Analysis Overview
SHA256
22125214857ca13a8cb91e5c920d2018db792d57356537234487ad47e66ae0e0
Threat Level: Known bad
The file Payment Swift-MT103101122.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-11 10:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-11 10:06
Reported
2022-10-11 10:09
Platform
win7-20220901-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1324 wrote to memory of 668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1324 wrote to memory of 668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1324 wrote to memory of 668 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FeyQENosfv.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| NL | 185.216.71.62:52054 | 185.216.71.62 | tcp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
Files
memory/1324-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp
memory/668-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\FeyQENosfv.js
| MD5 | f008c6822efc36d36773c28c6648531a |
| SHA1 | e2346b75ee7d0ab6106a519f652d1b55f3fd2a28 |
| SHA256 | 2f5f6b4f2a873a414a1541572c41ff23339fd055b46e0edffcf4adf42985ec7e |
| SHA512 | cd4464839b668ce3218d803f6b10c5b932b964d951d29689979c673d7e002c727f239600e6f7dc62f6d291f7612531df802660bc23ac415926f3eecefdc5fa80 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-11 10:06
Reported
2022-10-11 10:08
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FeyQENosfv.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4832 wrote to memory of 4808 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4832 wrote to memory of 4808 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Swift-MT103101122.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FeyQENosfv.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NL | 185.216.71.62:52054 | 185.216.71.62 | tcp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| US | 93.184.220.29:80 | tcp | |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| JP | 40.79.189.58:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| US | 8.247.211.254:80 | tcp | |
| US | 8.247.211.254:80 | tcp | |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
| DK | 2.58.46.200:5465 | javaautorun.duia.ro | tcp |
Files
memory/4808-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\FeyQENosfv.js
| MD5 | f008c6822efc36d36773c28c6648531a |
| SHA1 | e2346b75ee7d0ab6106a519f652d1b55f3fd2a28 |
| SHA256 | 2f5f6b4f2a873a414a1541572c41ff23339fd055b46e0edffcf4adf42985ec7e |
| SHA512 | cd4464839b668ce3218d803f6b10c5b932b964d951d29689979c673d7e002c727f239600e6f7dc62f6d291f7612531df802660bc23ac415926f3eecefdc5fa80 |