Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-06-2022 10:04

General

  • Target

    PO_0018251-26931.js

  • Size

    360KB

  • MD5

    14d7b7944fe3f3f6d379ef011b7abcd3

  • SHA1

    20d00db55f778ae7db48881f022b59f17ad3644e

  • SHA256

    24f26aded3fc1498cfa25636b0f53feab05bf646c8288782d7ff6d10799822b2

  • SHA512

    8f970656c4a6d8fc9fd9078e46d9da84a0cd888e8acb3a0a1f8efcfd5f181405da87548eda6d18c422349ac807d451b6a4e1925e6be72a98941543afb6465266

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\PO_0018251-26931.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RXUccpYQwK.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1848
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
          PID:3612

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bin.exe
      Filesize

      174KB

      MD5

      3ae87cd93196b3f86a2e1cfa3e6c9133

      SHA1

      64b444869181c8893d695072239bc48681ea10cd

      SHA256

      0a1b761095e129d76033c7bde535ca8f0517b4ddaaeda3981b5d8f998f8cf407

      SHA512

      1e1490502069ff5328939cc30a8e1aa74089e9cf918a27c0ce831c877035fe578811fcb970859c88437724c65383e86f055eedad4c14e3699d4270d280b865e8

    • C:\Users\Admin\AppData\Roaming\RXUccpYQwK.js
      Filesize

      17KB

      MD5

      36ec5141b619fc59bebb52b2219a9bee

      SHA1

      f2418e89a5d8ce28ad3c73c0da1c8287948508a1

      SHA256

      beead3a67b89212d96e4c5a13bfbcd0414f3e0e849cac6b613e7b952361cea40

      SHA512

      253eb6c4e93870d32941532eee5b77f6887dd76b451d228674fe1c589b87943935d5a21198426d94d26e96ebe59249b0b48e32acfb81710bcd26265ca0a3a85d

    • memory/1848-130-0x0000000000000000-mapping.dmp
    • memory/2112-136-0x00000000010F0000-0x0000000001101000-memory.dmp
      Filesize

      68KB

    • memory/2112-135-0x0000000001150000-0x000000000149A000-memory.dmp
      Filesize

      3.3MB

    • memory/2112-132-0x0000000000000000-mapping.dmp
    • memory/3116-137-0x00000000028C0000-0x0000000002A4E000-memory.dmp
      Filesize

      1.6MB

    • memory/3612-139-0x0000000000000000-mapping.dmp
    • memory/4888-138-0x0000000000000000-mapping.dmp
    • memory/4888-141-0x0000000000170000-0x000000000019C000-memory.dmp
      Filesize

      176KB

    • memory/4888-140-0x0000000000E20000-0x0000000000E36000-memory.dmp
      Filesize

      88KB

    • memory/4888-142-0x0000000002400000-0x000000000274A000-memory.dmp
      Filesize

      3.3MB