Analysis
-
max time kernel
153s -
max time network
157s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-12-2021 15:18
General
-
Target
ORDER 211213AB.js
-
Size
309KB
-
MD5
6d1f37247016404997f0aea71bf6d012
-
SHA1
13be69202507178c513345c60fbb111cb8f2ccc0
-
SHA256
f0df36fdbb9aa896e774335fdcaa9cb7f914682ee392117ab43a0c1d85d49a26
-
SHA512
b14ca2616c862569a1b5c997bc6fd09a70598d46fe2d03649ed2e05a2b5fefc82cf6e44cf13448617615c6ce8d79ca0b4e4f953cc0e0be00f9af62d877ad30b7
Malware Config
Extracted
vjw0rm
http://chongmei33.publicvm.com:7974
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 19 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\ORDER 211213AB.js"1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ExiLNbTayh.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ExiLNbTayh.jsMD5
e03a490c408d7d19176f8d182569df3d
SHA1b464106f14a65ff83b35028b62020b9a2ab955f0
SHA256d703fdbdc538a6a4f22a7d568e68c67d2c7826dc1ed4357a28481d8df3324714
SHA512cca24f233042079507716d0f102f142af19ad9c22c42ce1af8e6208fbedb78a4242e5a49f1f2b5dcc5690a87c7c40646c61d94c32f562e987b090080c4fd1914
-
memory/524-54-0x0000000000000000-mapping.dmp