Overview

overview

10

Static

static

AWB06152022.js

windows7_x64

10

AWB06152022.js

windows10_x64

10

Analysis

  • max time kernel
    63s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 15:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB06152022.js

  • Size

    491KB

  • MD5

    9132b6feb40cf5d30ee938e72a505826

  • SHA1

    30cc4aa2aa1b2e2698beb6b8b6a878523913dd2c

  • SHA256

    98cc9c29783c707d3981c59c3cb48474cd4c99a58db0b13fb3dc96ade0e50fba

  • SHA512

    7d7862ec8a3446be4769e6ccb0ca209f3ab01a7b0581f57182b3373e2f43374339c3887c624181d7820fc105c9fd5c48e7c000c45c93e077cca095312affce09

Score
10/10
vjw0rmwarzoneratinfostealerpersistencerattrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://franmhort.duia.ro:8152

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 2 IoCs
    rat
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB06152022.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HDeixdadNw.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2004
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
        "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
        3⤵
        • Executes dropped EXE
        PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\coco.vbs
    Filesize

    262KB

    MD5

    c88b4225d112a00ca24064e0ef0eab73

    SHA1

    3e3fdaee20e6ab757e013f0ebfd4f2a0dbb267db

    SHA256

    0a35cdc2af8e2f4b971dc4482d9c3bca3c0de4295406dccd7c6743895769a504

    SHA512

    937617ac5ddd7d8bd971645c81b5667be178d5bb9700152072a9184dddff952327b36e329b1c257da1dc38f1e7c781ea501a14d8a5f0fe2b41a19656732a09ba

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    131KB

    MD5

    d094904acee9a06b8cc82def7ae31dbd

    SHA1

    855bc1ffd23a61fbbe9775de464c43bc532d2e69

    SHA256

    195657d28badaba67b1a0e0a9b32da62179454f2fad141f490c2b6808d326229

    SHA512

    a4b91d26f5db1e5859874f5f1c3f6f39c7cd5535b8a16b321072fb7f539af79cc1b31799ee679401e16fd8b9c0598c5890d389af609e19bf1fc04d624e06220e

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    131KB

    MD5

    d094904acee9a06b8cc82def7ae31dbd

    SHA1

    855bc1ffd23a61fbbe9775de464c43bc532d2e69

    SHA256

    195657d28badaba67b1a0e0a9b32da62179454f2fad141f490c2b6808d326229

    SHA512

    a4b91d26f5db1e5859874f5f1c3f6f39c7cd5535b8a16b321072fb7f539af79cc1b31799ee679401e16fd8b9c0598c5890d389af609e19bf1fc04d624e06220e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\HDeixdadNw.js
    Filesize

    10KB

    MD5

    a48f536f703ee0912c56793251cd2cce

    SHA1

    de0bce31d9b9b143d81942eeff44aa7e0318b1e8

    SHA256

    173da53c8d93e620556f5557083c0b714802c3d3cad6aeb24ae09118a1b06f36

    SHA512

    bdbf60dd94eb29052756065eea2aea2132c7af712f1f7854bb549ecf0998632950e2dc6c35dfb4bf25f2b7857111f29567a71a917d033ad62e8535f36d8f5d6b

    Download Submit
  • memory/1728-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1728-63-0x0000000076391000-0x0000000076393000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-56-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-55-0x0000000000000000-mapping.dmp
    Download
  • memory/2008-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
    Filesize

    8KB

    Download