Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 14:27

General

  • Target

    Invoices & Supporting documents.js

  • Size

    37KB

  • MD5

    e0d2cbd0519e1f0dbf8c0b74c8ee1246

  • SHA1

    35187b51e45f7466ae98c67900c7c14f7ba268a6

  • SHA256

    45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f

  • SHA512

    9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f

  • SSDEEP

    768:2buVp24R6SMkM4gF8wsZ1va/a9zcHEdYHzePC:2w2g6qMPCwsZ14a9zcH+IzePC

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 22 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoices & Supporting documents.js"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:836
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoices & Supporting documents.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:800
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1696

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Invoices & Supporting documents.js

    Filesize

    37KB

    MD5

    e0d2cbd0519e1f0dbf8c0b74c8ee1246

    SHA1

    35187b51e45f7466ae98c67900c7c14f7ba268a6

    SHA256

    45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f

    SHA512

    9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js

    Filesize

    37KB

    MD5

    e0d2cbd0519e1f0dbf8c0b74c8ee1246

    SHA1

    35187b51e45f7466ae98c67900c7c14f7ba268a6

    SHA256

    45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f

    SHA512

    9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js

    Filesize

    5KB

    MD5

    7d8cc50c80e29db13ca0032d3e00a56d

    SHA1

    d8d138717093b67b4d6205234c82a6fe4f801429

    SHA256

    0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b

    SHA512

    b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c

  • C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js

    Filesize

    5KB

    MD5

    7d8cc50c80e29db13ca0032d3e00a56d

    SHA1

    d8d138717093b67b4d6205234c82a6fe4f801429

    SHA256

    0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b

    SHA512

    b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c

  • memory/1768-54-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

    Filesize

    8KB