Analysis Overview
SHA256
036046d5ad198798908412fb75cb37ddc9dba5bbf7397b397a7d75ab3e7f7956
Threat Level: Known bad
The file cLAskPOVmATadexax2223.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-23 01:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-23 01:56
Reported
2022-08-23 01:58
Platform
win7-20220812-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1692 wrote to memory of 1864 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1692 wrote to memory of 1864 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1692 wrote to memory of 1864 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"
Network
| Country | Destination | Domain | Proto |
| NL | 185.157.162.75:2223 | 185.157.162.75 | tcp |
Files
memory/1692-54-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp
memory/1864-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\tekCJjaePX.js
| MD5 | 03e3c601fbb227e986a13bd98d98493a |
| SHA1 | fe2f78aa29c17ad88506ce667b493bc507fe1884 |
| SHA256 | 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0 |
| SHA512 | 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-23 01:56
Reported
2022-08-23 01:58
Platform
win10v2004-20220812-en
Max time kernel
137s
Max time network
142s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3176 wrote to memory of 4088 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3176 wrote to memory of 4088 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| NL | 185.157.162.75:2223 | 185.157.162.75 | tcp |
| IE | 13.69.239.73:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
memory/4088-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\tekCJjaePX.js
| MD5 | 03e3c601fbb227e986a13bd98d98493a |
| SHA1 | fe2f78aa29c17ad88506ce667b493bc507fe1884 |
| SHA256 | 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0 |
| SHA512 | 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870 |