Analysis Overview
SHA256
cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63
Threat Level: Known bad
The file MV BMC ENDORA V0123- PDA.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
AsyncRat
Async RAT payload
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-13 08:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-13 08:57
Reported
2023-01-13 08:59
Platform
win7-20220812-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
AsyncRat
Vjw0rm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E18.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"
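Added example, not part of the sandbox report: the process chain listed above (wscript.exe runs the .js, drops and launches AsyncClient.exe, which uses cmd.exe, a temporary .bat, timeout and schtasks to register a logon task named "Recycle Bin" pointing into %AppData%) expressed as detection rules over process-creation events. The sample events are constructed from the command lines printed in this report; the parent/child links are assumed, since the listing does not show them, and the last row is a benign control that should not fire.

```python
"""Detection logic over process-creation telemetry, modelled on the
process tree in this report. Added example: not sandbox output.
Sample events are constructed; parent links are assumed from the
command lines (the report does not print them)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str


# Constructed from the 'Processes' listing above, plus one benign control row.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"'),
    ProcEvent(r"C:\Windows\system32\wscript.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"'),
    ProcEvent(r"C:\Windows\system32\wscript.exe", r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"'),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit"""),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E18.tmp.bat""'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'"""),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe",
              r'"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'),
    # Benign control: a daily task for a program under Program Files must not fire.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"'),
]

# Paths an unprivileged user can write to; persistence pointing here is the tell.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Captures the /tr target even when it is wrapped as '"..."' as in this sample.
TASK_RUN = re.compile(r"/tr\s+'?\"?([^\"']+)", re.I)
TEMP_BAT = re.compile(r"\\temp\\tmp[0-9a-f]+\.tmp\.bat", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty if nothing matched)."""
    hits = []
    img, parent, cl = _base(ev.image), _base(ev.parent_image), ev.cmdline
    low = cl.lower()
    # 1. A script host executing a script from a user-writable location.
    if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cl) and USER_WRITABLE.search(cl):
        hits.append("script_host_runs_user_writable_script")
    # 2. A script host launching an executable that lives in a user-writable location.
    if parent in SCRIPT_HOSTS and img.endswith(".exe") and USER_WRITABLE.search(ev.image):
        hits.append("script_host_spawns_dropped_exe")
    # 3. Logon-triggered, highest-privilege task whose action is in a user-writable path.
    if "schtasks" in low and "/create" in low:
        m = TASK_RUN.search(cl)
        target = m.group(1) if m else ""
        if "/sc onlogon" in low and "/rl highest" in low and USER_WRITABLE.search(target):
            hits.append("logon_task_persistence_to_user_writable_path")
    # 4. cmd.exe running a generated tmpXXXX.tmp.bat from %Temp% (the installer stub).
    if img == "cmd.exe" and TEMP_BAT.search(cl):
        hits.append("cmd_runs_temp_bat_installer")
    return hits


def scan(events) -> list[tuple[str, str, str]]:
    """Flatten (rule, image, cmdline) findings for a list of events."""
    return [(rule, ev.image, ev.cmdline) for ev in events for rule in classify(ev)]


if __name__ == "__main__":
    for rule, image, cmdline in scan(SAMPLE_EVENTS):
        print(f"{rule:<48} {image}\n    {cmdline}")
```

Both the cmd.exe wrapper and the schtasks.exe child trip the persistence rule, which is what you want: either one may be the only event an EDR captures. The rule keys on the task action living under a user-writable path rather than on the task name, because the name is attacker-chosen.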
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 84.21.172.33:8808 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 84.21.172.33:8808 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
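Added example, not part of the sandbox report: a parser that turns the Network table above into a deduplicated IOC list, separating the DNS lookups from the data sessions and tying javaautorun.duia.ro to the address it resolved to. The rows embedded below are a constructed subset copied from this report, including one row in the shape where the Domain cell is empty and the protocol sits in its column; the Suricata sid numbering is an assumption.

```python
"""Parse the sandbox 'Network' table into IOCs. Added example, not part of
the report. Tolerates rows with an empty Domain cell, including the shape
'| N/A | ip:port | tcp | |'. Rule sids are an assumption."""
from collections import Counter, defaultdict

# Constructed subset of the rows in this report (header included on purpose).
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 84.21.172.33:8808 | tcp | |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 84.21.172.33:8808 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
"""

PROTOS = {"tcp", "udp"}
PTR_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def parse_row(line: str):
    """Return a dict for one data row, or None for the header/blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    # Shifted row: protocol landed in the Domain column and Proto is empty.
    if domain.lower() in PROTOS and not proto:
        domain, proto = "", domain
    host, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit():
        return None  # header row or an unexpected shape
    return {
        "country": None if country == "N/A" else country,
        "ip": host,
        "port": int(port),
        "domain": domain if domain and domain != "N/A" else None,
        "proto": proto.lower(),
    }


def parse_rows(text: str):
    return [r for r in (parse_row(line) for line in text.splitlines()) if r]


def summarize(rows):
    """Split DNS lookups from data sessions; map names to the IPs they resolved to."""
    sessions = Counter()          # (ip, port, proto) -> connection count
    resolved = defaultdict(set)   # domain -> {ip}
    queried = set()               # forward lookups only
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            # Reverse (PTR) lookups are OS background noise; keep forward names only.
            if r["domain"] and not r["domain"].endswith(PTR_SUFFIXES):
                queried.add(r["domain"])
            continue
        sessions[(r["ip"], r["port"], r["proto"])] += 1
        if r["domain"]:
            resolved[r["domain"]].add(r["ip"])
    return {"sessions": sessions, "resolved": dict(resolved), "queried": queried}


def to_suricata(sessions, sid_base=9000000):
    """One alert rule per unique destination (sid_base is an assumed local range)."""
    rules = []
    for i, ((ip, port, proto), n) in enumerate(sorted(sessions.items())):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Sandbox IOC {ip}:{port} seen {n}x"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for (ip, port, proto), n in s["sessions"].most_common():
        print(f"{ip}:{port}/{proto}  x{n}")
    print("resolved:", s["resolved"])
    print("\n".join(to_suricata(s["sessions"])))
```

The repeated connections to 194.5.98.97:5443 are the beaconing to watch for; the bare-IP destinations on 8808 (behavioral1) and 6606 (behavioral2) have no name attached in the report, so a DNS-based block alone would not cover them.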
Files
memory/1816-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp
memory/1756-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js
| MD5 | 7586d9e4467d26fde97538eab36cf88c |
| SHA1 | d7fcd37e0bc9e790023a38d2d470cd001f81ca92 |
| SHA256 | 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18 |
| SHA512 | 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a |
memory/1956-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
memory/1956-61-0x0000000000E30000-0x0000000000E42000-memory.dmp
memory/1956-62-0x00000000756A1000-0x00000000756A3000-memory.dmp
memory/1928-63-0x0000000000000000-mapping.dmp
memory/1868-64-0x0000000000000000-mapping.dmp
memory/552-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5E18.tmp.bat
| MD5 | 283069a509dcbec665140fd9d1cb1125 |
| SHA1 | b8c7494ec6c7612cd09a0b80a5bee48e84f72dbd |
| SHA256 | 157ebfe2f54922b9e7dd683dd576ab8c832cc130ea0c6b90a09a45b95ec132a1 |
| SHA512 | 5febd13491c244783d6cab407d642a16057d722402c352e172412403edd614c3fbfe1e7de72f37c2cb06e770a09c72bf9f2e71cdd7f882bc402a83d4f205cbf7 |
memory/1620-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Recycle Bin.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
memory/1880-70-0x0000000000000000-mapping.dmp
memory/1880-72-0x00000000003B0000-0x00000000003C2000-memory.dmp
memory/1880-74-0x0000000005330000-0x00000000053AE000-memory.dmp
memory/1880-75-0x00000000006E0000-0x00000000006EA000-memory.dmp
memory/1880-76-0x0000000005C10000-0x0000000005CA0000-memory.dmp
memory/1880-77-0x0000000005A20000-0x0000000005A80000-memory.dmp
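Added example, not part of the sandbox report: a parser for the Files listing above that groups entries by SHA256 and decodes the memory-dump names. Run over this listing it shows that the persisted "Recycle Bin.exe" is byte-identical to the dropped AsyncClient.exe (same SHA256), and that the dumped regions of the two processes are the same size. The embedded sample is a constructed excerpt of the listing; the dump-name convention (memory/pid-seq-start[-end]-kind.dmp) is read from the names as printed and is otherwise an assumption.

```python
"""Parse the sandbox 'Files' listing: group dropped files by SHA256 and
decode memory-dump names. Added example, not part of the report; the
sample is a constructed excerpt of the listing above."""
import re
from collections import defaultdict

SAMPLE_FILES = r"""
memory/1816-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp
memory/1756-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js
| MD5 | 7586d9e4467d26fde97538eab36cf88c |
| SHA1 | d7fcd37e0bc9e790023a38d2d470cd001f81ca92 |
| SHA256 | 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18 |
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
memory/1956-61-0x0000000000E30000-0x0000000000E42000-memory.dmp
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
memory/1880-72-0x00000000003B0000-0x00000000003C2000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp  (assumed convention)
DUMP_NAME = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_files(text: str):
    files = []                  # [{"path": ..., "hashes": {algo: hexdigest}}]
    dumps = defaultdict(list)   # pid -> [{"seq", "kind", "start", "end", "size"}]
    bad = []                    # (path, algo, value) with a wrong-length digest
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_NAME.match(line)
        if m:
            pid, seq, start, end, kind = m.groups()
            start_i = int(start, 16)
            end_i = int(end, 16) if end else None     # mapping dumps carry no end
            dumps[int(pid)].append({
                "seq": int(seq), "kind": kind, "start": start_i, "end": end_i,
                "size": end_i - start_i if end_i is not None else None,
            })
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                algo, value = m.group(1), m.group(2).lower()
                if len(value) != HASH_LEN[algo]:
                    bad.append((current["path"], algo, value))
                current["hashes"][algo] = value
            continue
        current = {"path": line, "hashes": {}}     # any other line starts a file record
        files.append(current)
    by_sha256 = defaultdict(list)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_sha256[f["hashes"]["SHA256"]].append(f["path"])
    return {"files": files, "by_sha256": dict(by_sha256),
            "dumps": dict(dumps), "bad_hashes": bad}


def aliases(parsed):
    """SHA256 values seen under more than one path: the same binary under a new name."""
    return {h: paths for h, paths in parsed["by_sha256"].items() if len(paths) > 1}


if __name__ == "__main__":
    p = parse_files(SAMPLE_FILES)
    for h, paths in aliases(p).items():
        print(f"{h[:16]}...  ->  {' == '.join(paths)}")
    for pid, regions in sorted(p["dumps"].items()):
        for r in regions:
            size = f"{r['size']:#x}" if r["size"] is not None else "n/a"
            print(f"pid {pid} seq {r['seq']:<3} {r['kind']:<8} start {r['start']:#x} size {size}")
```

For response work this means one SHA256 covers both on-disk artifacts, and the scheduled-task target can be matched by hash rather than by its decoy name.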
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-13 08:57
Reported
2023-01-13 08:59
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
AsyncRat
Vjw0rm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E2B.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 84.21.172.33:6606 | N/A | tcp |
| N/A | 84.21.172.33:6606 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 52.182.143.210:443 | N/A | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
Files
memory/1080-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js
| MD5 | 7586d9e4467d26fde97538eab36cf88c |
| SHA1 | d7fcd37e0bc9e790023a38d2d470cd001f81ca92 |
| SHA256 | 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18 |
| SHA512 | 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a |
memory/580-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
memory/580-137-0x0000000000D30000-0x0000000000D42000-memory.dmp
memory/580-138-0x00000000057D0000-0x000000000586C000-memory.dmp
memory/1172-139-0x0000000000000000-mapping.dmp
memory/4360-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8E2B.tmp.bat
| MD5 | e113f3895ad67011505e2fe3e1f48a71 |
| SHA1 | 60c5f2be1c75922ec5ade991021207f07e0b256a |
| SHA256 | 5eb779a9f9077d5ae74d09f601fa0ce68a8cd27c858918bc6c1319f479e4aaec |
| SHA512 | 291359cf8ee4f2adbda15561ef825d00fd91eca6b6c97596e3123d397f603a2f5bd69d201aff9c975d81cb00044f4709da131e665c186fb9ece72867e8f48b40 |
memory/4472-142-0x0000000000000000-mapping.dmp
memory/1460-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
memory/3940-144-0x0000000000000000-mapping.dmp
memory/3940-147-0x0000000005680000-0x0000000005C24000-memory.dmp
memory/3940-148-0x0000000005140000-0x00000000051A6000-memory.dmp
memory/3940-149-0x00000000064B0000-0x0000000006526000-memory.dmp
memory/3940-150-0x0000000006560000-0x000000000657E000-memory.dmp