Analysis
-
max time kernel
150s -
max time network
176s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
03-09-2021 03:01
General
-
Target
DHL September Pickup Form for E-Shipment Retu.js
-
Size
31KB
-
MD5
0bc390a3151f3d4524d81c4f039d2685
-
SHA1
89d78b77ddbfbeb17d4d1a589d93f886bdc76e80
-
SHA256
21c1f33b0a6d1b5ecaf03b167e8701a9e9fa4ecf8935e9437ad01cc8f944349c
-
SHA512
d658ed37178255fbe2b8bca0dfc34a142c11139ddef078abb241a6c3bcb8759a4a46c693c14142bffc53eed1f18f0af394489ba66dcfed25b9aacca78aae76f8
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 18 IoCs
-
Drops startup file 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\DHL September Pickup Form for E-Shipment Retu.js"1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AfHZdNMtwD.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\AfHZdNMtwD.jsMD5
eef60c67a6c398f351039837615f2ece
SHA1da2bcc1eef7918ae27df4c7352b8f9eb025e7ccc
SHA2565a9376351281368dc74815b74de37f98bf1c3d571fb2f6b5258625354a2265f9
SHA512f9480c76ab3545f5c931ac99030aaf272f3c2af764a57efa257031ff69876b5930e57dd4d55e2c2e12f75bb04fb4d44cf40522bf19130781dbd144222814d219
-
memory/520-60-0x0000000000000000-mapping.dmp