Analysis Overview
SHA256
b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd
Threat Level: Known bad
The file b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-01-21 23:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-01-21 23:18
Reported: 2022-01-22 00:17
Platform: win7-en-20211208
Max time kernel: 158s
Max time network: 160s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | WSHRAT\|8C677431\|QSKGHMYQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 22/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|8C677431\|QSKGHMYQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 22/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|8C677431\|QSKGHMYQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 22/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|8C677431\|QSKGHMYQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 22/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|8C677431\|QSKGHMYQ\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 22/1/2022\|JavaScript-v1.3 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 812 wrote to memory of 1644 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 812 wrote to memory of 1644 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 812 wrote to memory of 1644 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\GH2-19062016_PO_TOP URGENT.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ghostwsh4191.ddns.net | udp |
| US | 8.8.8.8:53 | unknownsoft.duckdns.org | udp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
Files
memory/812-55-0x0000000003FB0000-0x0000000003FB2000-memory.dmp
C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js
| Hash | Value |
|---|---|
| MD5 | 018f2941af58337d85db9b0720be1eb2 |
| SHA1 | b55e33bf1763c1424960c5d27e5ce5a9dd12b0f6 |
| SHA256 | 01002e1147978d69e578423c67e0f252c2918949b4c2442ba9342cf2a34545d4 |
| SHA512 | 851ad74b58b4b24b756beae67f62d9aa3159ce1309aaf79b6112029339a46ad604cf46aa8535f7fcce0770014da57edfe0931daa5532f6da5bc6ba32664dd7f4 |
memory/1644-57-0x0000000004270000-0x00000000047C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-01-21 23:18
Reported: 2022-01-22 00:16
Platform: win10-en-20211208
Max time kernel: 151s
Max time network: 164s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GH2-19062016_PO_TOP URGENT.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gXuCYRVlKo.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gXuCYRVlKo = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gXuCYRVlKo.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\GH2-19062016_PO_TOP URGENT = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GH2-19062016_PO_TOP URGENT.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | WSHRAT\|A441E75A\|MHKKHUYI\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 25/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|A441E75A\|MHKKHUYI\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 25/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|A441E75A\|MHKKHUYI\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 25/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|A441E75A\|MHKKHUYI\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 25/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|A441E75A\|MHKKHUYI\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 25/1/2022\|JavaScript-v1.3 | N/A | N/A |
| HTTP User-Agent header | WSHRAT\|A441E75A\|MHKKHUYI\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 25/1/2022\|JavaScript-v1.3 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2424 wrote to memory of 988 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2424 wrote to memory of 988 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\GH2-19062016_PO_TOP URGENT.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ghostwsh4191.ddns.net | udp |
| US | 8.8.8.8:53 | unknownsoft.duckdns.org | udp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
| US | 184.105.237.199:4191 | ghostwsh4191.ddns.net | tcp |
Files
memory/2424-122-0x0000020771410000-0x0000020772100000-memory.dmp
C:\Users\Admin\AppData\Roaming\gXuCYRVlKo.js
| Hash | Value |
|---|---|
| MD5 | 018f2941af58337d85db9b0720be1eb2 |
| SHA1 | b55e33bf1763c1424960c5d27e5ce5a9dd12b0f6 |
| SHA256 | 01002e1147978d69e578423c67e0f252c2918949b4c2442ba9342cf2a34545d4 |
| SHA512 | 851ad74b58b4b24b756beae67f62d9aa3159ce1309aaf79b6112029339a46ad604cf46aa8535f7fcce0770014da57edfe0931daa5532f6da5bc6ba32664dd7f4 |
memory/988-140-0x0000014F97B3B000-0x0000014F98760000-memory.dmp