Overview

overview

10

Static

static

New Order.js

windows7_x64

10

New Order.js

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-06-2022 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.js

  • Size

    531KB

  • MD5

    e7c12e5be1dad9a6fa3c0d201f8cce0c

  • SHA1

    66e700ec7a5ef9daab0caef89d5feed95cc9ba06

  • SHA256

    650a05ec364c57a741c304434972b520db752b659675321246c5e76a0f1a2411

  • SHA512

    2acbbbfcbbb09b92f67559070882a7b157875b3fda72ff45bf6951b10a8ff1607943528035fef32bee419f818244d1db7f959ccec44145a86b18231ee7a3eac7

Score
10/10
vjw0rmwarzoneratinfostealerpersistencerattrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 2 IoCs
    rat
  • Blocklisted process makes network request 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2016
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
        "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
        3⤵
        • Executes dropped EXE
        PID:1580

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\coco.vbs
    Filesize

    262KB

    MD5

    7ed171f03775557ab9dae2b0913a6141

    SHA1

    44a21f8522f5ce3cc7559e34cd7bf08314407baa

    SHA256

    a32fbd632126405e9a0d3a307216dcf2f5828058b843322c2bad050d46c5cf51

    SHA512

    27bd180d0b204f46e86692d63401f87874db6b9c41ef419083c7ffe475b43d8d1e3f6f4d77f5717995d8100a65b78e38d5a678c82feaaecb725a9501cc7e74bc

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    131KB

    MD5

    c1d889597ddaeded0537670d00a4ab9f

    SHA1

    d657abfa2084d8b5ae03765cc88133a5980ac204

    SHA256

    fe8a49318d4bf9b8eb541b38219865b9338c31f89ed9b3e28adf338fa6b639dc

    SHA512

    a94b7f4b7ee52c72df031f584f5945a87b04893fe1a4f1741d52312adab3d64169e931184211cea4456cc8b02999c1d394aeabd87ac6987537a6267511362762

    Download Submit
  • C:\Users\Admin\AppData\Local\Tempwinlogon.exe
    Filesize

    131KB

    MD5

    c1d889597ddaeded0537670d00a4ab9f

    SHA1

    d657abfa2084d8b5ae03765cc88133a5980ac204

    SHA256

    fe8a49318d4bf9b8eb541b38219865b9338c31f89ed9b3e28adf338fa6b639dc

    SHA512

    a94b7f4b7ee52c72df031f584f5945a87b04893fe1a4f1741d52312adab3d64169e931184211cea4456cc8b02999c1d394aeabd87ac6987537a6267511362762

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ZezqiNHkoV.js
    Filesize

    24KB

    MD5

    f93528065e94fbb67b95cc8924ae924c

    SHA1

    6daf76f2f60b1ec1e2e21b0845a17878ffabe1dd

    SHA256

    1ac504a0baca468bbca78692aae52089bbd25053676f6915f76ec84a73c9f6ab

    SHA512

    730ec25aa21016d3af7cb3a03e235a7a50bf4a1c54f26d4c683bc14273afa5038684327fa84ce98973bee7ae669cf1f0a1b62e562887834c28bbb402b43b408a

    Download Submit
  • memory/1580-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1580-63-0x0000000076451000-0x0000000076453000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2016-55-0x0000000000000000-mapping.dmp
    Download
  • memory/2020-54-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2044-57-0x0000000000000000-mapping.dmp
    Download