ef0bdda73d517afa8a6708923c77b4588869026afc08487ef |
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-23 20:27
Reported
2021-12-23 20:29
Platform
win10-en-20211208
Max time kernel
146s
Max time network
146s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaxFiles_2019_ref_284942.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daRAjcxavC.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\daRAjcxavC.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaxFiles_2019_ref_284942.js | C:\Windows\SysWOW64\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\daRAjcxavC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\daRAjcxavC.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\daRAjcxavC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\daRAjcxavC.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaxFiles_2019_ref_284942 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TaxFiles_2019_ref_284942.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 26/12/2021|JavaScript-v1.6 | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe
"C:\Users\Admin\AppData\Local\Temp\1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TaxFiles_2019_ref_284942.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\daRAjcxavC.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\TaxFiles_2019_ref_284942.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\daRAjcxavC.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | strserver1.duckdns.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | jrandjcpa.org | udp |
| US | 192.169.69.25:8001 | strserver1.duckdns.org | tcp |
| EE | 91.193.75.222:1196 | jrandjcpa.org | tcp |
Files
memory/1020-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TaxFiles_2019_ref_284942.js
| MD5 | 6399f172fd1d3ca4610da57564062a13 |
| SHA1 | 8e532b93681ced362ae8449401d881fbfe45cb38 |
| SHA256 | d9b0cac938b0bb20cd1a621b1767fad9432ecb850e81cfc24352aa383f6593b4 |
| SHA512 | d7d13962861603936652d4159b1bd2253e0dbc7333fa37d3ffcd35f3441e5164196c392d9bd7885ef0bdda73d517afa8a6708923c77b4588869026afc08487ef |
memory/644-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\daRAjcxavC.js
| MD5 | bbd665c7c8905ee6d6180a4504b62331 |
| SHA1 | 937af9dcb6cd0bd373921c38db290ce9d1c15723 |
| SHA256 | 7c3c1a64592b99aa9d83c993f26f1afa54936e20d0f05debdbaeeab8665f331c |
| SHA512 | f4432cb9b30b10fd372e48cab4bdf01bbd57e93944ac48fc8007a2ebf21f6eb4d908d7c56f7a41721d0daf675fcdc436610cd6b1fa48b1d19a2d6513b53e03eb |
memory/620-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\TaxFiles_2019_ref_284942.js
| MD5 | 6399f172fd1d3ca4610da57564062a13 |
| SHA1 | 8e532b93681ced362ae8449401d881fbfe45cb38 |
| SHA256 | d9b0cac938b0bb20cd1a621b1767fad9432ecb850e81cfc24352aa383f6593b4 |
| SHA512 | d7d13962861603936652d4159b1bd2253e0dbc7333fa37d3ffcd35f3441e5164196c392d9bd7885ef0bdda73d517afa8a6708923c77b4588869026afc08487ef |
memory/3772-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaxFiles_2019_ref_284942.js
| MD5 | 6399f172fd1d3ca4610da57564062a13 |
| SHA1 | 8e532b93681ced362ae8449401d881fbfe45cb38 |
| SHA256 | d9b0cac938b0bb20cd1a621b1767fad9432ecb850e81cfc24352aa383f6593b4 |
| SHA512 | d7d13962861603936652d4159b1bd2253e0dbc7333fa37d3ffcd35f3441e5164196c392d9bd7885ef0bdda73d517afa8a6708923c77b4588869026afc08487ef |