Analysis Overview
SHA256
ceaa4d371a7d05ee9dc926777f30684b0acd7ea78c745a8d1b3eaa77b6e85e55
Threat Level: Known bad
The file 35K MT SOYBEAN MEAL.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Enumerates physical storage devices
Program crash
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-12 15:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-12 15:43
Reported
2023-01-12 15:45
Platform
win7-20220901-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\35K MT SOYBEAN MEAL.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1844
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/1036-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp
memory/564-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js
| MD5 | 52a7a3de89aa5553c03bc908385e47c6 |
| SHA1 | c9119e20eb105d5f722d5fdc417a51a829b2b517 |
| SHA256 | 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd |
| SHA512 | 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3 |
memory/716-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
memory/716-61-0x0000000000020000-0x00000000000E4000-memory.dmp
memory/716-62-0x0000000075BB1000-0x0000000075BB3000-memory.dmp
memory/716-63-0x00000000006A0000-0x00000000006AE000-memory.dmp
memory/716-64-0x00000000087B0000-0x0000000008862000-memory.dmp
memory/1924-65-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-12 15:43
Reported
2023-01-12 15:45
Platform
win10v2004-20220812-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mTDWCoeANO.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 5032 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2240 wrote to memory of 5032 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2240 wrote to memory of 2112 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
| PID 2240 wrote to memory of 2112 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
| PID 2240 wrote to memory of 2112 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\35K MT SOYBEAN MEAL.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.136.232:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 20.50.201.200:443 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/5032-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\mTDWCoeANO.js
| MD5 | 52a7a3de89aa5553c03bc908385e47c6 |
| SHA1 | c9119e20eb105d5f722d5fdc417a51a829b2b517 |
| SHA256 | 8331fd62bc3e4ebc9129cdfaaa8f1ee5e18461e13fff209e7220d6a93c8cb0fd |
| SHA512 | 3bfbd03b780803142088aa898fd6443a9a1aea202a714a00173227b5ecd98deadce5c0fded80225525e7a88e5c38b591b558a0106779b168e8c5b1b7038e63e3 |
memory/2112-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
memory/2112-137-0x0000000000970000-0x0000000000A34000-memory.dmp
memory/2112-138-0x0000000007790000-0x00000000077F6000-memory.dmp
memory/2112-139-0x0000000008B30000-0x0000000008B52000-memory.dmp
memory/2112-140-0x0000000002C00000-0x0000000002C0A000-memory.dmp
memory/2112-141-0x0000000002C30000-0x0000000002C42000-memory.dmp