Analysis Overview
SHA256
45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f
Threat Level: Known bad
The file Invoices & Supporting documents.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-11 14:27
Signatures
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2022-10-11 14:27 |
| Reported | 2022-10-11 14:29 |
| Platform | win7-20220901-en |
| Max time kernel | 150s |
| Max time network | 154s |
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1768 wrote to memory of 836 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1768 wrote to memory of 800 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 800 wrote to memory of 1696 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\wscript.exe | wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoices & Supporting documents.js" |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js" |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoices & Supporting documents.js" |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| US | 8.8.8.8:53 | remixdika.ydns.eu | udp |
| NL | 5.62.20.25:5465 | javaautorun.duia.ro | tcp |
| NL | 37.0.14.195:3030 | remixdika.ydns.eu | tcp |
Files
memory/1768-54-0x000007FEFC591000-0x000007FEFC593000-memory.dmp
memory/836-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js
| MD5 | 7d8cc50c80e29db13ca0032d3e00a56d |
| SHA1 | d8d138717093b67b4d6205234c82a6fe4f801429 |
| SHA256 | 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b |
| SHA512 | b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c |
memory/800-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Invoices & Supporting documents.js
| MD5 | e0d2cbd0519e1f0dbf8c0b74c8ee1246 |
| SHA1 | 35187b51e45f7466ae98c67900c7c14f7ba268a6 |
| SHA256 | 45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f |
| SHA512 | 9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f |
memory/1696-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js
| MD5 | e0d2cbd0519e1f0dbf8c0b74c8ee1246 |
| SHA1 | 35187b51e45f7466ae98c67900c7c14f7ba268a6 |
| SHA256 | 45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f |
| SHA512 | 9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js
| MD5 | 7d8cc50c80e29db13ca0032d3e00a56d |
| SHA1 | d8d138717093b67b4d6205234c82a6fe4f801429 |
| SHA256 | 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b |
| SHA512 | b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2022-10-11 14:27 |
| Reported | 2022-10-11 14:29 |
| Platform | win10v2004-20220901-en |
| Max time kernel | 145s |
| Max time network | 152s |
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Invoices & Supporting documents = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Invoices & Supporting documents.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3180 wrote to memory of 3660 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3180 wrote to memory of 3552 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3552 wrote to memory of 640 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\wscript.exe | wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoices & Supporting documents.js" |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js" |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Invoices & Supporting documents.js" |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NL | 5.62.20.25:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | remixdika.ydns.eu | udp |
| NL | 37.0.14.195:3030 | remixdika.ydns.eu | tcp |
| US | 13.89.179.9:443 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
memory/3660-132-0x0000000000000000-mapping.dmp
memory/3552-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\nNRlQXvwxJ.js
| MD5 | 7d8cc50c80e29db13ca0032d3e00a56d |
| SHA1 | d8d138717093b67b4d6205234c82a6fe4f801429 |
| SHA256 | 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b |
| SHA512 | b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c |
C:\Users\Admin\AppData\Roaming\Invoices & Supporting documents.js
| MD5 | e0d2cbd0519e1f0dbf8c0b74c8ee1246 |
| SHA1 | 35187b51e45f7466ae98c67900c7c14f7ba268a6 |
| SHA256 | 45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f |
| SHA512 | 9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f |
memory/640-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoices & Supporting documents.js
| MD5 | e0d2cbd0519e1f0dbf8c0b74c8ee1246 |
| SHA1 | 35187b51e45f7466ae98c67900c7c14f7ba268a6 |
| SHA256 | 45f0f33921e9e548f1df35f5d30855704de3542789c4c7d2c35f68cd8ab0166f |
| SHA512 | 9a6fd2345615d75963c8f13049a08ac3873a051e621c25fb13f25ddb12cf301412d28e4660f53ee6e2a02743ed1d6d87cadafb403cf66f5a524fa715327ef99f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nNRlQXvwxJ.js
| MD5 | 7d8cc50c80e29db13ca0032d3e00a56d |
| SHA1 | d8d138717093b67b4d6205234c82a6fe4f801429 |
| SHA256 | 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b |
| SHA512 | b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c |