Malware Analysis Report

2025-01-18 12:22

Sample ID 221111-l8hvvsed75
Target suBZaIZZSy_ayomover.js
SHA256 f4c467d745b4920e074209e95814ef511c3a239fb7296dc6ea36cd4a4875a743
Tags vjw0rm wshrat persistence trojan worm
Score 10/10


Analysis Overview

Score
10/10

SHA256

f4c467d745b4920e074209e95814ef511c3a239fb7296dc6ea36cd4a4875a743

Threat Level: Known bad

The file suBZaIZZSy_ayomover.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

WSHRAT

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-11 10:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-11 10:12

Reported

2022-11-11 10:14

Platform

win7-20220812-en

Max time kernel

151s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\suBZaIZZSy_ayomover.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(identical row reported 37 times in the original)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suBZaIZZSy_ayomover.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suBZaIZZSy_ayomover.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 11/11/2022|JavaScript N/A N/A
(identical row reported 26 times in the original)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\suBZaIZZSy_ayomover.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\suBZaIZZSy_ayomover.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 tcp

Files

memory/1980-54-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

memory/1596-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js

MD5 894a42de0f6fd6f82f1f3a2a33aac042
SHA1 02c85ad78d6c203b80dedb292810cae930086faf
SHA256 3fac74db0db43eec4faf06e594d5c49d98a9222a5739c2c64bb5249cc85bd4d0
SHA512 01ce16b93b42658f7b314b261fce944e7d07df712c8895291c4d73df38b25ba90563345ec3007e96ed91373f1562bc5b916f98ab64c3fd49e5b0b2b216030b30

memory/1772-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\suBZaIZZSy_ayomover.js

MD5 e74c17c1cd2391f4196165b7ff5835cd
SHA1 89fd7a28e6732864e7af863c0db67aa4b7910020
SHA256 f4c467d745b4920e074209e95814ef511c3a239fb7296dc6ea36cd4a4875a743
SHA512 ea31d7b1a77ce34973a0678c3363d1a8257bd98413696737d8546546a49f387ab96e8f9c3bc7bf5aff42e87868e19ee850b434bf819a430658865c6e93bc24ac

C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js

MD5 894a42de0f6fd6f82f1f3a2a33aac042
SHA1 02c85ad78d6c203b80dedb292810cae930086faf
SHA256 3fac74db0db43eec4faf06e594d5c49d98a9222a5739c2c64bb5249cc85bd4d0
SHA512 01ce16b93b42658f7b314b261fce944e7d07df712c8895291c4d73df38b25ba90563345ec3007e96ed91373f1562bc5b916f98ab64c3fd49e5b0b2b216030b30

memory/828-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suBZaIZZSy_ayomover.js

MD5 e74c17c1cd2391f4196165b7ff5835cd
SHA1 89fd7a28e6732864e7af863c0db67aa4b7910020
SHA256 f4c467d745b4920e074209e95814ef511c3a239fb7296dc6ea36cd4a4875a743
SHA512 ea31d7b1a77ce34973a0678c3363d1a8257bd98413696737d8546546a49f387ab96e8f9c3bc7bf5aff42e87868e19ee850b434bf819a430658865c6e93bc24ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js

MD5 894a42de0f6fd6f82f1f3a2a33aac042
SHA1 02c85ad78d6c203b80dedb292810cae930086faf
SHA256 3fac74db0db43eec4faf06e594d5c49d98a9222a5739c2c64bb5249cc85bd4d0
SHA512 01ce16b93b42658f7b314b261fce944e7d07df712c8895291c4d73df38b25ba90563345ec3007e96ed91373f1562bc5b916f98ab64c3fd49e5b0b2b216030b30

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-11 10:12

Reported

2022-11-11 10:14

Platform

win10v2004-20220901-en

Max time kernel

149s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\suBZaIZZSy_ayomover.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(identical row reported 42 times in the original)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suBZaIZZSy_ayomover.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suBZaIZZSy_ayomover.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suBZaIZZSy_ayomover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\suBZaIZZSy_ayomover.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 11/11/2022|JavaScript N/A N/A
(identical row reported 30 times in the original)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2248 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1688 wrote to memory of 2248 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1688 wrote to memory of 2996 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1688 wrote to memory of 2996 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2996 wrote to memory of 5024 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 2996 wrote to memory of 5024 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\suBZaIZZSy_ayomover.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\suBZaIZZSy_ayomover.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 20.42.73.25:443 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 95.142.119.17:5465 javaautorun.duia.ro tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp
N/A 45.139.105.174:7670 45.139.105.174 tcp

Files

memory/2248-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js

MD5 894a42de0f6fd6f82f1f3a2a33aac042
SHA1 02c85ad78d6c203b80dedb292810cae930086faf
SHA256 3fac74db0db43eec4faf06e594d5c49d98a9222a5739c2c64bb5249cc85bd4d0
SHA512 01ce16b93b42658f7b314b261fce944e7d07df712c8895291c4d73df38b25ba90563345ec3007e96ed91373f1562bc5b916f98ab64c3fd49e5b0b2b216030b30

memory/2996-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\suBZaIZZSy_ayomover.js

MD5 e74c17c1cd2391f4196165b7ff5835cd
SHA1 89fd7a28e6732864e7af863c0db67aa4b7910020
SHA256 f4c467d745b4920e074209e95814ef511c3a239fb7296dc6ea36cd4a4875a743
SHA512 ea31d7b1a77ce34973a0678c3363d1a8257bd98413696737d8546546a49f387ab96e8f9c3bc7bf5aff42e87868e19ee850b434bf819a430658865c6e93bc24ac

C:\Users\Admin\AppData\Roaming\YeVbRXLYad.js

MD5 894a42de0f6fd6f82f1f3a2a33aac042
SHA1 02c85ad78d6c203b80dedb292810cae930086faf
SHA256 3fac74db0db43eec4faf06e594d5c49d98a9222a5739c2c64bb5249cc85bd4d0
SHA512 01ce16b93b42658f7b314b261fce944e7d07df712c8895291c4d73df38b25ba90563345ec3007e96ed91373f1562bc5b916f98ab64c3fd49e5b0b2b216030b30

memory/5024-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\suBZaIZZSy_ayomover.js

MD5 e74c17c1cd2391f4196165b7ff5835cd
SHA1 89fd7a28e6732864e7af863c0db67aa4b7910020
SHA256 f4c467d745b4920e074209e95814ef511c3a239fb7296dc6ea36cd4a4875a743
SHA512 ea31d7b1a77ce34973a0678c3363d1a8257bd98413696737d8546546a49f387ab96e8f9c3bc7bf5aff42e87868e19ee850b434bf819a430658865c6e93bc24ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YeVbRXLYad.js

MD5 894a42de0f6fd6f82f1f3a2a33aac042
SHA1 02c85ad78d6c203b80dedb292810cae930086faf
SHA256 3fac74db0db43eec4faf06e594d5c49d98a9222a5739c2c64bb5249cc85bd4d0
SHA512 01ce16b93b42658f7b314b261fce944e7d07df712c8895291c4d73df38b25ba90563345ec3007e96ed91373f1562bc5b916f98ab64c3fd49e5b0b2b216030b30