Analysis Overview
SHA256: 9005a39c203e068daa077fe244e2608d36852dbef6f6ce8b28cc5cc015b89b1b
Threat Level: Known bad
The file 98e3648add4ab0724ebeb54eb720e8ad97ad52b0 was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
MITRE ATT&CK: Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-01-17 19:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-01-17 19:06
Reported: 2023-01-17 19:09
Platform: win7-20220812-en
Max time kernel: 155s
Max time network: 164s
Command Line: N/A
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1640 set thread context of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 856 set thread context of 1340 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js" |
| C:\Users\Admin\AppData\Local\Temp\bin.exe | "C:\Users\Admin\AppData\Local\Temp\bin.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\SysWOW64\wscript.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 8.8.8.8:53 | www.sqlite.org | udp |
| N/A | 45.33.6.223:80 | www.sqlite.org | tcp |
| N/A | 45.33.6.223:80 | www.sqlite.org | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ecomicsvilla.com | udp |
| N/A | 198.252.102.191:80 | www.ecomicsvilla.com | tcp |
| N/A | 198.252.102.191:80 | www.ecomicsvilla.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ecomicsvilla.com | udp |
| N/A | 198.252.102.191:80 | www.ecomicsvilla.com | tcp |
| N/A | 8.8.8.8:53 | ecomicsvilla.com | udp |
| N/A | 198.252.102.191:80 | ecomicsvilla.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.boltag.xyz | udp |
| N/A | 199.192.31.98:80 | www.boltag.xyz | tcp |
| N/A | 199.192.31.98:80 | www.boltag.xyz | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.f1253.com | udp |
| N/A | 34.92.178.239:80 | www.f1253.com | tcp |
| N/A | 34.92.178.239:80 | www.f1253.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
Files
C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js
| Hash | Value |
| MD5 | 90c052e2282de1c12470fc54d62681d9 |
| SHA1 | ea069b254dde1f6cad46afedf55c69d4516a0d7a |
| SHA256 | be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097 |
| SHA512 | 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7 |
C:\Users\Admin\AppData\Local\Temp\bin.exe
| Hash | Value |
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |
\Users\Admin\AppData\Local\Temp\sqlite3.dll
| Hash | Value |
| MD5 | 38a3e021eb32c9976adaf0b3372080fc |
| SHA1 | 68e02803c646be21007d90bec841c176b82211fd |
| SHA256 | 8cde0275d60da0d11954f73c7c8862cfc4b306f61bb8b1ce14abe4a193af2652 |
| SHA512 | b886cc112f2750e7300b66f7242850659fa49fdc97f75aed376cb9f5440875f303a143bf8b51068ec42674f1ebe1dfcc40534f3a7aed3cc4d20f9274b9a66d18 |
Analysis: behavioral2
Detonation Overview
Submitted: 2023-01-17 19:06
Reported: 2023-01-17 19:10
Platform: win10v2004-20221111-en
Max time kernel: 157s
Max time network: 207s
Command Line: N/A
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 520 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 3808 set thread context of 2632 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Mozilla Firefox\Firefox.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js" |
| C:\Users\Admin\AppData\Local\Temp\bin.exe | "C:\Users\Admin\AppData\Local\Temp\bin.exe" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 452 -p 2544 -ip 2544 |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2544 -s 120 |
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.65.84:443 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
Files
C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js
| Hash | Value |
| MD5 | 90c052e2282de1c12470fc54d62681d9 |
| SHA1 | ea069b254dde1f6cad46afedf55c69d4516a0d7a |
| SHA256 | be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097 |
| SHA512 | 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7 |
C:\Users\Admin\AppData\Local\Temp\bin.exe
| Hash | Value |
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |