Analysis Overview
SHA256
d90554b8cf36add67ceaaedfdcab5507eca5951197aed9b2a851485736640779
Threat Level: Known bad
The file Purchase Invoice.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-24 15:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-24 15:53
Reported
2022-08-24 15:55
Platform
win7-20220812-en
Max time kernel
132s
Max time network
137s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 1936 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1972 wrote to memory of 1936 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1972 wrote to memory of 1936 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 80.76.51.117:3609 | harold.jetos.com | tcp |
Files
memory/1972-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp
memory/1936-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js
| MD5 | 1214283010a75e6bf30c48c99722ee00 |
| SHA1 | baf927af2f820cf90a38bb0093097a18c7430fc6 |
| SHA256 | a87f39cd2f3017d5ab87295a437448f840c972e8a92363008ce342ccd9a7c8df |
| SHA512 | ec8be42a8fb7ec0ea971fe266f6c7f8121e2c105df6b4ecb329c67960f3d1b638c49d5381cde81badd25e82dd76f33c08253e50f47bc822e808d47f20f9f1156 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-24 15:53
Reported
2022-08-24 15:56
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
169s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchase Invoice.js | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 2184 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2320 wrote to memory of 2184 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Invoice.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | harold.jetos.com | udp |
| NL | 80.76.51.117:3609 | harold.jetos.com | tcp |
| DE | 20.52.64.200:443 | tcp | |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
Files
memory/2184-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\UWdKpbrkDF.js
| MD5 | 1214283010a75e6bf30c48c99722ee00 |
| SHA1 | baf927af2f820cf90a38bb0093097a18c7430fc6 |
| SHA256 | a87f39cd2f3017d5ab87295a437448f840c972e8a92363008ce342ccd9a7c8df |
| SHA512 | ec8be42a8fb7ec0ea971fe266f6c7f8121e2c105df6b4ecb329c67960f3d1b638c49d5381cde81badd25e82dd76f33c08253e50f47bc822e808d47f20f9f1156 |