Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/09/2022, 18:29

General

  • Target

    Purchase Order____________pdf.js

  • Size

    117KB

  • MD5

    130fe2e5e4dfbd03e161a332ce14cebe

  • SHA1

    89a0f599416dd6f9b75058e32ac542edbc7ff108

  • SHA256

    a1aa91a1ae489d8be807999d3b7a8bc8b10794063d763d06667384ae6152e720

  • SHA512

    4366e5e84e77b850389bedd9c57787f07289471cd8e7c31ea8ffd6b48fb2f41664838ff87276370933d6a6ba8a74b1135d99068958516be7f8821b672e3ee818

  • SSDEEP

    1536:NG347n0iT37jLbtB+3NABd7+2rCSmKO+e5JZTDRc+cMw4xl5hY6/QO7STboOhGrW:yiT3fj+38XeTP5Wuj/97m0INcw

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order____________pdf.js"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nbrkkMGeYq.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:3588
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hytjxfaw.txt"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:392

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Roaming\hytjxfaw.txt

          Filesize

          51KB

          MD5

          df91a24b4385f63e96878f62cc9257a0

          SHA1

          e91ccdbb6122256b89b652ab65dc2d3411f442c4

          SHA256

          11a49b8ff72f776e7565eba69e17ae09bee0aa51dd7c66ae6874bed08f2f6e08

          SHA512

          179b4886ccbb6ecbbb9fa54c2516709d44cb5f1a710369321b615c22ecc4a7b4101119063654060243a742b4a5605d5dce994d10076802cd3089399eaf44b090

        • C:\Users\Admin\AppData\Roaming\nbrkkMGeYq.js

          Filesize

          6KB

          MD5

          a9238779333b1aea96970177b647723b

          SHA1

          8f5ee4d7b77ff3b00473ed0acbf33fe7c72f3b76

          SHA256

          9575923c7e3fe773ed3a5a0e9527d14d7e0ac80f57ea817cd079b392191e81b3

          SHA512

          825127d06be4413db342e968b24d73c2bd552eca3a3a87489b0f4bc53d02ccfa0bf0a9fff42b2d87295ac629e598eec7d47dfb618daedad877710bd8719b4674

        • memory/392-149-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-140-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-148-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-150-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-151-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-153-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-154-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-156-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB

        • memory/392-157-0x0000000002FD0000-0x0000000003FD0000-memory.dmp

          Filesize

          16.0MB