Analysis Overview
SHA256
d545270fe4ea4823d14c419ec38d3c1f861c6a24c096b3b0953960428c4ef395
Threat Level: Known bad
The file Proforma DA request.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Program crash
Enumerates physical storage devices
outlook_office_path
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-13 08:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-13 08:39
Reported
2023-01-13 08:42
Platform
win7-20221111-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma DA request.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1872
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/1540-54-0x000007FEFC091000-0x000007FEFC093000-memory.dmp
memory/660-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js
| MD5 | bc7e3f3b7e656d7210168ade916e46ed |
| SHA1 | 210515856852a1563147ce7e86504c6ceede5f27 |
| SHA256 | 9cfe508ba1049698650251a3ae53bdc78770d77d1bbe6d30653eb5c4fa29acba |
| SHA512 | bb8424b6b60d66db6e021fcc6ab132437addbb196bd1709e855ea184c5dcfdd5aa8c3008c3526dc6f8c475165f18b966766850e758fccdd40bfd04874c6e5c17 |
memory/1656-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
memory/1656-61-0x00000000003C0000-0x0000000000484000-memory.dmp
memory/1656-62-0x0000000075931000-0x0000000075933000-memory.dmp
memory/1656-63-0x0000000000570000-0x000000000057E000-memory.dmp
memory/1656-64-0x0000000008450000-0x0000000008502000-memory.dmp
memory/1732-65-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-13 08:39
Reported
2023-01-13 08:42
Platform
win10v2004-20220901-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJuNhYQRCb.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 3852 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2224 wrote to memory of 3852 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2224 wrote to memory of 3800 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
| PID 2224 wrote to memory of 3800 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
| PID 2224 wrote to memory of 3800 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma DA request.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.128.233:443 | discord.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 209.197.3.8:80 | tcp | |
| N/A | 20.189.173.5:443 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 209.197.3.8:80 | tcp | |
| N/A | 209.197.3.8:80 | tcp | |
| N/A | 209.197.3.8:80 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 13.107.42.16:443 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/3852-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HJuNhYQRCb.js
| MD5 | bc7e3f3b7e656d7210168ade916e46ed |
| SHA1 | 210515856852a1563147ce7e86504c6ceede5f27 |
| SHA256 | 9cfe508ba1049698650251a3ae53bdc78770d77d1bbe6d30653eb5c4fa29acba |
| SHA512 | bb8424b6b60d66db6e021fcc6ab132437addbb196bd1709e855ea184c5dcfdd5aa8c3008c3526dc6f8c475165f18b966766850e758fccdd40bfd04874c6e5c17 |
memory/3800-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | 2b7f757f0a02ced496481020f0b8f1eb |
| SHA1 | 21f11c5f725648d27af684ecff61c3ef7ecbcba3 |
| SHA256 | e9104e917f45761bacb425fc97f53175c3ad82ac1961fd68b749c574ec81b3e9 |
| SHA512 | 1a13cd7f10099cfb679974fb8984ed9698bd5f2bef3beac3f06027e25ecb8147864c6b15768a204991e8e5d6eef75e3447dd816d9c00497b31f479b72197a9d7 |
memory/3800-137-0x0000000000E70000-0x0000000000F34000-memory.dmp
memory/3800-138-0x0000000007D90000-0x0000000007DF6000-memory.dmp
memory/3800-139-0x00000000092B0000-0x00000000092D2000-memory.dmp
memory/3800-140-0x0000000003190000-0x000000000319A000-memory.dmp
memory/3800-141-0x00000000031C0000-0x00000000031D2000-memory.dmp