Analysis

  • max time kernel
    110s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    28-07-2021 16:10

General

  • Target

    Invoice_#01.js

  • Size

    9KB

  • MD5

    758a8716e34bdc7cc046fcb9383216d9

  • SHA1

    5faac5dd55211b967333205e71b9d934b14e88b5

  • SHA256

    a1ee2ea563a62ce42f154749f225613c13b6c5568a0e4d955a2c09895ac1a26e

  • SHA512

    1fba12f0bc766bcd8ebc3203dd2ef833f0f34f4fd53f435d9f224e97ba450886bb6ecf1aab92cc912a7eaa3e31e100f650a386051438449fcc01f01afa9acbb7

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice_#01.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Invoice_#01.js
      2⤵
      • Creates scheduled task(s)
      PID:1352

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1352-59-0x0000000000000000-mapping.dmp