Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/09/2022, 13:40

General

  • Target
    Statement Power Metre SRL.js
  • Size
    117KB
  • MD5
    911a689ab23a99b27ec0a41df25dc1b2
  • SHA1
    f78334182a6c6af188f996c215ea7b48bb4043ea
  • SHA256
    6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
  • SHA512
    b0ef082316a219063c26aa92f2adb914fd0ec3648531d9fa0d3082ad13762f3cdedec91b85e936ed6da7bebf227de6f63e8bc10949b059961d1db7beb7517a6d
  • SSDEEP
    1536:Exy5MbAav/s5Aj6hQDvY1lnpFjPdTtiS7b2Piz4KBVmNBs3lt66hS5LmFf3:9s/ujSvaJPDjYiXVDloI0I3

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (16 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:5024
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qtkykjur.txt"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
        C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:860

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
          Filesize: 7KB
          MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
          SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
          SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
          SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

        • C:\Users\Admin\AppData\Roaming\qtkykjur.txt
          Filesize: 51KB
          MD5: 1d6cb5a374117999329351e6f28268e3
          SHA1: a08e5a413f3febe7def2dff25717cbfe16b315b5
          SHA256: cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
          SHA512: 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

        • C:\Users\Admin\AppData\Roaming\vZrohjawOK.js
          Filesize: 6KB
          MD5: aeea41deb4363e0a23003555ffc0ada1
          SHA1: c1fc845800ef733bfd2886bceba15ed4ec19bbdb
          SHA256: e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
          SHA512: bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

        • memory/860-154-0x0000000000FD0000-0x0000000000FD8000-memory.dmp
          Filesize: 32KB
        • memory/4604-138-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB
        • memory/4604-151-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB
        • memory/4604-153-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB
        • memory/4604-155-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB
        • memory/4604-156-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB
        • memory/4604-157-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB
        • memory/4604-159-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB
        • memory/4604-160-0x0000000003230000-0x0000000004230000-memory.dmp
          Filesize: 16.0MB