Overview

overview

10

Static

static

DTQ112.js

windows7-x64

10

DTQ112.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2023, 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DTQ112.js

  • Size

    383KB

  • MD5

    85645d678a8f223d8f51b378d1be3dd7

  • SHA1

    0c74da21bca5af61794c8ed4ecc2e184238b33f5

  • SHA256

    e97df359d8f26fcd593a5316e33cb9e683cf837cd84eca3c7e9f8a70e055885d

  • SHA512

    6b09e33c62bf92058d59d61d6c6a5c066d6e045247dd0122174eff287c367b35ccc537f213f6b9959ffa61f7531c8cba046266b238a94ff43523286640f3ea5c

  • SSDEEP

    6144:rI7O6VBbM1UcEHy5rqRs23QfpbX90vXdfPFhxAVSCE4:GcH5rqyIi90PdHFhxw1E4

Score
10/10
vjw0rmtrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\DTQ112.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WuPDXzESAy.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1080
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1388

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bin.exe
      Filesize

      185KB

      MD5

      f9fdfca55156f35ea48a17947d091f4d

      SHA1

      15f10040cf10535deed5ca028150ed847a585d01

      SHA256

      7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0

      SHA512

      53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bin.exe
      Filesize

      185KB

      MD5

      f9fdfca55156f35ea48a17947d091f4d

      SHA1

      15f10040cf10535deed5ca028150ed847a585d01

      SHA256

      7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0

      SHA512

      53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WuPDXzESAy.js
      Filesize

      18KB

      MD5

      729bb7bd9776f8fd965be4bf94a3809a

      SHA1

      52ea0f24856743b71acde3ea34e7b91bcf32e6ec

      SHA256

      f2e2a03ac56f6698481b44b442d2ee91ee0522f23ca5d21c9e23de061c7a8e28

      SHA512

      4deeca4514770a78c384c4ec3ed0cf5d1f82cf20336fc2769f85903d8d3b7db1b472d726e8ff45e139da37b6c4caff54be6e407c56bfe603828ab17b17d8f996

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      1.1MB

      MD5

      f55e5766477de5997da50f12c9c74c91

      SHA1

      4dc98900a887be95411f07b9e597c57bdc7dbab3

      SHA256

      90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

      SHA512

      983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

      Download Submit

    • memory/984-65-0x0000000075091000-0x0000000075093000-memory.dmp

      Filesize

      8KB

      Download

    • memory/984-70-0x0000000001F70000-0x0000000001FFF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/984-69-0x0000000002110000-0x0000000002413000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/984-68-0x00000000000D0000-0x00000000000FD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/984-67-0x0000000000B50000-0x0000000000B64000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1080-59-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1272-62-0x0000000004F30000-0x0000000005027000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1272-71-0x0000000003CA0000-0x0000000003D61000-memory.dmp

      Filesize

      772KB

      Download

    • memory/1272-73-0x0000000003CA0000-0x0000000003D61000-memory.dmp

      Filesize

      772KB

      Download

    • memory/1648-64-0x0000000000F00000-0x0000000000F2F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1648-61-0x00000000000E0000-0x00000000000F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1648-60-0x0000000000730000-0x0000000000A33000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1648-58-0x0000000000F00000-0x0000000000F2F000-memory.dmp

      Filesize

      188KB

      Download