Analysis Overview
SHA256
f293561f8a8432c1f92858eff79fa9cb0dce4292687f09a6ee1ea52cb395961d
Threat Level: Known bad
The file SPI MARINE1.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Executes dropped EXE
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
outlook_office_path
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-12 13:06
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-12 13:06
Reported
2023-01-12 13:09
Platform
win10v2004-20220812-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3172 wrote to memory of 4508 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3172 wrote to memory of 4508 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 3172 wrote to memory of 632 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe |
| PID 3172 wrote to memory of 632 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe |
| PID 3172 wrote to memory of 632 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js"
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
"C:\Users\Admin\AppData\Local\Temp\Payload-1.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.138.232:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | mail.agritrader.net.ve | udp |
| N/A | 190.114.12.98:587 | mail.agritrader.net.ve | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 13.89.179.8:443 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 8.253.208.120:80 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
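Counting the table above: 16 of the 26 rows are TCP connections to 194.5.98.97:5443 (javaautorun.duia.ro), which matches the 16 rows under "Blocklisted process makes network request" for wscript.exe and is consistent with the script stage polling that host on a non-standard port; the report itself does not tie network rows to processes, so treat the link as consistent rather than confirmed. The three rows to 8.8.8.8:53 are DNS lookups through the sandbox's resolver, so they document which names were queried, not traffic to them. discord.com is the "Legitimate hosting services abused" hit. The single connection to mail.agritrader.net.ve on port 587 (SMTP submission), alongside Payload-1.exe opening the Outlook profile keys, is consistent with mail-based exfiltration, again without proof in this capture. The rows with no domain (8.238.20.126, 13.89.179.8, 8.253.208.120) are unattributed in this report. The win7 table further down has the same shape. The following is an added example, not code from this report or from the sandbox vendor: it parses this table, separates lookups from connections, counts repeats per endpoint, and flags endpoints that have no domain so they are not blocked on the strength of one run. The resolver address and the port-to-service hints are the only assumptions beyond what the page shows.

```python
"""Collapse a sandbox network table into a de-duplicated IOC list.

Added example, not the sandbox vendor's code. NETWORK_TABLE is the win10
(behavioral2) network table from this report; the resolver address and the
port-to-service hints are the only outside assumptions.
"""
from collections import Counter

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.138.232:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | mail.agritrader.net.ve | udp |
| N/A | 190.114.12.98:587 | mail.agritrader.net.ve | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 13.89.179.8:443 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 8.253.208.120:80 | N/A | tcp |
""" + "| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |\n" * 10  # the 10 identical trailing rows

RESOLVER = "8.8.8.8:53"  # assumed: the sandbox's DNS forwarder; a lookup shows a name was queried, not contacted
PORT_HINTS = {53: "dns", 80: "http", 443: "https", 587: "smtp-submission"}
NO_DOMAIN = {"", "N/A"}


def parse_rows(table):
    """Parse the pipe table. Also tolerates exports where an empty Domain
    cell lets the protocol slide left into the Domain column."""
    rows = []
    for line in table.splitlines()[1:]:  # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        _country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        rows.append({"dest": dest, "domain": None if domain in NO_DOMAIN else domain,
                     "proto": proto.lower()})
    return rows


def summarize(rows):
    """Split resolver lookups from connections and count repeats per endpoint."""
    lookups = Counter()
    conns = {}
    for r in rows:
        if r["dest"] == RESOLVER:
            lookups[r["domain"]] += 1
            continue
        e = conns.setdefault(r["dest"], {"domain": r["domain"], "proto": r["proto"], "count": 0})
        e["count"] += 1
    return lookups, conns


def ioc_list(conns):
    """Sort endpoints by hit count. Endpoints with no domain in the capture
    are kept but flagged unattributed so nobody blocks them on one run."""
    out = []
    for dest, e in conns.items():
        port = int(dest.rsplit(":", 1)[1])
        out.append({"dest": dest, "domain": e["domain"], "proto": e["proto"], "count": e["count"],
                    "service_hint": PORT_HINTS.get(port, "non-standard"),
                    "attributed": e["domain"] is not None})
    return sorted(out, key=lambda x: (-x["count"], x["dest"]))


if __name__ == "__main__":
    lookups, conns = summarize(parse_rows(NETWORK_TABLE))
    print("names queried:", dict(lookups))
    for ioc in ioc_list(conns):
        flag = "" if ioc["attributed"] else "  [unattributed]"
        print(f'{ioc["count"]:>3}x {ioc["proto"]} {ioc["dest"]:<22} '
              f'{ioc["domain"] or "-":<24} {ioc["service_hint"]}{flag}')
```

The count per endpoint is the useful output: a single hit to a CDN address looks like background noise, while 16 hits to one non-standard port in a two-and-a-half-minute run is a beacon pattern worth a network rule on its own, independent of the domain name.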
Files
memory/4508-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js
| MD5 | c3ac7171af4f9c6564c944b0c43e11c3 |
| SHA1 | 17199bac943ab82cf4d97bc4a6d2a262121138d5 |
| SHA256 | 5a56274341805f7b17c4dc8435b1d5ecec97f60c3555228c1c12decae4503de4 |
| SHA512 | 0505e21e0bef9d3c75c3ceb0bc2272d3e3aaf41c2b0600ac981218e8251ef9ae49f3ff2d7128c326bec02343f4471362789a30235ea7fa09bd9e53b7eb8ae200 |
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
| MD5 | 5d69b96143f57d5a20e3e118308005b6 |
| SHA1 | 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07 |
| SHA256 | 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed |
| SHA512 | 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73 |
memory/632-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
| MD5 | 5d69b96143f57d5a20e3e118308005b6 |
| SHA1 | 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07 |
| SHA256 | 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed |
| SHA512 | 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73 |
memory/632-137-0x00000000003C0000-0x0000000000482000-memory.dmp
memory/632-138-0x00000000072D0000-0x0000000007336000-memory.dmp
memory/632-139-0x0000000008800000-0x0000000008822000-memory.dmp
memory/632-140-0x0000000008CC0000-0x0000000008CCA000-memory.dmp
memory/632-141-0x0000000008CF0000-0x0000000008D02000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-12 13:06
Reported
2023-01-12 13:09
Platform
win7-20220812-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReMheFnfnu.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1096 wrote to memory of 1112 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1096 wrote to memory of 1112 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1096 wrote to memory of 1112 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1096 wrote to memory of 1620 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe |
| PID 1096 wrote to memory of 1620 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe |
| PID 1096 wrote to memory of 1620 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe |
| PID 1096 wrote to memory of 1620 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload-1.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\SPI MARINE1.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js"
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
"C:\Users\Admin\AppData\Local\Temp\Payload-1.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | mail.agritrader.net.ve | udp |
| N/A | 190.114.12.98:587 | mail.agritrader.net.ve | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/1096-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
memory/1112-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ReMheFnfnu.js
| MD5 | c3ac7171af4f9c6564c944b0c43e11c3 |
| SHA1 | 17199bac943ab82cf4d97bc4a6d2a262121138d5 |
| SHA256 | 5a56274341805f7b17c4dc8435b1d5ecec97f60c3555228c1c12decae4503de4 |
| SHA512 | 0505e21e0bef9d3c75c3ceb0bc2272d3e3aaf41c2b0600ac981218e8251ef9ae49f3ff2d7128c326bec02343f4471362789a30235ea7fa09bd9e53b7eb8ae200 |
memory/1620-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
| MD5 | 5d69b96143f57d5a20e3e118308005b6 |
| SHA1 | 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07 |
| SHA256 | 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed |
| SHA512 | 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73 |
C:\Users\Admin\AppData\Local\Temp\Payload-1.exe
| MD5 | 5d69b96143f57d5a20e3e118308005b6 |
| SHA1 | 01f8350a1cb668c1b023d7c5e28b55d5d4e18d07 |
| SHA256 | 666a2de04c0e4233afc3c1632997b7cbe1d1d17408f2172ecf0ee2359ccd30ed |
| SHA512 | 7b9c50d9455a1d5a4e2ff09b5e6bf4edfd246abb571eaf3189e8140c9764e46d94d9972bce446f4717d32eb21c0b798ad09bbed6af24a95a139eddd9a8ac9e73 |
memory/1620-61-0x0000000000DB0000-0x0000000000E72000-memory.dmp
memory/1620-62-0x00000000768A1000-0x00000000768A3000-memory.dmp
memory/1620-63-0x0000000000600000-0x000000000060E000-memory.dmp
memory/1620-64-0x0000000008220000-0x00000000082D2000-memory.dmp