Malware Analysis Report

2025-01-18 12:23

Sample ID 221117-wh1cbsbb2w
Target ECEX2240 304 sheets 42.047mt RFQ-221115-1.js
SHA256 70f6448c7123a3fdfeeea3f8a1bff79b749f622c9d1a5b6542e0cafc6e6372ce
Tags vjw0rm wshrat persistence trojan worm
Score 10/10

Analysis Overview

Score 10/10

SHA256 70f6448c7123a3fdfeeea3f8a1bff79b749f622c9d1a5b6542e0cafc6e6372ce

Threat Level: Known bad

The file ECEX2240 304 sheets 42.047mt RFQ-221115-1.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-11-17 17:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-17 17:56

Reported 2022-11-17 17:58

Platform win7-20220812-en

Max time kernel 150s

Max time network 153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhFBKsXrcc.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhFBKsXrcc.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 17/11/2022|JavaScript N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QhFBKsXrcc.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QhFBKsXrcc.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 8.8.8.8:53 vipdata2.ddns.net udp
N/A 134.19.179.235:21234 vipdata2.ddns.net tcp
N/A 154.120.76.213:5465 javaautorun.duia.ro tcp

Files

memory/1440-54-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

memory/612-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\QhFBKsXrcc.js

MD5 489b6394d8868b203a2b62e4f4811713
SHA1 379205c5e6523ebff4ad1d7e8e9fbdde56db2b8e
SHA256 4f9d9d8215eb52c5ba734d8c9afdd52d620ba5ad7475c78ae1f3af5c64d7fc20
SHA512 777967c33506df8c189efaf255d4c45b4406aa969fa6611710acfdb3cc3630884b25500887461d3820e9adf1ab328758eeb8c98d4e0b91655554f7cc351c23ed

memory/1752-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js

MD5 930fe12236c4f4fb72dede56a721b9d5
SHA1 af54639ddd3a2585635cc0699374de872bdf588a
SHA256 70f6448c7123a3fdfeeea3f8a1bff79b749f622c9d1a5b6542e0cafc6e6372ce
SHA512 c100ad6a6f7b46c8dd0516d9b3139fe663adcd43f22d38a68bc9282617b0c98b5ab5c2145c815c03793391eb086fd1bf79134471565337003b5125f0944219c9

memory/1532-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js

MD5 930fe12236c4f4fb72dede56a721b9d5
SHA1 af54639ddd3a2585635cc0699374de872bdf588a
SHA256 70f6448c7123a3fdfeeea3f8a1bff79b749f622c9d1a5b6542e0cafc6e6372ce
SHA512 c100ad6a6f7b46c8dd0516d9b3139fe663adcd43f22d38a68bc9282617b0c98b5ab5c2145c815c03793391eb086fd1bf79134471565337003b5125f0944219c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhFBKsXrcc.js

MD5 489b6394d8868b203a2b62e4f4811713
SHA1 379205c5e6523ebff4ad1d7e8e9fbdde56db2b8e
SHA256 4f9d9d8215eb52c5ba734d8c9afdd52d620ba5ad7475c78ae1f3af5c64d7fc20
SHA512 777967c33506df8c189efaf255d4c45b4406aa969fa6611710acfdb3cc3630884b25500887461d3820e9adf1ab328758eeb8c98d4e0b91655554f7cc351c23ed

Analysis: behavioral2

Detonation Overview

Submitted 2022-11-17 17:56

Reported 2022-11-17 17:58

Platform win10v2004-20220812-en

Max time kernel 150s

Max time network 151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhFBKsXrcc.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhFBKsXrcc.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECEX2240 304 sheets 42 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 17/11/2022|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 4916 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1572 wrote to memory of 1940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1940 wrote to memory of 4564 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QhFBKsXrcc.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QhFBKsXrcc.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 154.120.76.213:5465 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 vipdata2.ddns.net udp
N/A 134.19.179.235:21234 vipdata2.ddns.net tcp
N/A 13.69.239.72:443 tcp
N/A 209.197.3.8:80 tcp
N/A 134.19.179.235:21234 tcp

Files

memory/4916-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\QhFBKsXrcc.js

MD5 489b6394d8868b203a2b62e4f4811713
SHA1 379205c5e6523ebff4ad1d7e8e9fbdde56db2b8e
SHA256 4f9d9d8215eb52c5ba734d8c9afdd52d620ba5ad7475c78ae1f3af5c64d7fc20
SHA512 777967c33506df8c189efaf255d4c45b4406aa969fa6611710acfdb3cc3630884b25500887461d3820e9adf1ab328758eeb8c98d4e0b91655554f7cc351c23ed

memory/1940-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js

MD5 930fe12236c4f4fb72dede56a721b9d5
SHA1 af54639ddd3a2585635cc0699374de872bdf588a
SHA256 70f6448c7123a3fdfeeea3f8a1bff79b749f622c9d1a5b6542e0cafc6e6372ce
SHA512 c100ad6a6f7b46c8dd0516d9b3139fe663adcd43f22d38a68bc9282617b0c98b5ab5c2145c815c03793391eb086fd1bf79134471565337003b5125f0944219c9

memory/4564-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECEX2240 304 sheets 42.047mt RFQ-221115-1.js

MD5 930fe12236c4f4fb72dede56a721b9d5
SHA1 af54639ddd3a2585635cc0699374de872bdf588a
SHA256 70f6448c7123a3fdfeeea3f8a1bff79b749f622c9d1a5b6542e0cafc6e6372ce
SHA512 c100ad6a6f7b46c8dd0516d9b3139fe663adcd43f22d38a68bc9282617b0c98b5ab5c2145c815c03793391eb086fd1bf79134471565337003b5125f0944219c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhFBKsXrcc.js

MD5 489b6394d8868b203a2b62e4f4811713
SHA1 379205c5e6523ebff4ad1d7e8e9fbdde56db2b8e
SHA256 4f9d9d8215eb52c5ba734d8c9afdd52d620ba5ad7475c78ae1f3af5c64d7fc20
SHA512 777967c33506df8c189efaf255d4c45b4406aa969fa6611710acfdb3cc3630884b25500887461d3820e9adf1ab328758eeb8c98d4e0b91655554f7cc351c23ed