Analysis Overview
SHA256
9005a39c203e068daa077fe244e2608d36852dbef6f6ce8b28cc5cc015b89b1b
Threat Level: Known bad
The file 98e3648add4ab0724ebeb54eb720e8ad97ad52b0 was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-18 00:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-18 00:54
Reported
2023-01-18 00:57
Platform
win7-20221111-en
Max time kernel
151s
Max time network
208s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 652 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 652 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 1768 set thread context of 1268 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js"
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.sqlite.org | udp |
| N/A | 45.33.6.223:80 | www.sqlite.org | tcp |
| N/A | 45.33.6.223:80 | www.sqlite.org | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | theedenpublicschool.com | tcp |
| N/A | 8.8.8.8:53 | www.ecomicsvilla.com | udp |
| N/A | 198.252.102.191:80 | www.ecomicsvilla.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
Files
memory/1400-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js
| MD5 | 90c052e2282de1c12470fc54d62681d9 |
| SHA1 | ea069b254dde1f6cad46afedf55c69d4516a0d7a |
| SHA256 | be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097 |
| SHA512 | 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7 |
memory/652-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |
memory/1400-58-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp
memory/652-59-0x0000000000D50000-0x0000000000D7F000-memory.dmp
memory/652-60-0x0000000000D80000-0x0000000001083000-memory.dmp
memory/652-61-0x00000000000E0000-0x00000000000F0000-memory.dmp
memory/1268-62-0x0000000004330000-0x000000000440D000-memory.dmp
memory/652-63-0x0000000000D50000-0x0000000000D7F000-memory.dmp
memory/652-64-0x00000000001A0000-0x00000000001B0000-memory.dmp
memory/1268-65-0x0000000006D40000-0x0000000006E6A000-memory.dmp
memory/1768-66-0x0000000000000000-mapping.dmp
memory/652-67-0x0000000000D50000-0x0000000000D7F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |
memory/1768-69-0x0000000000ED0000-0x0000000000EF2000-memory.dmp
memory/1768-70-0x0000000000070000-0x000000000009D000-memory.dmp
memory/1768-71-0x0000000000B50000-0x0000000000E53000-memory.dmp
memory/1268-72-0x0000000004330000-0x000000000440D000-memory.dmp
memory/1768-73-0x0000000000A20000-0x0000000000AAF000-memory.dmp
memory/1268-74-0x0000000002AE0000-0x0000000002B78000-memory.dmp
memory/1268-75-0x0000000006D40000-0x0000000006E6A000-memory.dmp
memory/1768-76-0x0000000075B61000-0x0000000075B63000-memory.dmp
\Users\Admin\AppData\Local\Temp\sqlite3.dll
| MD5 | 9c73b282279e74e40435132e61fda001 |
| SHA1 | 63c7248e91b68fbde4641e3c5e2dc3e9d38671fa |
| SHA256 | 6710d91d77e1937dd5b46d96c0852042985dc78c4c51ce12d3e07a4cdb12c202 |
| SHA512 | 02f9a01a3a5f74ef994ebb9e5f24c6870e2d48c8b99c429a63e74dad73fb581f0b52b2a86d651cafa414675b70a0e85b2e08c843d07e080fe69ee835e3c91108 |
memory/1268-78-0x0000000002AE0000-0x0000000002B78000-memory.dmp
memory/1268-79-0x000007FEF5890000-0x000007FEF59D3000-memory.dmp
memory/1268-80-0x000007FECFD40000-0x000007FECFD4A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-18 00:54
Reported
2023-01-18 00:57
Platform
win10v2004-20221111-en
Max time kernel
153s
Max time network
208s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1908 set thread context of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 3948 set thread context of 784 | N/A | C:\Windows\SysWOW64\wlanext.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4956 wrote to memory of 3392 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4956 wrote to memory of 3392 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4956 wrote to memory of 1908 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\bin.exe |
| PID 4956 wrote to memory of 1908 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\bin.exe |
| PID 4956 wrote to memory of 1908 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\bin.exe |
| PID 784 wrote to memory of 3948 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wlanext.exe |
| PID 784 wrote to memory of 3948 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wlanext.exe |
| PID 784 wrote to memory of 3948 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\wlanext.exe |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js"
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 13.89.179.10:443 | N/A | tcp |
| N/A | 72.21.91.29:80 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 8.8.8.8:53 | theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | theedenpublicschool.com | tcp |
Files
memory/3392-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js
| MD5 | 90c052e2282de1c12470fc54d62681d9 |
| SHA1 | ea069b254dde1f6cad46afedf55c69d4516a0d7a |
| SHA256 | be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097 |
| SHA512 | 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7 |
memory/1908-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |
memory/1908-137-0x0000000000340000-0x000000000036F000-memory.dmp
memory/1908-138-0x00000000013B0000-0x00000000016FA000-memory.dmp
memory/1908-139-0x0000000000EB0000-0x0000000000EC0000-memory.dmp
memory/784-140-0x0000000007A90000-0x0000000007BB5000-memory.dmp
memory/3948-141-0x0000000000000000-mapping.dmp
memory/1908-142-0x0000000000340000-0x000000000036F000-memory.dmp
memory/3948-143-0x0000000000DC0000-0x000000000110A000-memory.dmp
memory/784-144-0x0000000007A90000-0x0000000007BB5000-memory.dmp
memory/3948-145-0x0000000000800000-0x0000000000817000-memory.dmp
memory/3948-146-0x00000000004E0000-0x000000000050D000-memory.dmp
memory/3948-147-0x0000000000A60000-0x0000000000AEF000-memory.dmp
memory/784-148-0x0000000002B00000-0x0000000002BA3000-memory.dmp
memory/3948-149-0x00000000004E0000-0x000000000050D000-memory.dmp
memory/784-150-0x0000000002B00000-0x0000000002BA3000-memory.dmp