Malware Analysis Report

2024-11-15 08:05

Sample ID: 230222-m327zscg4v
Target: HK SEMI CORPORATION CO,,Ltd.pdf.js
SHA256: 6d492fc9630da1e571ef9953241ad9a594b7b702d7dfa033b06941d3b7f9f201
Tags: vjw0rm wshrat persistence trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 6d492fc9630da1e571ef9953241ad9a594b7b702d7dfa033b06941d3b7f9f201
Threat Level: Known bad

The file HK SEMI CORPORATION CO,,Ltd.pdf.js was found to be: Known bad. The double extension is the lure: with Explorer's default "Hide extensions for known file types" setting the name displays as a .pdf, but the file is a JScript script that Windows Script Host (wscript.exe) runs on double-click.

Malicious Activity Summary

Tags: vjw0rm wshrat persistence trojan worm

Vjw0rm
WSHRAT
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-02-22 11:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-22 11:00
Reported: 2023-02-22 11:02
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.pdf.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

The sandbox logged 39 network-request events for this signature, all from wscript.exe, with no description, indicator, or target recorded. The raw log alternates the path casing between System32 and system32; the rows are collapsed here.

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\wscript.exe N/A 39

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lTMNJJUZOW.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lTMNJJUZOW.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HK SEMI CORPORATION CO,,Ltd.pdf.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HK SEMI CORPORATION CO,,Ltd.pdf.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\HK SEMI CORPORATION CO,,Ltd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HK SEMI CORPORATION CO,,Ltd.pdf.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HK SEMI CORPORATION CO,,Ltd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HK SEMI CORPORATION CO,,Ltd.pdf.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

The same beacon header was observed on 25 HTTP requests (rows collapsed):

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|C0585B3B|MLXLFKOI|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 22/2/2023|JavaScript N/A N/A 25

Suspicious use of WriteProcessMemory

Three identical events (rows collapsed). The writing process is the wscript.exe running the original script and the target is a second wscript.exe, consistent with the first script launching the //B lTMNJJUZOW.js process listed under Processes.

Description Indicator Process Target Count
PID 1432 wrote to memory of 1156 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe 3

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.pdf.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lTMNJJUZOW.js"

Network

Rows collapsed by destination (40 entries in total; the raw log interleaves the two TCP destinations throughout the run):

Country Destination Domain Proto Count
US 8.8.8.8:53 javaautorun.duia.ro udp 1
EE 91.193.75.131:5440 javaautorun.duia.ro tcp 14
NL 45.139.105.174:1604 45.139.105.174 tcp 25

Files

C:\Users\Admin\AppData\Roaming\lTMNJJUZOW.js

MD5 ad59cac7b1286d1827b2fcc78a4d0520
SHA1 ba3b243c38e22175487e15c865e11aa4654e4f00
SHA256 eb442a007602f5f27c002bf0f7ab0e9b0f68bb9788cf338019fe856013c39a69
SHA512 6a459770989387cc1dfb8e1a8ea8baca669127a8bb7e0f97945ea3e0b53371da46f88d058c3005519b4f698d24e4ae64163dd588945205f12a01d4e6d2fee221

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HK SEMI CORPORATION CO,,Ltd.pdf.js

MD5 7c1b866122a8e513808e32caed12c6f6
SHA1 fe31d17019b1faf1fa5a8c219bfbf1290d8c3423
SHA256 6d492fc9630da1e571ef9953241ad9a594b7b702d7dfa033b06941d3b7f9f201
SHA512 cd94ea8344923c1f5b007e10226ebc1bb7e1d1a1fcc0fdb0c3c14478ed5d7c78f9f1b1ac38aaa90567e49be5a5f9df320c68ad8de925620c82c5f9dd825de948

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-22 11:00
Reported: 2023-02-22 11:02
Platform: win10v2004-20230220-en
Max time kernel: 147s
Max time network: 150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.pdf.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

The sandbox logged 43 network-request events for this signature, all from wscript.exe, with no description, indicator, or target recorded. The raw log alternates the path casing between System32 and system32; the rows are collapsed here.

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\wscript.exe N/A 43

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HK SEMI CORPORATION CO,,Ltd.pdf.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HK SEMI CORPORATION CO,,Ltd.pdf.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lTMNJJUZOW.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lTMNJJUZOW.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HK SEMI CORPORATION CO,,Ltd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HK SEMI CORPORATION CO,,Ltd.pdf.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HK SEMI CORPORATION CO,,Ltd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HK SEMI CORPORATION CO,,Ltd.pdf.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

The same beacon header was observed on 29 HTTP requests (rows collapsed):

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 22/2/2023|JavaScript N/A N/A 29
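The User-Agent recorded in both detonations (C0585B3B/MLXLFKOI on Windows 7 above, D0F59775/TPAVZECK on Windows 10 here) is a fixed '|'-delimited beacon, which makes it a cheap network detection. The Python below is an added example, not part of this sandbox report or of the malware's own code: it parses the header into fields and runs over a few constructed Zeek-style http.log records. Only the leading WSHRAT tag is certain; the other field names are assumptions drawn from the values seen here (an 8-hex-digit victim id, a hostname, the username, the OS string, a variant tag, an AV string, a true/false flag with a d/m/yyyy date matching the detonation day, and the script language). The report does not say which of the two TCP destinations in the Network table carried the HTTP traffic, so the constructed records use 45.139.105.174:1604 only as a placeholder.

```python
import json
import re
from typing import Iterable, Optional

# '|'-delimited beacon layout as observed in this report. Field names for
# everything after the "WSHRAT" tag are assumptions drawn from the values seen
# (C0585B3B / MLXLFKOI / Admin / Microsoft Windows 7 Ultimate / plus / nan-av /
# false - 22/2/2023 / JavaScript).
WSHRAT_UA = re.compile(
    r"^WSHRAT\|"
    r"(?P<victim_id>[0-9A-Fa-f]{8})\|"
    r"(?P<hostname>[^|]*)\|"
    r"(?P<user>[^|]*)\|"
    r"(?P<os>[^|]*)\|"
    r"(?P<variant>[^|]*)\|"
    r"(?P<av>[^|]*)\|"
    r"(?P<flag>true|false) - (?P<date>\d{1,2}/\d{1,2}/\d{4})\|"
    r"(?P<lang>[^|]*)$"
)

# Constructed records modelled on Zeek http.log JSON. The user_agent values are
# the two strings recorded in this report; the destination IP:port is assumed.
SAMPLE_HTTP_LOG = [
    '{"ts": 1677063720.1, "id.orig_h": "10.0.0.5", "id.resp_h": "45.139.105.174", '
    '"id.resp_p": 1604, "user_agent": "WSHRAT|C0585B3B|MLXLFKOI|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 22/2/2023|JavaScript"}',
    '{"ts": 1677063721.4, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", '
    '"id.resp_p": 80, "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Gecko/20100101 Firefox/109.0"}',
    '{"ts": 1677063730.9, "id.orig_h": "10.0.0.7", "id.resp_h": "45.139.105.174", '
    '"id.resp_p": 1604, "user_agent": "WSHRAT|D0F59775|TPAVZECK|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 22/2/2023|JavaScript"}',
]


def parse_wshrat_ua(ua: str) -> Optional[dict]:
    """Return the beacon fields, or None when the header is not this layout."""
    m = WSHRAT_UA.match(ua)
    if m is None:
        return None
    fields = m.groupdict()
    fields["os"] = fields["os"].strip()  # the Windows 7 sample carries a trailing space
    return fields


def classify_ua(ua: str) -> Optional[str]:
    """'wshrat' for a full match; 'wshrat-prefix-only' when the family tag is
    present but the layout has drifted (still worth an alert); else None."""
    if parse_wshrat_ua(ua) is not None:
        return "wshrat"
    if ua.startswith("WSHRAT|"):
        return "wshrat-prefix-only"
    return None


def triage_http_log(lines: Iterable[str]) -> list:
    """Scan JSON http.log records and return one finding per beacon request."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        ua = rec.get("user_agent", "")
        verdict = classify_ua(ua)
        if verdict is None:
            continue
        finding = {
            "verdict": verdict,
            "ts": rec["ts"],
            "src": rec["id.orig_h"],
            "dst": f'{rec["id.resp_h"]}:{rec["id.resp_p"]}',
            "user_agent": ua,
        }
        if verdict == "wshrat":
            finding.update(parse_wshrat_ua(ua))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_http_log(SAMPLE_HTTP_LOG):
        print(f["verdict"], f["src"], "->", f["dst"], f.get("victim_id"), f.get("os"))
```

The prefix-only verdict is deliberate: the full layout is the thing most likely to change between builds, while the leading family tag has been stable across the samples in this report, so a drifted header still raises an alert and the parsed fields are a bonus when they are available.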

Suspicious use of WriteProcessMemory

Two identical events (rows collapsed). As on Windows 7, the writing process is the wscript.exe running the original script and the target is a second wscript.exe, consistent with the first script launching the //B lTMNJJUZOW.js process listed under Processes.

Description Indicator Process Target Count
PID 464 wrote to memory of 2016 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.pdf.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lTMNJJUZOW.js"
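Both detonations persist the same way: a Run value under the user hive and under HKLM named after the lure, a copy of the script in the user's Startup folder, and a second wscript.exe started with //B (batch mode, which suppresses script errors and prompts) on the dropped lTMNJJUZOW.js. The Python below is an added example, not part of this report: it encodes those three indicators as checks over constructed Sysmon-style events (IDs 13, 11 and 1) built from the values recorded in the behavioral1 and behavioral2 tables, plus two benign events to show they are not flagged. Field names follow Sysmon's (TargetObject, Details, TargetFilename, CommandLine, ParentImage); the HKU and HKLM prefixes are a simplification of the \REGISTRY\USER and \REGISTRY\MACHINE paths shown above, and the user-writable directory list is an assumption.

```python
import re
from typing import Iterable, Optional

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
SCRIPT_HOST = re.compile(r"\b[wc]script\.exe\b", re.IGNORECASE)
# First quoted-or-bare drive path on a command line that ends in a script extension.
SCRIPT_PATH = re.compile(
    r'"?([A-Za-z]:\\[^"]+?\.(?:jse|js|vbe|vbs|wsf))(?=["\s]|$)', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Assumed set of user-writable locations a persisted script should not live in.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed Sysmon-style events (EventID 13 = registry value set, 11 = file
# create, 1 = process create) built from the values in this report, plus two
# benign events. HKU/HKLM stand in for \REGISTRY\USER and \REGISTRY\MACHINE.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\HK SEMI CORPORATION CO,,Ltd",
     "Details": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.pdf.js"'},
    {"EventID": 13, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HK SEMI CORPORATION CO,,Ltd",
     "Details": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.pdf.js"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lTMNJJUZOW.js"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lTMNJJUZOW.js"'},
    # Benign noise: an installer registering an updater, and a normal notepad launch.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]


def script_path(cmd: str) -> Optional[str]:
    m = SCRIPT_PATH.search(cmd)
    return m.group(1) if m else None


def check_run_value(target_object: str, details: str) -> Optional[dict]:
    """Run/RunOnce value that starts a script host on a script in a user-writable path."""
    if not (RUN_KEY.search(target_object) and SCRIPT_HOST.search(details)):
        return None
    path = script_path(details)
    if path is None or not USER_WRITABLE.search(path):
        return None
    return {"rule": "run-key-script-host", "key": target_object, "script": path}


def check_startup_drop(target_filename: str) -> Optional[dict]:
    """Script file written into a Startup folder."""
    if STARTUP_DIR.search(target_filename) and target_filename.lower().endswith(SCRIPT_EXTS):
        return {"rule": "startup-folder-script", "script": target_filename}
    return None


def check_process(command_line: str, parent_image: str) -> Optional[dict]:
    """Script host launched on a script in a user-writable path. //B (batch mode)
    hides errors and prompts; a script-host parent is the chain seen in this report."""
    if not SCRIPT_HOST.search(command_line):
        return None
    path = script_path(command_line)
    if path is None or not USER_WRITABLE.search(path):
        return None
    return {
        "rule": "script-host-user-path",
        "script": path,
        "batch_mode": "//b" in command_line.lower(),
        "parent_is_script_host": bool(SCRIPT_HOST.search(parent_image)),
    }


def triage(events: Iterable[dict]) -> list:
    """Route each event to the matching check and collect the findings."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:
            f = check_run_value(ev["TargetObject"], ev.get("Details", ""))
        elif eid == 11:
            f = check_startup_drop(ev["TargetFilename"])
        elif eid == 1:
            f = check_process(ev["CommandLine"], ev.get("ParentImage", ""))
        else:
            f = None
        if f is not None:
            f["image"] = ev["Image"]
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], f["script"])
```

The checks key on where the persisted script lives rather than on the lure's name or the random lTMNJJUZOW.js filename, both of which change per campaign; a Run value or Startup entry that points a script host at AppData or Temp is rare enough in a managed fleet that it can be alerted on directly.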

Network

Rows collapsed by destination (57 entries in total). Besides the two TCP destinations also seen on Windows 7, the Windows 10 run recorded reverse (PTR) lookups for a dozen addresses, listed below in the order they appeared; 174.105.139.45.in-addr.arpa is the PTR name for the 45.139.105.174 destination.

Country Destination Domain Proto Count
US 8.8.8.8:53 javaautorun.duia.ro udp 1
NL 45.139.105.174:1604 45.139.105.174 tcp 29
EE 91.193.75.131:5440 javaautorun.duia.ro tcp 14
IE 20.50.73.11:443 (none) tcp 1
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp 1
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 174.105.139.45.in-addr.arpa udp 1
US 8.8.8.8:53 65.193.24.20.in-addr.arpa udp 1
US 8.8.8.8:53 29.220.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 32.146.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 105.104.123.20.in-addr.arpa udp 1
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp 1
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp 1
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp 1
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Roaming\lTMNJJUZOW.js

MD5 ad59cac7b1286d1827b2fcc78a4d0520
SHA1 ba3b243c38e22175487e15c865e11aa4654e4f00
SHA256 eb442a007602f5f27c002bf0f7ab0e9b0f68bb9788cf338019fe856013c39a69
SHA512 6a459770989387cc1dfb8e1a8ea8baca669127a8bb7e0f97945ea3e0b53371da46f88d058c3005519b4f698d24e4ae64163dd588945205f12a01d4e6d2fee221

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HK SEMI CORPORATION CO,,Ltd.pdf.js

MD5 7c1b866122a8e513808e32caed12c6f6
SHA1 fe31d17019b1faf1fa5a8c219bfbf1290d8c3423
SHA256 6d492fc9630da1e571ef9953241ad9a594b7b702d7dfa033b06941d3b7f9f201
SHA512 cd94ea8344923c1f5b007e10226ebc1bb7e1d1a1fcc0fdb0c3c14478ed5d7c78f9f1b1ac38aaa90567e49be5a5f9df320c68ad8de925620c82c5f9dd825de948