Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2022, 02:00

General

  • Target

    TRANSFERENCIA $112987.17.js

  • Size

    50KB

  • MD5

    fec5ad2c4cd364f6780813e4170d43d5

  • SHA1

    b7ce2fb648f9cbf7fd69a16f083599bfe5511d53

  • SHA256

    5dfaea003a9b484fad723fc13f79303169e4c8f2f414a4ee0ef187f7ebd0aac9

  • SHA512

    bfa44ffc12478a1bb12266e8a00ff912def28f321a1eaa400c0cec730f2aacfb97e78822b33f5ad436421e1aa8e170c0da3da01ad646a59f466b0cd04dae4838

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 29 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA $112987.17.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jQCWVHjWAA.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4924

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js

          Filesize

          6KB

          MD5

          a542a21ecaba36f6ba8c6457b8ab67f9

          SHA1

          3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c

          SHA256

          bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b

          SHA512

          78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

        • C:\Users\Admin\AppData\Roaming\jQCWVHjWAA.js

          Filesize

          26KB

          MD5

          1f7855c87513cf8d9f4b5319445865cf

          SHA1

          a73d48e0da18067c2e943da97c45acb679e18139

          SHA256

          b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579

          SHA512

          41eb3f05e08fa6b878b1a8ffa90cba44756be53ea09d00c63425ba176f1bef31dc677caea99acfb2e6298403efaae1af4e71ea5a7fe29158a9c0510bfee022a9