Analysis Overview
SHA256
6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
Threat Level: Known bad
The file Statement Power Metre SRL.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Drops startup file
Checks computer location settings
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2022-09-23 13:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-23 13:40
Reported
2022-09-23 13:42
Platform
win7-20220901-en
Max time kernel
142s
Max time network
153s
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
(13 identical events)
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bqdusfmk.txt"
C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp | 1 |
| NO | 194.5.98.175:5432 | javaautorun.duia.ro | tcp | 13 |
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp | 1 |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp | 1 |
| NL | 109.248.150.185:80 | 109.248.150.185 | tcp | 2 |
Files
memory/1700-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp
memory/2024-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\vZrohjawOK.js
| MD5 | aeea41deb4363e0a23003555ffc0ada1 |
| SHA1 | c1fc845800ef733bfd2886bceba15ed4ec19bbdb |
| SHA256 | e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e |
| SHA512 | bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823 |
memory/580-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\bqdusfmk.txt
| MD5 | 1d6cb5a374117999329351e6f28268e3 |
| SHA1 | a08e5a413f3febe7def2dff25717cbfe16b315b5 |
| SHA256 | cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd |
| SHA512 | 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51 |
memory/580-71-0x00000000022B0000-0x00000000052B0000-memory.dmp
memory/580-74-0x00000000005D0000-0x00000000005DA000-memory.dmp
memory/2008-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dl-8145328203593744586375516193.exe
| MD5 | 2febb58744b8f59fe8fcdce3bd4f4aa8 |
| SHA1 | 629cf9935873f774f9c3115a59109253ece7cd00 |
| SHA256 | b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284 |
| SHA512 | 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619 |
memory/2008-78-0x0000000000DA0000-0x0000000000DA8000-memory.dmp
memory/2008-79-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
memory/580-80-0x00000000022B0000-0x00000000052B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-23 13:40
Reported
2022-09-23 13:42
Platform
win10v2004-20220812-en
Max time kernel
144s
Max time network
153s
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
(16 identical events)
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4972 wrote to memory of 5024 (2 events) | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 4972 wrote to memory of 4604 (2 events) | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 4604 wrote to memory of 860 (3 events) | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qtkykjur.txt"
C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
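The process tree above (both detonations show the same chain: wscript.exe running the lure .js, a second wscript.exe on the copy in Roaming, javaw.exe launched with -jar on a .txt file in Roaming, and a dropped .exe started from Temp, with a .js written to the per-user Startup folder for persistence) is the part of this report that converts most directly into detection logic. The following is an added example, not code from the sandbox or from the report: it runs three process-chain rules and one file-path rule over constructed process-creation events that mirror the behavioral2 tree (PIDs taken from the WriteProcessMemory table; PID 1234 and the pid/ppid/image/cmdline field names are assumptions, not a particular vendor's schema).

```python
"""Detection rules for the wscript -> javaw -jar <non-.jar> -> dropped .exe chain
and the Startup-folder script drop recorded in this report. Added example; the
events below are constructed to mirror the report's behavioral2 process tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events. PID 1234 stands in for the parent
# (e.g. explorer.exe) that the report does not list.
SAMPLE_EVENTS = [
    ProcEvent(4972, 1234, r"C:\Windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"'),
    ProcEvent(5024, 4972, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"'),
    ProcEvent(4604, 4972, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qtkykjur.txt"'),
    ProcEvent(860, 4604, r"C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe",
              r"C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe"),
    # Benign noise: a real .jar from Program Files, launched by a non-script parent.
    ProcEvent(700, 1234, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\Some App\app.jar"'),
]

USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# Handles both quoted (with spaces) and unquoted -jar arguments.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)
STARTUP_SCRIPT = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:js|jse|vbs|vbe|wsf|hta)$", re.I)
WSH = ("wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (rule, pid) for every event that matches one of the three chain rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        name = basename(e.image)
        # Rule 1: Windows Script Host running a script out of Temp or Roaming.
        if name in WSH and USER_WRITABLE.search(e.cmdline) \
                and e.cmdline.lower().rstrip('"').endswith((".js", ".jse", ".vbs", ".vbe", ".wsf")):
            findings.append(("wsh_script_from_user_path", e.pid))
        # Rule 2: WSH spawning javaw -jar on a file whose extension hides that it is a jar.
        if name == "javaw.exe" and parent_name in WSH:
            m = JAR_ARG.search(e.cmdline)
            jar = (m.group(1) or m.group(2)) if m else ""
            if jar and not jar.lower().endswith(".jar"):
                findings.append(("javaw_jar_with_disguised_extension", e.pid))
        # Rule 3: the Java runtime launching an .exe from a user-writable path.
        if parent_name == "javaw.exe" and USER_WRITABLE.search(e.image) and name.endswith(".exe"):
            findings.append(("javaw_spawns_dropped_exe", e.pid))
    return findings


def is_startup_script_drop(path: str) -> bool:
    """File-create check for the persistence artefact: a script in the per-user Startup folder."""
    return bool(STARTUP_SCRIPT.search(path))


if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    print(is_startup_script_drop(
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js"))
```

Rule 2 is the one with the best signal-to-noise here: legitimate software rarely asks javaw.exe to run a jar renamed to .txt, and a wscript.exe parent makes it rarer still. Rule 1 fires twice on this sample (the lure in Temp and the persistence copy in Roaming), which is what you want for triage but will need tuning in environments that run logon scripts from user profiles.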
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp | 1 |
| NO | 194.5.98.175:5432 | javaautorun.duia.ro | tcp | 16 |
| NL | 104.80.225.205:443 | | tcp | 1 |
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp | 1 |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp | 1 |
| NL | 109.248.150.185:80 | 109.248.150.185 | tcp | 2 |
| US | 209.197.3.8:80 | | tcp | 2 |
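The Network tables of both detonations repeat the same few destinations many times, mix resolver lookups with C2 traffic, and include two destinations with no hostname at all. Before these rows are pushed into a blocklist they need collapsing and classifying: the dynamic-DNS names (duckdns.org, duia.ro) and the beaconing to 194.5.98.175 on the non-standard port 5432 are the high-confidence indicators, the HTTP fetch straight to 109.248.150.185 is the likely payload download, and the rows with an empty Domain column may be OS or Java background traffic and should be vetted rather than blocked blindly. The following is an added example, not code from the report: it parses a copy of the distinct behavioral2 rows (with a few of the repeated 194.5.98.175 rows kept to show the collapsing), builds a deduplicated IOC set, and matches it against constructed firewall log lines whose key=value layout is an assumption, not a particular product's format.

```python
"""Collapse the report's Network table into a deduplicated, classified IOC set
and check firewall log lines against it. Added example; NETWORK_TABLE copies
rows from the report, SAMPLE_FW_LOG is constructed."""
import re
from collections import Counter

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NO | 194.5.98.175:5432 | javaautorun.duia.ro | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp |
| NL | 109.248.150.185:80 | 109.248.150.185 | tcp |
| US | 209.197.3.8:80 | | tcp |
| NO | 194.5.98.175:5432 | javaautorun.duia.ro | tcp |
| NO | 194.5.98.175:5432 | javaautorun.duia.ro | tcp |
"""

# Dynamic-DNS providers used by this sample; illustrative list, extend as needed.
DYNDNS_SUFFIXES = ("duckdns.org", "duia.ro")
# The sandbox's resolver: its rows are lookups, not C2 connections.
RESOLVERS = {"8.8.8.8"}


def parse_table(text):
    """Parse the report's pipe-delimited rows into dicts (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_dyndns(domain):
    # Match on a label boundary so "xduia.ro" does not count.
    return any(domain == s or domain.endswith("." + s) for s in DYNDNS_SUFFIXES)


def build_iocs(rows):
    """Collapse repeated rows, drop resolver lookups, and classify each destination."""
    hits = Counter((r["ip"], r["port"], r["proto"], r["domain"])
                   for r in rows if r["ip"] not in RESOLVERS)
    iocs = []
    for (ip, port, proto, domain), n in sorted(hits.items()):
        iocs.append({
            "ip": ip, "port": port, "proto": proto, "domain": domain, "count": n,
            "dyndns": is_dyndns(domain),
            # HTTP straight to an IP literal with no hostname: typical payload fetch.
            "direct_ip": domain == ip,
            # No hostname recorded: may be OS/Java background traffic; vet before blocking.
            "needs_vetting": domain == "",
        })
    return iocs


LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+) dport=(?P<port>\d+) proto=(?P<proto>\w+)")
SAMPLE_FW_LOG = [  # constructed log lines
    "2022-09-23T13:41:07Z src=10.0.0.5 dst=194.5.98.175 dport=5432 proto=tcp action=allow",
    "2022-09-23T13:41:09Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2022-09-23T13:41:12Z src=10.0.0.7 dst=109.248.150.138 dport=3269 proto=tcp action=allow",
]


def match_firewall_log(iocs, lines):
    """Return (timestamp, ip, port, domain) for lines hitting a high-confidence IOC."""
    index = {(i["ip"], i["port"], i["proto"]): i for i in iocs if not i["needs_vetting"]}
    matched = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["ip"], int(m["port"]), m["proto"])
        if key in index:
            matched.append((line.split()[0], m["ip"], int(m["port"]), index[key]["domain"]))
    return matched


if __name__ == "__main__":
    iocs = build_iocs(parse_table(NETWORK_TABLE))
    for ioc in iocs:
        print(ioc)
    for hit in match_firewall_log(iocs, SAMPLE_FW_LOG):
        print("HIT", hit)
```

Matching is on the (ip, port, proto) triple, so a hit on 194.5.98.175:5432 is unambiguous C2; if you also want to catch the same host on another port, add an IP-only pass, but keep the vetted-out destinations excluded from both.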
Files
memory/5024-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\vZrohjawOK.js
| MD5 | aeea41deb4363e0a23003555ffc0ada1 |
| SHA1 | c1fc845800ef733bfd2886bceba15ed4ec19bbdb |
| SHA256 | e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e |
| SHA512 | bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823 |
memory/4604-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\qtkykjur.txt
| MD5 | 1d6cb5a374117999329351e6f28268e3 |
| SHA1 | a08e5a413f3febe7def2dff25717cbfe16b315b5 |
| SHA256 | cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd |
| SHA512 | 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51 |
memory/4604-138-0x0000000003230000-0x0000000004230000-memory.dmp
memory/860-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
| MD5 | 2febb58744b8f59fe8fcdce3bd4f4aa8 |
| SHA1 | 629cf9935873f774f9c3115a59109253ece7cd00 |
| SHA256 | b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284 |
| SHA512 | 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619 |
memory/4604-151-0x0000000003230000-0x0000000004230000-memory.dmp
memory/4604-153-0x0000000003230000-0x0000000004230000-memory.dmp
memory/860-154-0x0000000000FD0000-0x0000000000FD8000-memory.dmp
memory/4604-155-0x0000000003230000-0x0000000004230000-memory.dmp
memory/4604-156-0x0000000003230000-0x0000000004230000-memory.dmp
memory/4604-157-0x0000000003230000-0x0000000004230000-memory.dmp
memory/4604-159-0x0000000003230000-0x0000000004230000-memory.dmp
memory/4604-160-0x0000000003230000-0x0000000004230000-memory.dmp