Analysis

  • max time kernel
    128s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2022, 11:16

General

  • Target

    DP1010.js

  • Size

    462KB

  • MD5

    fbed7e5f3d4312ba715856597ca55060

  • SHA1

    8b047a323041693ad29f3eb3c56653c2d6630356

  • SHA256

    319372731b242e6a2e7b2e159c2272c34dba4f9af69691d7b887df75353f3823

  • SHA512

    a9ab7cdd172639eea6076aafe3801f25f67e78a0072b6b5083c9573a030e03a625dc01600a2039fb27486720ff23969368f46b4104288ad3fd32fac149eda750

  • SSDEEP

    6144:kJU4h6FzMe3n2xL/l5EMmPfkScu+zbDbMINH8erNLnDQHQOiHWHtTXjRhcHybCh2:kJUAyobEMmPfkScu80ibhJy+HhLjGrV

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm (Vengeance Justice Worm) is a remote access trojan written in JavaScript (JScript) and executed through the Windows Script Host (wscript.exe). It can spread to removable drives, and in this run it persisted by dropping a copy of its script under AppData\Roaming and adding a startup entry.

  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this heuristic is "likely ransomware behaviour"; for a Vjw0rm sample, drive enumeration is better read as the worm looking for removable media to copy itself to, not as encryption activity.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:980
    • C:\Users\Admin\AppData\Local\Temp\fireblende.exe
      "C:\Users\Admin\AppData\Local\Temp\fireblende.exe"
      2⤵
      • Executes dropped EXE
      PID:1220
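
The process tree above is the most reusable part of this report: a script host run from %TEMP%, a second wscript.exe launched in batch mode (//B suppresses script errors and prompts) against a script dropped in AppData\Roaming, and an EXE executed from %TEMP% with wscript.exe as its parent. The Python below is an added example, not part of the sandbox report or the vendor's tooling, that turns that chain into detection logic and checks the report's SHA256 values against the executed image. The events are constructed to mirror the tree; field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, Hashes), the parent of PID 948 is an assumption because the report does not show it, and the benign SYSVOL logon-script event is invented as a control.

```python
"""Detection logic for the wscript.exe -> dropped .js -> dropped .exe chain seen in the
DP1010.js (Vjw0rm) run. Added example: SAMPLE_EVENTS are constructed from the sandbox
process tree; field names (Image, CommandLine, ParentImage, Hashes) follow Sysmon
Event ID 1, where Hashes describes the executed Image, not any script argument."""
import re

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "319372731b242e6a2e7b2e159c2272c34dba4f9af69691d7b887df75353f3823": "DP1010.js (Vjw0rm dropper)",
    "ce31a6b170ccb2670e50cc95c292923cde1aff9ea1bbf6d64c9f2d6338991899": "iNFyCMUHlt.js (dropped script)",
    "19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358": "fireblende.exe (dropped EXE)",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)$", re.I)
# Paths a non-admin user can write to; legitimate logon scripts rarely live here.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline):
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _sha256(hashes_field):
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field or "")
    return m.group(1).lower() if m else None


def classify(ev):
    """Return the detection names triggered by one process-creation event (empty if benign)."""
    hits = []
    image, parent = _basename(ev["Image"]), _basename(ev.get("ParentImage", ""))
    args = _args(ev["CommandLine"])[1:]          # drop argv[0]
    if image in SCRIPT_HOSTS:
        scripts = [a for a in args if SCRIPT_EXT.search(a)]
        if scripts and USER_WRITABLE.search(scripts[0]):
            hits.append("script_host_runs_script_from_user_writable_path")
        if any(a.lower() == "//b" for a in args):   # //B = batch mode: suppresses errors and prompts
            hits.append("script_host_batch_mode")
        if parent in SCRIPT_HOSTS:
            hits.append("script_host_spawned_by_script_host")
    elif parent in SCRIPT_HOSTS and image.endswith(".exe") and USER_WRITABLE.search(ev["Image"]):
        hits.append("script_host_spawns_exe_from_user_writable_path")
    sha = _sha256(ev.get("Hashes"))
    if sha in KNOWN_SHA256:
        hits.append("known_hash:" + KNOWN_SHA256[sha])
    return hits


def suspicious_chain(events):
    """True when the event set contains both halves of the chain in the report:
    a script host re-launching a script host, and a script host starting a dropped EXE."""
    names = {h for ev in events for h in classify(ev)}
    return {"script_host_spawned_by_script_host",
            "script_host_spawns_exe_from_user_writable_path"} <= names


# Constructed events mirroring the sandbox process tree. The ParentImage of PID 948 is
# not shown in the report and is assumed here; Hashes is given only where the report
# supplies one for the executed image (fireblende.exe).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"',
     "ParentImage": r"C:\Windows\system32\wscript.exe"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\fireblende.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\fireblende.exe"',
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "Hashes": "SHA256=19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358"},
    # Benign control: a domain logon script run from SYSVOL by userinit.exe (constructed).
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe \\corp.example\SYSVOL\corp.example\scripts\logon.vbs",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, _basename(ev["Image"]), classify(ev))
    print("chain:", suspicious_chain(SAMPLE_EVENTS))
```

The hash match only fires on the EXE because process-creation telemetry hashes the image that ran, not the script passed as an argument; to catch DP1010.js or iNFyCMUHlt.js by hash you would hash the dropped files themselves (for example from file-create telemetry or a disk sweep). The behavioural rules do not depend on the hashes at all, which is the point: a repacked Vjw0rm with fresh hashes still produces the same wscript.exe chain.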

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fireblende.exe

    Filesize

    252KB

    MD5

    f5eeb7b7ec72a813286f53d736c9f78a

    SHA1

    ce5cf9aef07eeb0f8dfaec7bb708540572a0d7e9

    SHA256

    19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358

    SHA512

    4528a0dbe9f9a2068086d7a2193fd10c81774f6e30c857fb60cb284387613aa5350845a81b74d5b9e37c1d9cd4058fe2b73b451efbfdc452f97d757ff16d14e9

  • C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js

    Filesize

    5KB

    MD5

    8a0de3cb189e9f7611b73438796e43ba

    SHA1

    73684c9be5b1992510c4e0a8d3b70137a2efd207

    SHA256

    ce31a6b170ccb2670e50cc95c292923cde1aff9ea1bbf6d64c9f2d6338991899

    SHA512

    8c92d8cc47f356b48020bbbfe17dafc9e9420f08b3bfa43b53ef7d3afc129282bc5248db5115202ff58c424c5c5c417271382d5e33ab305d5d550f4165346ac2

  • memory/948-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

    Filesize

    8KB