Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/09/2022, 13:40

General

  • Target

    Statement Power Metre SRL.js

  • Size

    117KB

  • MD5

    911a689ab23a99b27ec0a41df25dc1b2

  • SHA1

    f78334182a6c6af188f996c215ea7b48bb4043ea

  • SHA256

    6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b

  • SHA512

    b0ef082316a219063c26aa92f2adb914fd0ec3648531d9fa0d3082ad13762f3cdedec91b85e936ed6da7bebf227de6f63e8bc10949b059961d1db7beb7517a6d

  • SSDEEP

    1536:Exy5MbAav/s5Aj6hQDvY1lnpFjPdTtiS7b2Piz4KBVmNBs3lt66hS5LmFf3:9s/ujSvaJPDjYiXVDloI0I3

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 13 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:2024
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bqdusfmk.txt"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
        C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2008

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe

          Filesize

          7KB

          MD5

          2febb58744b8f59fe8fcdce3bd4f4aa8

          SHA1

          629cf9935873f774f9c3115a59109253ece7cd00

          SHA256

          b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284

          SHA512

          854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

        • C:\Users\Admin\AppData\Roaming\bqdusfmk.txt

          Filesize

          51KB

          MD5

          1d6cb5a374117999329351e6f28268e3

          SHA1

          a08e5a413f3febe7def2dff25717cbfe16b315b5

          SHA256

          cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd

          SHA512

          0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

        • C:\Users\Admin\AppData\Roaming\vZrohjawOK.js

          Filesize

          6KB

          MD5

          aeea41deb4363e0a23003555ffc0ada1

          SHA1

          c1fc845800ef733bfd2886bceba15ed4ec19bbdb

          SHA256

          e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e

          SHA512

          bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

        • memory/580-71-0x00000000022B0000-0x00000000052B0000-memory.dmp

          Filesize

          48.0MB

        • memory/580-74-0x00000000005D0000-0x00000000005DA000-memory.dmp

          Filesize

          40KB

        • memory/580-80-0x00000000022B0000-0x00000000052B0000-memory.dmp

          Filesize

          48.0MB

        • memory/1700-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

          Filesize

          8KB

        • memory/2008-78-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

          Filesize

          32KB

        • memory/2008-79-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

          Filesize

          8KB