Malware Analysis Report

2025-04-14 08:30

Sample ID 220130-tap6aaece3
Target 27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953
SHA256 27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953

Threat Level: Known bad

The file 27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953 was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-30 15:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-30 15:51

Reported

2022-01-30 21:17

Platform

win7-en-20211208

Max time kernel

158s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 30/1/2022|JavaScript-v1.3 N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8896wsh.ddns.net udp
US 8.8.8.8:53 unknownsoft.duckdns.org udp
US 192.169.69.25:7755 unknownsoft.duckdns.org tcp

Files

C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js

MD5 8456951c972471f558412b57a569948f
SHA1 b37fff6b315ce195d6beea07983218ba668a900f
SHA256 1537d05749ad41248c7f246da241d6acb10a17819ee34e8ffeee6dbd4c146ddd
SHA512 5d3e0b28b2c25fdc78f9b52fe4942b16d4a89696a7d403afd36df7dbf64729cfeb9287561854cffbe4ecce13efb506bf117ed0ab2fdb73044416d416c08619b4

memory/964-57-0x00000000044B0000-0x0000000004CA0000-memory.dmp

memory/468-56-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

memory/468-58-0x0000000004340000-0x0000000004342000-memory.dmp

C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

MD5 3e1d45dd6fef116c4a45cc81997027dc
SHA1 a2cd3a0ecc900664510a9c3e2ff00faa943d3d6b
SHA256 4eb6e69e7df76b5e84ecc4dc6f569fe2ad0f9763fc015014c2b23aa1c82f7332
SHA512 4d9052a10888af2c0feb5ec301681736b3c3374e84733d5edef5f7d026ab951b1e69760c72e53fc904b58733ea0fb680787980e0a7aacbc3051be85a34df3fd4

memory/1820-60-0x0000000004220000-0x0000000004222000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

MD5 fdc6ee34b65ad00cbcb5751e28951f1b
SHA1 59a4d605c4bbfd952f90baf96f3915a7abd1cf6d
SHA256 17260a9be83c6dac6a902da7f5df125bb5de0a56607f75390fca5da20ace87c0
SHA512 82dfcc7c04c1a5bf7552ef2ca03add3b20e901ed7ada3d5f021ecb6c303f8c3f7cd7319204318930f09605fc8a59140d3fceb9bc11f5e3a120e05178fab90660

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-30 15:51

Reported

2022-01-30 21:17

Platform

win10-en-20211208

Max time kernel

155s

Max time network

171s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|2C782127|EZNBLWLT|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 10/12/2021|JavaScript-v1.3 N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 4028 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2772 wrote to memory of 620 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 620 wrote to memory of 1396 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 unknownsoft.duckdns.org udp
US 8.8.8.8:53 8896wsh.ddns.net udp
US 192.169.69.25:7755 unknownsoft.duckdns.org tcp

Files

memory/2772-118-0x000001C807EA6000-0x000001C808B40000-memory.dmp

C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js

MD5 8456951c972471f558412b57a569948f
SHA1 b37fff6b315ce195d6beea07983218ba668a900f
SHA256 1537d05749ad41248c7f246da241d6acb10a17819ee34e8ffeee6dbd4c146ddd
SHA512 5d3e0b28b2c25fdc78f9b52fe4942b16d4a89696a7d403afd36df7dbf64729cfeb9287561854cffbe4ecce13efb506bf117ed0ab2fdb73044416d416c08619b4

C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

MD5 3e1d45dd6fef116c4a45cc81997027dc
SHA1 a2cd3a0ecc900664510a9c3e2ff00faa943d3d6b
SHA256 4eb6e69e7df76b5e84ecc4dc6f569fe2ad0f9763fc015014c2b23aa1c82f7332
SHA512 4d9052a10888af2c0feb5ec301681736b3c3374e84733d5edef5f7d026ab951b1e69760c72e53fc904b58733ea0fb680787980e0a7aacbc3051be85a34df3fd4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\wscript.exe.log

MD5 b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1 ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA256 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA512 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

memory/4028-150-0x000001D224880000-0x000001D224882000-memory.dmp

memory/620-152-0x00000285C0E36000-0x00000285C1BE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

MD5 3e1d45dd6fef116c4a45cc81997027dc
SHA1 a2cd3a0ecc900664510a9c3e2ff00faa943d3d6b
SHA256 4eb6e69e7df76b5e84ecc4dc6f569fe2ad0f9763fc015014c2b23aa1c82f7332
SHA512 4d9052a10888af2c0feb5ec301681736b3c3374e84733d5edef5f7d026ab951b1e69760c72e53fc904b58733ea0fb680787980e0a7aacbc3051be85a34df3fd4