Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/10/2022, 13:22

General

  • Target

    9f40a90db5c7da1cc2ced7e23df53ec3.com.exe

  • Size

    1.4MB

  • MD5

    6c6d3758452aa4500bd4186d02a54bbd

  • SHA1

    29a36ac35cdd13203b584e4f1176802a8bd999ef

  • SHA256

    2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b

  • SHA512

    f6a1332f36948f2d2f593878a704f8d9de8dcb157c3727bdf21203ddf69512f4498faa1a34a86a2e91d5a4b8fc635fd058636a7b38c1cb2e1841efa44c4a18f2

  • SSDEEP

    24576:0AOcZ2i7sBG5TH4AI8saogP5+OE8YqZWyqTr+Mo5pemHI0Yuyqgm:iQYAIoh+OE8Yq+xo5EmHWqZ

Malware Config

Extracted

Family

vjw0rm

C2

http://129.204.138.203:7974

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
    "C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\rfil.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:4436
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe
        "C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe" fwfinco.apb
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe"
          4⤵
            PID:2256
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe"
            4⤵
              PID:1332
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe"
              4⤵
                PID:4776
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe"
                4⤵
                  PID:2300
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe"
                  4⤵
                    PID:3916
                  • C:\Windows\SysWOW64\mshta.exe
                    "C:\Windows\SysWOW64\mshta.exe"
                    4⤵
                      PID:2000
                    • C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\SysWOW64\mshta.exe"
                      4⤵
                        PID:380
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        4⤵
                          PID:4500
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                          4⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:4824

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4_87\epueaee.qsa
    Filesize
    832KB
    MD5
    097b77b3288ee474492dc94a6cb43a15
    SHA1
    742d0e529289b837f512055a4e448fb17cad7656
    SHA256
    db326b548a3e1a2a05539881a054b6f9c0ba302d945480564df3cf77fe96ebb1
    SHA512
    e738ca448b7e83e822803b5bd22ae222584ae46ee67e7ac60189a23af36c42515c1122d5e10b7145db6aee97b110d4882794ee6877a43eb502239d68fa076dab

  • C:\Users\Admin\AppData\Local\Temp\4_87\fwfinco.apb
    Filesize
    124.2MB
    MD5
    87bbebf030409ffb724c09365e4d094c
    SHA1
    dcec2d7a6ff6de98f1760454b1c1c67abeac0da3
    SHA256
    29808fb1137203fc1b0a840e60876da3d8c3ddf9b21869310b2caa221e64ba24
    SHA512
    1a5005e44bf12b4e83e77ee5479a413643813ac0aef3ee906693d08c1a4439949931270be996beda5052fc5c2d01a22852224e19b00462cb086b361082a08f6a

  • C:\Users\Admin\AppData\Local\Temp\4_87\ieeoonj.ppt
    Filesize
    61KB
    MD5
    6eab883507b80a10c54c5c90706826c8
    SHA1
    fd9813bfd24992485b5133d5d68025dd3d0cdf46
    SHA256
    907be50f2e3548c8ac9f4945c05ce4e74ea8f246c51378e097e10837d0331b43
    SHA512
    88bfda7bebe18d4c2faeeedf366c781259e1537f74d7f5d0251f9364807fd945faadff2c56dbeffd5dec8b89723cba736a5538eeaeaee8b511bfd3d5b93ee2c1

  • C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe
    Filesize
    1.0MB
    MD5
    b153044cf36a027e19eb94b06003f09c
    SHA1
    9c5137654c78d249b318d7612a4d3dd2710c3aea
    SHA256
    cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550
    SHA512
    ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

  • C:\Users\Admin\AppData\Local\temp\4_87\rfil.js
    Filesize
    3KB
    MD5
    6c705c7ee0ce269b3e6eb770b797e808
    SHA1
    e8c6540e4dbb6a464e1f0c2c59cab161f44a8705
    SHA256
    dbd1b9421d8634cc2af6ae9c4fe72891bd3139527730185d2e28afe0447b4e2e
    SHA512
    0999401d3218986eac63b8e449a572cdd5aec382fac11a6aa86b6a4035107b75343f6f005d506322c0a0e853c7566cf49078991d93cadfab1e80fad8ed1d93e2

  • C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe
    Filesize
    23KB
    MD5
    71e60ffa129c1759de7d21cda151dc4e
    SHA1
    7a727197a54b055d06180b398ce1a196ffd5ffe6
    SHA256
    26a2dee2267cbd8d019524d2045dda3f0cec89e73d56ba3d2cf2fef9187cb55a
    SHA512
    bf9ca1b82cbff005357fba82b97c4d0494f4b268b1751639f486a936297e5fa49707d545e3471ef61c4153f6cdd796c344d564f6251de87ac8f499b1002ed3e0

  • memory/4824-150-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize
    416KB

  • memory/4824-152-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize
    416KB

  • memory/4824-155-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize
    416KB

  • memory/4824-156-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize
    416KB