Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 08:41

General

  • Target

    transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js

  • Size

    113KB

  • MD5

    a3f0fc528a20dbcacfb69e1b69907a4b

  • SHA1

    400c75cffd7342908c1282b862d3df10d5a95e65

  • SHA256

    508b21cb602b5a3e9e19eb6ba9e010fb0d4a743d18e4a869063f72e2454324f7

  • SHA512

    6c750e6f3c53d4bdc1e7c1602c46692ef04143434a76e66ab373a7091c9ddf1816c67dd39106c5db27212eb6a905858677f24ae479f29d6ad1a2ded836b022ae

  • SSDEEP

    1536:W7KmfMkwheMurpzqwPUSvf0cCF11blV6DmEJMAB/iJuoG2446rTCRLTiR6RccQ:o2Mrqe7C/0vB2uo96/U/XPQ

Score
10/10

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1164
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bzjupikerj.txt"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:4660

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js

    Filesize

    5KB

    MD5

    7d8cc50c80e29db13ca0032d3e00a56d

    SHA1

    d8d138717093b67b4d6205234c82a6fe4f801429

    SHA256

    0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b

    SHA512

    b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c

  • C:\Users\Admin\AppData\Roaming\bzjupikerj.txt

    Filesize

    51KB

    MD5

    c1783ea3118978252aa6c8891d0ea61c

    SHA1

    9986142768fd83fb445f8ac6dfd196aba3fb3139

    SHA256

    23b78abed63ac1a61a43873aa4bc168f30a4bef0e1fa9132a89f479c02805855

    SHA512

    6a22b6683589c981eaa8d1aad2bfaffc06789ec9671b3a6ec6b7279f4fcbaf6d2c1b1bf8ed3ffb047a86e711294d66b532d313805b4973566afd27b2fc182006

  • memory/4660-143-0x0000000002BE0000-0x0000000003BE0000-memory.dmp

    Filesize

    16.0MB

  • memory/4660-150-0x0000000002BE0000-0x0000000003BE0000-memory.dmp

    Filesize

    16.0MB

  • memory/4660-151-0x0000000002BE0000-0x0000000003BE0000-memory.dmp

    Filesize

    16.0MB