Malware Analysis Report

2025-01-18 12:22

Sample ID: 221108-lnzymsaah8
Target: payment receipt.js
SHA256: 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
Tags: vjw0rm wshrat persistence trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501

Threat Level: Known bad

The file payment receipt.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-08 09:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-08 09:41
Reported: 2022-11-08 09:44
Platform: win7-20220812-en
Max time kernel: 151s
Max time network: 190s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(54 identical entries)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 8/11/2022|JavaScript N/A N/A
(22 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x490

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 takeall.duckdns.org udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
(unique entries; repeated connections to the same destinations omitted)

Files

memory/2032-54-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

memory/1108-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

memory/2040-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

memory/1880-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-08 09:41
Reported: 2022-11-08 09:44
Platform: win10-20220901-en
Max time kernel: 148s
Max time network: 153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(64 identical entries)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|16761A4A|JBYQTQBO|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 8/11/2022|JavaScript N/A N/A
(30 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4528 wrote to memory of 4832 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4528 wrote to memory of 364 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 364 wrote to memory of 3604 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 takeall.duckdns.org udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
IE 20.50.80.210:443 tcp
NL 8.248.7.254:80 tcp
(unique entries; repeated connections to the same destinations omitted)

Files

memory/4832-120-0x0000000000000000-mapping.dmp

memory/364-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

C:\Users\Admin\AppData\Roaming\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

memory/3604-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

Analysis: behavioral3

Detonation Overview

Submitted: 2022-11-08 09:41
Reported: 2022-11-08 09:45
Platform: win10v2004-20220812-en
Max time kernel: 149s
Max time network: 153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(43 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
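The two persistence mechanisms recorded above (a script dropped into the per-user Startup folder, and Run values in both HKCU and HKLM that relaunch the script with `wscript.exe //B`) are the same pattern an analyst would hunt for on a live host or in EDR telemetry. The following is an added detection example, not code from this report or from the sandbox: it runs a few rules over registry-set and file-create events. The event records are constructed for the example from this report's own values, with two benign records (an OneDrive Run value and a text file) added so the rules have something to ignore; the record layout is this example's own.

```python
import re
from typing import Dict, List

# Registry and file events taken from this report, plus two constructed benign
# events so the rules have negatives. The type/path/value layout is this
# example's own, not the sandbox's export format.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "reg_set",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"'},
    {"type": "reg_set",
     "path": r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"'},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js"},
    {"type": "reg_set",  # constructed benign Run value
     "path": r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "path": r"C:\Users\Admin\Documents\notes.txt"},  # constructed benign file
]

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I)
# wscript/cscript, bare or with its System32/SysWOW64 path, optionally quoted.
SCRIPT_HOST = re.compile(
    r'^"?(?:[A-Za-z]:\\Windows\\(?:System32|SysWOW64)\\)?[wc]script(?:\.exe)?"?\s+(?P<args>.+)$', re.I)
# A quoted or bare absolute path ending in a script extension.
SCRIPT_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:js|jse|vbs|vbe|wsf|wsh))"?(?=["\s]|$)', re.I)


def check_run_value(key_path: str, value: str) -> List[str]:
    """Reasons a Run/RunOnce value looks like script-host persistence (empty list if none)."""
    if not RUN_KEY.search(key_path):
        return []
    m = SCRIPT_HOST.match(value.strip())
    if not m:
        return []
    reasons = ["Run value starts Windows Script Host"]
    args = m.group("args")
    if re.search(r"(?:^|\s)//?B(?=\s|$)", args, re.I):
        reasons.append("//B flag suppresses script errors and dialogs")
    p = SCRIPT_PATH.search(args)
    if p and USER_WRITABLE.search(p.group(1)):
        reasons.append("script lives in a user-writable directory: " + p.group(1))
    return reasons


def check_startup_file(path: str) -> List[str]:
    """A script written into the Startup folder is persistence on its own."""
    if STARTUP_DIR.search(path) and path.lower().endswith(SCRIPT_EXTS):
        return ["script dropped into Startup folder"]
    return []


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply both rules to an event list and return the findings in input order."""
    findings = []
    for ev in events:
        if ev["type"] == "reg_set":
            reasons = check_run_value(ev["path"], ev["value"])
        elif ev["type"] == "file_create":
            reasons = check_startup_file(ev["path"])
        else:
            reasons = []
        if reasons:
            findings.append({"path": ev["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

The rules deliberately key on the combination (script host, batch-mode flag, script under a profile directory) rather than on the file names, because the dropped name `nmLrNiYocF.js` is random per infection while the launch shape is constant across samples of this family.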

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 8/11/2022|JavaScript N/A N/A (15 identical rows)
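The User-Agent above is the WSHRAT check-in: a pipe-separated victim profile that the bot sends on every request, which makes it both a trivial IDS string match (`WSHRAT|`) and a source of scoping data in proxy logs (which host and user is infected, whether an AV product was seen). The parser below is an added example, not code from this report or from the sandbox. The field names are this example's reading of the layout (hardware ID, hostname, user, OS, variant, AV product or `nan-av`, removable-media spreading flag, install date, script engine) and should be treated as an assumption; the proxy log lines are constructed, and only the first line's User-Agent and destination come from this report.

```python
import re
from typing import Dict, List, Optional

# Beacon layout as seen in the User-Agent above. Field names are this example's
# assumption about the format, not labels produced by the sandbox:
#   WSHRAT|<hwid>|<hostname>|<user>|<os>|<variant>|<av>|<usb_spread> - <install_date>|<engine>
WSHRAT_UA = re.compile(
    r"^WSHRAT\|(?P<hwid>[^|]*)\|(?P<hostname>[^|]*)\|(?P<user>[^|]*)\|(?P<os>[^|]*)\|"
    r"(?P<variant>[^|]*)\|(?P<av>[^|]*)\|(?P<usb_spread>true|false) - (?P<install_date>[^|]*)\|"
    r"(?P<engine>JavaScript|VBScript)$",
    re.I,
)


def parse_wshrat_ua(ua: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields, or None if the User-Agent is not a WSHRAT beacon."""
    m = WSHRAT_UA.match(ua.strip())
    return m.groupdict() if m else None


# Constructed proxy log, tab-separated: time, client, server:port, method, URI, User-Agent.
SAMPLE_LOG = (
    "2022-11-08T09:42:01Z\t10.0.0.5\t154.120.66.114:5465\tPOST\t/\t"
    "WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 8/11/2022|JavaScript\n"
    "2022-11-08T09:42:03Z\t10.0.0.5\t93.184.221.240:80\tGET\t/\tMicrosoft-CryptoAPI/10.0\n"
    "2022-11-08T09:42:10Z\t10.0.0.7\t93.184.220.29:80\tGET\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
)


def scan_log(text: str) -> List[Dict[str, object]]:
    """One hit per log line whose User-Agent parses as a WSHRAT beacon."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue  # malformed line; a production pipeline should count these
        fields = parse_wshrat_ua(parts[5])
        if fields:
            hits.append({"time": parts[0], "client": parts[1], "server": parts[2],
                         "beacon": fields, "no_av": fields["av"].lower() == "nan-av"})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        b = h["beacon"]
        print(f'{h["time"]} {h["client"]} -> {h["server"]}: host={b["hostname"]} '
              f'user={b["user"]} os={b["os"]} av={b["av"]} engine={b["engine"]}')
```

Anchoring the pattern at the start of the header and requiring the trailing engine name keeps the match tight; a bare substring search for `WSHRAT` would also fire on this page's own text in a log of web traffic.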

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 516 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4676 wrote to memory of 516 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4676 wrote to memory of 4568 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4676 wrote to memory of 4568 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4568 wrote to memory of 544 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 4568 wrote to memory of 544 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"
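The WriteProcessMemory rows and the process list above describe one tree: the initial `wscript.exe` (PID 4676) starts two more script hosts in batch mode (PIDs 516 and 4568), and 4568 starts a fourth (PID 544). A script host whose parent is itself a script host, launching a script from the user profile with `//B`, is the lineage shape to alert on. The following is an added example, not code from this report or the sandbox: it reconstructs lineage from process-creation records and flags that shape. The command lines are the sandbox's, but pairing each PID with a command line, and the `explorer.exe` parent, are this example's assumptions.

```python
from typing import Dict, List

# Process-creation records modelled on the Processes and WriteProcessMemory
# sections above (4676 -> 516 and 4568, 4568 -> 544). Command lines are the
# sandbox's; the PID-to-command pairing and the explorer.exe root are assumed.
PROCESSES: List[Dict[str, object]] = [
    {"pid": 1200, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4676, "ppid": 1200, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"'},
    {"pid": 516, "ppid": 4676, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"'},
    {"pid": 4568, "ppid": 4676, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"'},
    {"pid": 544, "ppid": 4568, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def is_script_host(image: str) -> bool:
    """True for wscript.exe / cscript.exe regardless of directory or case."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS


def lineage(procs: List[Dict[str, object]], pid: int) -> List[int]:
    """PIDs from the given process up to the root, e.g. [544, 4568, 4676, 1200]."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def find_script_chains(procs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag script hosts spawned by a script host, the shape of WSH relaunch persistence."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if not (is_script_host(str(p["image"])) and parent and is_script_host(str(parent["image"]))):
            continue
        cmd = str(p["cmd"]).lower()
        reasons = ["script host spawned by script host"]
        if " //b " in cmd or cmd.endswith(" //b"):
            reasons.append("batch mode (//B) hides errors and prompts")
        if "\\appdata\\" in cmd or "\\temp\\" in cmd:
            reasons.append("script path under the user profile")
        hits.append({"pid": p["pid"], "lineage": lineage(procs, int(p["pid"])), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_script_chains(PROCESSES):
        print(h["pid"], "<-", " <- ".join(str(x) for x in h["lineage"][1:]), h["reasons"])
```

Sysmon event ID 1 or EDR process telemetry supplies the same pid/ppid/image/command-line fields, so the rule transfers directly; the initial 4676 is deliberately not flagged by this rule because its parent is Explorer, which is how a user double-clicking a `.js` attachment also looks.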

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 takeall.duckdns.org udp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 8.238.23.254:80 tcp
NL 8.238.23.254:80 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
DE 51.116.253.170:443 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
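The table shows the bot resolving two dynamic-DNS names and then hammering the resolved hosts on non-standard ports (154.120.66.114:5465 and 109.206.243.241:1991) for the whole run, while the handful of port 80/443 connections with no domain are ordinary background traffic. The profiler below is an added example, not code from this report or the sandbox: it turns a connection list into ranked C2 candidates using three cheap signals (dynamic-DNS hostname, non-standard port, repeat count). The input is a subset of the rows above embedded as constructed text, and the list of dynamic-DNS suffixes is illustrative.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Subset of the Network table above (country, destination, optional domain,
# proto), embedded as constructed input so the profiler runs offline.
NETWORK_ROWS = """\
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 takeall.duckdns.org udp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 8.238.23.254:80 tcp
DE 51.116.253.170:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NL 109.206.243.241:1991 takeall.duckdns.org tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
"""

# Free dynamic-DNS providers favoured by commodity RATs; illustrative, extend as needed.
DDNS_SUFFIXES = ("duckdns.org", "duia.ro", "no-ip.org", "ddns.net", "hopto.org")
STANDARD_PORTS = {53, 80, 443}
REPEAT_THRESHOLD = 3


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Rows have 3 fields (no domain) or 4 fields; anything else is skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4:
            country, dest, domain, proto = f
        elif len(f) == 3:
            country, dest, proto = f
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return flows


def is_ddns(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def profile(text: str) -> Tuple[List[Dict[str, object]], Set[str]]:
    """Return (C2 candidates sorted by connection count, DDNS names seen in resolver traffic)."""
    per_dest: Dict[Tuple[str, int], Dict[str, object]] = defaultdict(
        lambda: {"count": 0, "domains": set(), "countries": set()})
    ddns_lookups: Set[str] = set()
    for fl in parse_rows(text):
        if fl["port"] == 53:  # resolver traffic: record the name, do not count as a C2 flow
            if is_ddns(str(fl["domain"])):
                ddns_lookups.add(str(fl["domain"]))
            continue
        e = per_dest[(str(fl["ip"]), int(fl["port"]))]
        e["count"] += 1
        if fl["domain"]:
            e["domains"].add(fl["domain"])
        e["countries"].add(fl["country"])
    candidates = []
    for (ip, port), e in per_dest.items():
        ddns = any(is_ddns(d) for d in e["domains"])
        nonstd = port not in STANDARD_PORTS
        repeated = e["count"] >= REPEAT_THRESHOLD
        # A DDNS name alone is enough; otherwise require odd port AND repetition,
        # so repeated CRL/telemetry fetches on port 80 stay out of the list.
        if ddns or (nonstd and repeated):
            reasons = [r for r, on in (("dynamic-DNS hostname", ddns),
                                       (f"non-standard port {port}", nonstd),
                                       (f"{e['count']} repeated connections", repeated)) if on]
            candidates.append({"dest": f"{ip}:{port}", "count": e["count"],
                               "domains": sorted(e["domains"]), "reasons": reasons})
    candidates.sort(key=lambda c: -int(c["count"]))
    return candidates, ddns_lookups


if __name__ == "__main__":
    cands, lookups = profile(NETWORK_ROWS)
    print("DDNS names resolved:", sorted(lookups))
    for c in cands:
        print(c["dest"], c["count"], c["domains"], c["reasons"])
```

Blocking the two IPs is the weakest response here: both names are dynamic-DNS records the operator can repoint in seconds, so the durable indicators are the hostnames and the beacon shape, not the addresses.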

Files

memory/516-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

memory/4568-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93

memory/544-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js

MD5 7bdc2ed878e95f7b8b20656f2758d252
SHA1 fabccf889c3621122cedb7187992f107a9ebf4e3
SHA256 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
SHA512 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js

MD5 0965c7783112318b1bec9aad1ae0db0f
SHA1 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc
SHA256 cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59
SHA512 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93