Analysis Overview
SHA256
0eda80c7f56ee8ebbefcaebaf92f9bd4374249076cce2db1361b8292c7537ff2
Threat Level: Known bad
The file wynwormi (1).js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 06:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 06:41
Reported
2022-11-01 06:43
Platform
win7-20220812-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZX6S7BKN8U.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZX6S7BKN8U.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynwormi (1).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynwormi (1).js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\YQUCHB7BKJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynwormi (1).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 688 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 1980 wrote to memory of 688 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 1980 wrote to memory of 688 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 688 wrote to memory of 1620 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 688 wrote to memory of 1620 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 688 wrote to memory of 1620 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynwormi (1).js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZX6S7BKN8U.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZX6S7BKN8U.js"
Network
| Country | Destination | Domain | Proto |
| NL | 45.139.105.174:6605 | 45.139.105.174 | tcp |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 107.160.74.131:443 | files.catbox.moe | tcp |
| US | 107.160.74.131:443 | files.catbox.moe | tcp |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| NL | 45.139.105.174:7670 | tcp |
Files
memory/1980-54-0x000007FEFB831000-0x000007FEFB833000-memory.dmp
memory/688-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ZX6S7BKN8U.js
| MD5 | 3d8c14e2a64c3fca48e9b06ee1ae3350 |
| SHA1 | e5eb776289ddb44203c564cda9c2c00f1485b079 |
| SHA256 | ed912ccf4f283846786993b1866a0ab07d70d11c9e88c2174fd2986130dda059 |
| SHA512 | f2759ffcbfd99bf6921aab0afe7e2506a898e17a3c7f700e392da816556e8e74242a2355830af0e1b0851cfa2443e502db6f9221ee6f3ec28ef4d13d5e900a26 |
memory/1620-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ZX6S7BKN8U.js
| MD5 | 3d8c14e2a64c3fca48e9b06ee1ae3350 |
| SHA1 | e5eb776289ddb44203c564cda9c2c00f1485b079 |
| SHA256 | ed912ccf4f283846786993b1866a0ab07d70d11c9e88c2174fd2986130dda059 |
| SHA512 | f2759ffcbfd99bf6921aab0afe7e2506a898e17a3c7f700e392da816556e8e74242a2355830af0e1b0851cfa2443e502db6f9221ee6f3ec28ef4d13d5e900a26 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZX6S7BKN8U.js
| MD5 | 3d8c14e2a64c3fca48e9b06ee1ae3350 |
| SHA1 | e5eb776289ddb44203c564cda9c2c00f1485b079 |
| SHA256 | ed912ccf4f283846786993b1866a0ab07d70d11c9e88c2174fd2986130dda059 |
| SHA512 | f2759ffcbfd99bf6921aab0afe7e2506a898e17a3c7f700e392da816556e8e74242a2355830af0e1b0851cfa2443e502db6f9221ee6f3ec28ef4d13d5e900a26 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-01 06:41
Reported
2022-11-01 06:43
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynwormi (1).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynwormi (1).js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YQUCHB7BKJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynwormi (1).js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynwormi (1).js"
Network
| Country | Destination | Domain | Proto |
| NL | 45.139.105.174:6605 | 45.139.105.174 | tcp |
| US | 93.184.220.29:80 | tcp | |
| NL | 95.101.78.82:80 | tcp | |
| NL | 95.101.78.82:80 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| FR | 51.11.192.48:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp |