Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/12/2022, 17:23

General

  • Target

    RZKpmwZyCc_movar.js

  • Size

    68KB

  • MD5

    387b3482bc2829229722380c02a7a6f0

  • SHA1

    81869d1b70775e564e583fb955ae8179b183122f

  • SHA256

    c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5

  • SHA512

    5810c27e2b677c0864198cd03a06100324e85c53f6324429a8a680a935e064dfc141920303a60c732ad3f2bab8e48b11261a5c963e9e362dac19414aa83b299b

  • SSDEEP

    1536:enVk9hSrHAb6G+GCEnwH+acT16uXNWrI5UjelXjk:enq9qHE9+CBT16tB

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blocklisted process makes network request 24 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 16 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\RZKpmwZyCc_movar.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:592
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RZKpmwZyCc_movar.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:672

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZKpmwZyCc_movar.js

    Filesize

    68KB

    MD5

    387b3482bc2829229722380c02a7a6f0

    SHA1

    81869d1b70775e564e583fb955ae8179b183122f

    SHA256

    c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5

    SHA512

    5810c27e2b677c0864198cd03a06100324e85c53f6324429a8a680a935e064dfc141920303a60c732ad3f2bab8e48b11261a5c963e9e362dac19414aa83b299b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTycLbjPNg.js

    Filesize

    16KB

    MD5

    109194f9f824f9cbcbc8cbaf85502175

    SHA1

    faf63812152fc2c5b1858c1f6acc41ef81475dc5

    SHA256

    1931b5e0f1160d985036b8fd753dd93206db0f03eb6b15c6d1e04b437066e9d9

    SHA512

    63362d6e68cf44008ea8535265dd0b5fbbd2bf58c5d501be100f4d5c23549e3165c611f0d26b89e13ba4578b7bd1964fbb931ec769af453b1935e1e4a73b8e93

  • C:\Users\Admin\AppData\Roaming\RZKpmwZyCc_movar.js

    Filesize

    68KB

    MD5

    387b3482bc2829229722380c02a7a6f0

    SHA1

    81869d1b70775e564e583fb955ae8179b183122f

    SHA256

    c82380d45b2e255e7121f6a76b2e9daf3e03836b8f3121f29aab932377fc8dc5

    SHA512

    5810c27e2b677c0864198cd03a06100324e85c53f6324429a8a680a935e064dfc141920303a60c732ad3f2bab8e48b11261a5c963e9e362dac19414aa83b299b

  • C:\Users\Admin\AppData\Roaming\pTycLbjPNg.js

    Filesize

    16KB

    MD5

    109194f9f824f9cbcbc8cbaf85502175

    SHA1

    faf63812152fc2c5b1858c1f6acc41ef81475dc5

    SHA256

    1931b5e0f1160d985036b8fd753dd93206db0f03eb6b15c6d1e04b437066e9d9

    SHA512

    63362d6e68cf44008ea8535265dd0b5fbbd2bf58c5d501be100f4d5c23549e3165c611f0d26b89e13ba4578b7bd1964fbb931ec769af453b1935e1e4a73b8e93

  • memory/1728-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

    Filesize

    8KB