Malware Analysis Report

2025-01-18 12:21

Sample ID 221101-p6cgvachhm
Target PO N°CF004303.js
SHA256 63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b
Tags vjw0rm wshrat persistence trojan worm
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b

Threat Level: Known bad

The file PO N°CF004303.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 12:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 12:56

Reported

2022-11-01 12:58

Platform

win7-20220901-en

Max time kernel

150s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\wscript.exe N/A 37

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A 27

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO N°CF004303.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 javaautorun.duia.ro udp 2
NG 41.217.12.189:5465 javaautorun.duia.ro tcp 10
NO 194.5.98.198:1604 194.5.98.198 tcp 27

Files

memory/1056-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

memory/980-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js

MD5 f9332f9e18de0d77598ea6b6ca069da2
SHA1 09f7ba47ca4f682f500b2aa262326d7f60ef1cfa
SHA256 c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99
SHA512 76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac

memory/656-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PO N°CF004303.js

MD5 587ad35d06bccec7b8ff387dc0e5797e
SHA1 f8729b7d69e638887de8de9afd49f134b8c58025
SHA256 63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b
SHA512 9d71e0eda2492f26bbabab0344b9ab8ad9f11955d8b6a0a9ae4cb0486055ceb83afdcd95747c9739c56477b9346366ccc3e8f1f2a63f101a1c75d4d631cdb96c

memory/568-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js

MD5 587ad35d06bccec7b8ff387dc0e5797e
SHA1 f8729b7d69e638887de8de9afd49f134b8c58025
SHA256 63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b
SHA512 9d71e0eda2492f26bbabab0344b9ab8ad9f11955d8b6a0a9ae4cb0486055ceb83afdcd95747c9739c56477b9346366ccc3e8f1f2a63f101a1c75d4d631cdb96c

C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js

MD5 f9332f9e18de0d77598ea6b6ca069da2
SHA1 09f7ba47ca4f682f500b2aa262326d7f60ef1cfa
SHA256 c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99
SHA512 76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js

MD5 f9332f9e18de0d77598ea6b6ca069da2
SHA1 09f7ba47ca4f682f500b2aa262326d7f60ef1cfa
SHA256 c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99
SHA512 76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-01 12:56

Reported

2022-11-01 12:58

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\wscript.exe N/A 37

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO N°CF004303 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO N°CF004303.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A 24

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4692 wrote to memory of 1936 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe 2
PID 4692 wrote to memory of 3220 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe 2
PID 3220 wrote to memory of 1336 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO N°CF004303.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO N°CF004303.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 javaautorun.duia.ro udp 1
NG 41.217.12.189:5465 javaautorun.duia.ro tcp 12
NO 194.5.98.198:1604 194.5.98.198 tcp 24
NO 194.5.98.198:1604 N/A tcp 1
IE 13.69.239.72:443 N/A tcp 1

Files

memory/1936-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js

MD5 f9332f9e18de0d77598ea6b6ca069da2
SHA1 09f7ba47ca4f682f500b2aa262326d7f60ef1cfa
SHA256 c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99
SHA512 76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac

memory/3220-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PO N°CF004303.js

MD5 587ad35d06bccec7b8ff387dc0e5797e
SHA1 f8729b7d69e638887de8de9afd49f134b8c58025
SHA256 63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b
SHA512 9d71e0eda2492f26bbabab0344b9ab8ad9f11955d8b6a0a9ae4cb0486055ceb83afdcd95747c9739c56477b9346366ccc3e8f1f2a63f101a1c75d4d631cdb96c

memory/1336-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\xaRVcbREmE.js

MD5 f9332f9e18de0d77598ea6b6ca069da2
SHA1 09f7ba47ca4f682f500b2aa262326d7f60ef1cfa
SHA256 c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99
SHA512 76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO N°CF004303.js

MD5 587ad35d06bccec7b8ff387dc0e5797e
SHA1 f8729b7d69e638887de8de9afd49f134b8c58025
SHA256 63def6511d6202684199b8135f9294a1ed0842f30cdb9788a6e6af08ded2bf0b
SHA512 9d71e0eda2492f26bbabab0344b9ab8ad9f11955d8b6a0a9ae4cb0486055ceb83afdcd95747c9739c56477b9346366ccc3e8f1f2a63f101a1c75d4d631cdb96c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xaRVcbREmE.js

MD5 f9332f9e18de0d77598ea6b6ca069da2
SHA1 09f7ba47ca4f682f500b2aa262326d7f60ef1cfa
SHA256 c0f0acfd56e2319b12d4a903e3fa99dce5d9afe751cfb13c939615b4fa92bb99
SHA512 76bdb8a2a519c788f4d2248474e8b68d96eba76e3609d1c7e87f0bed684231d66e01868ea358fe02634b2feac147655e20274adef4920dee07d199d7e1e82aac