Analysis Overview
SHA256
27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953
Threat Level: Known bad
The file 27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953 was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-30 15:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-30 15:51
Reported
2022-01-30 21:17
Platform
win7-en-20211208
Max time kernel
158s
Max time network
157s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 30/1/2022|JavaScript-v1.3 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 964 wrote to memory of 468 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 964 wrote to memory of 1820 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1820 wrote to memory of 1696 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8896wsh.ddns.net | udp |
| US | 8.8.8.8:53 | unknownsoft.duckdns.org | udp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js
| MD5 | 8456951c972471f558412b57a569948f |
| SHA1 | b37fff6b315ce195d6beea07983218ba668a900f |
| SHA256 | 1537d05749ad41248c7f246da241d6acb10a17819ee34e8ffeee6dbd4c146ddd |
| SHA512 | 5d3e0b28b2c25fdc78f9b52fe4942b16d4a89696a7d403afd36df7dbf64729cfeb9287561854cffbe4ecce13efb506bf117ed0ab2fdb73044416d416c08619b4 |
memory/964-57-0x00000000044B0000-0x0000000004CA0000-memory.dmp
memory/468-56-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp
memory/468-58-0x0000000004340000-0x0000000004342000-memory.dmp
C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js
| MD5 | 3e1d45dd6fef116c4a45cc81997027dc |
| SHA1 | a2cd3a0ecc900664510a9c3e2ff00faa943d3d6b |
| SHA256 | 4eb6e69e7df76b5e84ecc4dc6f569fe2ad0f9763fc015014c2b23aa1c82f7332 |
| SHA512 | 4d9052a10888af2c0feb5ec301681736b3c3374e84733d5edef5f7d026ab951b1e69760c72e53fc904b58733ea0fb680787980e0a7aacbc3051be85a34df3fd4 |
memory/1820-60-0x0000000004220000-0x0000000004222000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js
| MD5 | fdc6ee34b65ad00cbcb5751e28951f1b |
| SHA1 | 59a4d605c4bbfd952f90baf96f3915a7abd1cf6d |
| SHA256 | 17260a9be83c6dac6a902da7f5df125bb5de0a56607f75390fca5da20ace87c0 |
| SHA512 | 82dfcc7c04c1a5bf7552ef2ca03add3b20e901ed7ada3d5f021ecb6c303f8c3f7cd7319204318930f09605fc8a59140d3fceb9bc11f5e3a120e05178fab90660 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-30 15:51
Reported
2022-01-30 21:17
Platform
win10-en-20211208
Max time kernel
155s
Max time network
171s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gfjtkqqyNj.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ2019240611111111111111_ENQUIRY19995C_PDF = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\gfjtkqqyNj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gfjtkqqyNj.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | WSHRAT|2C782127|EZNBLWLT|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 10/12/2021|JavaScript-v1.3 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2772 wrote to memory of 4028 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2772 wrote to memory of 620 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 620 wrote to memory of 1396 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | unknownsoft.duckdns.org | udp |
| US | 8.8.8.8:53 | 8896wsh.ddns.net | udp |
| US | 192.169.69.25:7755 | unknownsoft.duckdns.org | tcp |
Files
memory/2772-118-0x000001C807EA6000-0x000001C808B40000-memory.dmp
C:\Users\Admin\AppData\Roaming\gfjtkqqyNj.js
| MD5 | 8456951c972471f558412b57a569948f |
| SHA1 | b37fff6b315ce195d6beea07983218ba668a900f |
| SHA256 | 1537d05749ad41248c7f246da241d6acb10a17819ee34e8ffeee6dbd4c146ddd |
| SHA512 | 5d3e0b28b2c25fdc78f9b52fe4942b16d4a89696a7d403afd36df7dbf64729cfeb9287561854cffbe4ecce13efb506bf117ed0ab2fdb73044416d416c08619b4 |
C:\Users\Admin\AppData\Roaming\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js
| MD5 | 3e1d45dd6fef116c4a45cc81997027dc |
| SHA1 | a2cd3a0ecc900664510a9c3e2ff00faa943d3d6b |
| SHA256 | 4eb6e69e7df76b5e84ecc4dc6f569fe2ad0f9763fc015014c2b23aa1c82f7332 |
| SHA512 | 4d9052a10888af2c0feb5ec301681736b3c3374e84733d5edef5f7d026ab951b1e69760c72e53fc904b58733ea0fb680787980e0a7aacbc3051be85a34df3fd4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\wscript.exe.log
| MD5 | b3ac9d09e3a47d5fd00c37e075a70ecb |
| SHA1 | ad14e6d0e07b00bd10d77a06d68841b20675680b |
| SHA256 | 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432 |
| SHA512 | 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316 |
memory/4028-150-0x000001D224880000-0x000001D224882000-memory.dmp
memory/620-152-0x00000285C0E36000-0x00000285C1BE0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ2019240611111111111111_ENQUIRY19995C_PDF.js
| MD5 | 3e1d45dd6fef116c4a45cc81997027dc |
| SHA1 | a2cd3a0ecc900664510a9c3e2ff00faa943d3d6b |
| SHA256 | 4eb6e69e7df76b5e84ecc4dc6f569fe2ad0f9763fc015014c2b23aa1c82f7332 |
| SHA512 | 4d9052a10888af2c0feb5ec301681736b3c3374e84733d5edef5f7d026ab951b1e69760c72e53fc904b58733ea0fb680787980e0a7aacbc3051be85a34df3fd4 |