Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/09/2022, 09:01

General

  • Target

    PROFORMA INVOICE COPY WA09272.js

  • Size

    12KB

  • MD5

    b1f70d48db73570f4ccc1c3f8565f2d6

  • SHA1

    65ae40fdc9d4f7ea360ad11cea0ed5293b9bd21b

  • SHA256

    3a16f4af6cfdbb6dcb6f70d1a2f5297a69fa2154397b8d30cee7c701950a817c

  • SHA512

    2e0d902fcc620a287229156f6913c343cec473c2096a8185b0137c5811511c13ebb0b000f55134ba2fcd4dd9dcd97eaa30ff580a28c5c9a7a313054a0bce95b1

  • SSDEEP

    384:U9nTaRzxzbXaLhVtBmgOzqWdZr1sXvGJNHG:sUXoyLR1sXvGLHG

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 17 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE COPY WA09272.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dhQWBviQOI.js"
      2⤵
        PID:3928

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\dhQWBviQOI.js

    Filesize

    2KB

    MD5

    fd184d31c7f2558d05dccf36c900622a

    SHA1

    faf3169e2352555e7bf2503531fc9e61552383db

    SHA256

    145d40636321f7ebf1abd9ac5daec213322ca1f5fbf8f884928c2a8bebd6f22b

    SHA512

    8f6e66cb854d09c226c615eb3ca6339ef0f6cda97ee3072321f308c85420f2b82193c2d6e44d78e9665e956d0212ba122aea7f0fd4e7f86e4051fd257056ab77