Analysis

  • max time kernel
    204s
  • max time network
    224s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/11/2022, 06:21

General

  • Target

    Order Spec.PDF.js

  • Size

    40KB

  • MD5

    866bc1d7e3b0b0f5d50f822d901cc6db

  • SHA1

    981e383028b2672260a69f4b4210d76ad0946533

  • SHA256

    b29f7ef3d2fc192562ade4242016a762ad7863c8936b30d6e91565d820734ba9

  • SHA512

    00dea71438fbb27c492f3201d64ae342864cae5e3672ad9504363577570b930e6e744c6785be2d675f9439d0de821c87dfca2fc41e84cffcde1dd7bbf9d35a8b

  • SSDEEP

    768:NKm0ftIQVmYOn+QSkQqRp2iDg0vGcxZfznJNanLPE0BcOlh:cVftIQmSkR2iDYefXWM0BcOD

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:1604

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request (23 IoCs)
  • Drops startup file (4 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent (17 IoCs)

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order Spec.PDF.js"
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DHRCMgDdNJ.js"
      • Blocklisted process makes network request
      • Drops startup file
      PID:1776

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\DHRCMgDdNJ.js

    Filesize

    6KB

    MD5

    632a1c96cfffa418b08375cfe6d6c9aa

    SHA1

    8c43d121c6e4b7859c20ecad06feb1a1b32d1f0e

    SHA256

    a68ed70a13255af4d8ba9bc0b5024e13a4e5e07153b4d1169965f774f4328d8d

    SHA512

    8bd0e9821ea72602544c0af137e61d792d7a5c73196b9f39fb9331ce676535ab9225def366f83923db99ca46e5d217aa38e51934f440f2fee565f9e45e504a43

  • memory/1188-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

    Filesize

    8KB