Analysis
-
max time kernel
188s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-02-2022 01:06
General
-
Target
PO-098765MK.js
-
Size
25KB
-
MD5
139e0e10e1e1a4d2ba7f582c7f090386
-
SHA1
2fd97c48b50d5b1954deda2ec5dcf0e2982226d2
-
SHA256
34118f870c72acd9879333419b07dc6c07269a9905c3654cfa713ad028bf2665
-
SHA512
34d9623b7019b450c5bac34b7f2543f333f16a0676dd1024678a0b40aedcb58d702caf3a04429987f10665b7ef6f0d13066a6c1e98fb89f9296ee1b0f30fdf33
Score
10/10
Malware Config
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 14 IoCs
-
Drops startup file 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\PO-098765MK.js1⤵
- Blocklisted process makes network request
- Drops startup file
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
16KB