Malware Analysis Report

2024-11-30 15:42

Sample ID 230116-kp12nagc8t
Target d4b928defdafd9c54fe69160ba650cc8.bin
SHA256 fd12bc99829e1bf6b3d47705419e33055763a3a375e3069ff5e3d9654c5e461b
Tags: vjw0rm persistence trojan worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fd12bc99829e1bf6b3d47705419e33055763a3a375e3069ff5e3d9654c5e461b

Threat Level: Known bad

The file d4b928defdafd9c54fe69160ba650cc8.bin was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-16 08:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-16 08:47
Reported: 2023-01-16 08:50
Platform: win7-20221111-en
Max time kernel: 167s
Max time network: 182s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(this row is reported 53 times)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js"

Network

(identical connection rows are collapsed; Count is the number of times each appears)
Country Destination Domain Proto Count
N/A 8.8.8.8:53 ip-api.com udp 1
N/A 8.8.8.8:53 javaautorun.duia.ro udp 1
N/A 208.95.112.1:80 ip-api.com tcp 1
N/A 8.8.8.8:53 newstrigpaid.2waky.com udp 1
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp 32
N/A 85.209.135.243:2048 newstrigpaid.2waky.com tcp 20

Files

memory/1708-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

memory/1028-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js

MD5 a46a00fce7c7561dd03f37519c548491
SHA1 d707d5893467538b1ef934900fa7953b0ba3be37
SHA256 db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b
SHA512 61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

memory/864-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

MD5 d4b928defdafd9c54fe69160ba650cc8
SHA1 041715d3775045016dfbebb68f8e4964c8ad123a
SHA256 7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee
SHA512 a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4

memory/1492-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

MD5 d4b928defdafd9c54fe69160ba650cc8
SHA1 041715d3775045016dfbebb68f8e4964c8ad123a
SHA256 7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee
SHA512 a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js

MD5 a46a00fce7c7561dd03f37519c548491
SHA1 d707d5893467538b1ef934900fa7953b0ba3be37
SHA256 db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b
SHA512 61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-16 08:47
Reported: 2023-01-16 08:50
Platform: win10v2004-20221111-en
Max time kernel: 144s
Max time network: 150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(this row is reported 33 times)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2156 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2276 wrote to memory of 2156 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2276 wrote to memory of 3040 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2276 wrote to memory of 3040 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 3040 wrote to memory of 5012 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 3040 wrote to memory of 5012 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js"

Network

(identical connection rows are collapsed; Count is the number of times each appears)
Country Destination Domain Proto Count
N/A 8.8.8.8:53 ip-api.com udp 1
N/A 8.8.8.8:53 javaautorun.duia.ro udp 1
N/A 208.95.112.1:80 ip-api.com tcp 1
N/A 8.8.8.8:53 newstrigpaid.2waky.com udp 1
N/A 20.42.65.84:443 N/A tcp 1
N/A 96.16.110.41:443 N/A tcp 1
N/A 173.223.112.135:443 N/A tcp 1
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp 22
N/A 85.209.135.243:2048 newstrigpaid.2waky.com tcp 10

Files

memory/2156-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EZIcjnTabV.js

MD5 a46a00fce7c7561dd03f37519c548491
SHA1 d707d5893467538b1ef934900fa7953b0ba3be37
SHA256 db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b
SHA512 61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c

memory/3040-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

MD5 d4b928defdafd9c54fe69160ba650cc8
SHA1 041715d3775045016dfbebb68f8e4964c8ad123a
SHA256 7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee
SHA512 a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4

memory/5012-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee.js

MD5 d4b928defdafd9c54fe69160ba650cc8
SHA1 041715d3775045016dfbebb68f8e4964c8ad123a
SHA256 7a9d74c5d107f2c91ae6414674542a85136b310b3948319ffea6139226eaaaee
SHA512 a77cc501a0fb679cc407f97e84af603f90dd8451ea66cf49a1cc76698f1fcaddb6f28f08aa090f38f9004763ccc020d16a069ae5f9ec609a982c39042db668c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZIcjnTabV.js

MD5 a46a00fce7c7561dd03f37519c548491
SHA1 d707d5893467538b1ef934900fa7953b0ba3be37
SHA256 db64faff8266eb46d6e649170da234562332aeb11b6e7adc3073739906a8592b
SHA512 61295739a668d5c286bce20c643e2b1498ffc2f4a2873177b655bf9b8fe534c041a12da95ffa0552e1b76ba2ad09344d5bfc70ba09e03a43d08f01a59f992f8c