Overview

overview

10

Static

static

Details.pdf.js

windows7_x64

10

Details.pdf.js

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-06-2022 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Details.pdf.js

  • Size

    562KB

  • MD5

    cb59237d6204d65a220eac88ad0af4e5

  • SHA1

    64304835929c67739b2aba280dcd0f9761925440

  • SHA256

    880764b02a05b427918594f017fa9c1fa3e9e8255506d542c302eb93380b0be8

  • SHA512

    ccd966e2c4e9715d0e46fe4e3c9f331c591757ffe184deaec93797271a77c12d86ad5e00d1b90fc4aa829a38016e3b38344bc711556c8026a0397f9d66bcea9a

Score
10/10
vjw0rmwarzoneratinfostealerpersistencerattrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 4 IoCs
    rat
  • Blocklisted process makes network request 17 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Details.pdf.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\duRKcJnxZP.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:5048
    • C:\Users\Admin\AppData\Roaming\Anew.exe
      "C:\Users\Admin\AppData\Roaming\Anew.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4228
      • C:\Users\Admin\Documents\images.exe
        "C:\Users\Admin\Documents\images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath C:\
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:224
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          4⤵
            PID:4780

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      b07cba4e3adc3da35da678a89a8966fe

      SHA1

      9b3002202018aca6079f72cece82e9c91dc50d7b

      SHA256

      90088fd879456cee47d4e9f9c59cf53f1883344be062d52e09c41d0b4cef80e3

      SHA512

      e220ccf89692f43d6c09da7aebe88343e45ddd62d9f8848642b9944e029229bb95f848078bd127fb8bb068f0c5a379f18bd05671714c342be9477875a1ff982b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Anew.exe
      Filesize

      131KB

      MD5

      db85d99c2bd8a7d6b1a6e4fdda9dedc7

      SHA1

      02561516bf81162120b3d1a741e232cf6962173b

      SHA256

      898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

      SHA512

      ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Anew.exe
      Filesize

      131KB

      MD5

      db85d99c2bd8a7d6b1a6e4fdda9dedc7

      SHA1

      02561516bf81162120b3d1a741e232cf6962173b

      SHA256

      898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

      SHA512

      ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

      Download Submit
    • C:\Users\Admin\AppData\Roaming\duRKcJnxZP.js
      Filesize

      117KB

      MD5

      2ceda72d46215115db2fd420d1b2b572

      SHA1

      aa5df32f61fef685e1ba28715c68a60f54b27de7

      SHA256

      1a01f5780fe39194f89c220a0e899f028478c9312977d176b3c9e2db544b6e96

      SHA512

      924e847d376e2c33dfe7e14ab7120a63264396c2cd293a7c20b4df864fb3a170c7fe7abc42bfecce89cb1ce0c42709a91ec0cf76ddf8707088a6c1278544f055

      Download Submit
    • C:\Users\Admin\Documents\images.exe
      Filesize

      131KB

      MD5

      db85d99c2bd8a7d6b1a6e4fdda9dedc7

      SHA1

      02561516bf81162120b3d1a741e232cf6962173b

      SHA256

      898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

      SHA512

      ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

      Download Submit
    • C:\Users\Admin\Documents\images.exe
      Filesize

      131KB

      MD5

      db85d99c2bd8a7d6b1a6e4fdda9dedc7

      SHA1

      02561516bf81162120b3d1a741e232cf6962173b

      SHA256

      898f47d683968d318db92b19c683452a39e1ccdfd9a0e07a516e6354220d67b1

      SHA512

      ee957f8c344f2efd1d64551ea366bb357cbeb91e5f9c1a154f297e861cd8cefae892813b7c222d04fbd7c9b5ce357b1e3bff54663465c2b5fefad0ecf04c46bf

      Download Submit
    • memory/224-154-0x000000006FC10000-0x000000006FC5C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/224-145-0x0000000000000000-mapping.dmp
      Download
    • memory/3596-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4228-137-0x0000000005560000-0x0000000005B88000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4228-151-0x0000000007610000-0x000000000761A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4228-140-0x0000000005C70000-0x0000000005CD6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4228-139-0x0000000005C00000-0x0000000005C66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4228-138-0x00000000053D0000-0x00000000053F2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4228-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4228-146-0x0000000007240000-0x0000000007272000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4228-147-0x000000006FC10000-0x000000006FC5C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4228-148-0x0000000006840000-0x000000000685E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4228-149-0x0000000007BE0000-0x000000000825A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4228-150-0x0000000007590000-0x00000000075AA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4228-141-0x0000000006280000-0x000000000629E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4228-152-0x0000000007810000-0x00000000078A6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4228-153-0x00000000077C0000-0x00000000077CE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4228-136-0x0000000002950000-0x0000000002986000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4228-155-0x00000000078D0000-0x00000000078EA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4228-156-0x00000000078B0000-0x00000000078B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4568-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4780-157-0x0000000000000000-mapping.dmp
      Download
    • memory/4780-160-0x00000000008D0000-0x00000000008D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5048-130-0x0000000000000000-mapping.dmp
      Download