Analysis Overview
SHA256
e835762f9005924946dbde6b9d9bbf55d7cc360ad4dc371e429f21e0feccab48
Threat Level: Known bad
The file Proforma Invoice 3001855006.zip was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-19 15:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-19 15:28
Reported
2023-01-19 15:33
Platform
win7-20220812-en
Max time kernel
296s
Max time network
301s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 1724 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1264 wrote to memory of 1724 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1264 wrote to memory of 1724 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 3001855006.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
Files
memory/1724-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js
| MD5 | 135ed79b9eea21fa24a2517885b8745b |
| SHA1 | 17ce07b47b0fa1212f30f3879850ec5e7625fbb0 |
| SHA256 | 9feca465d427fa36019bf8e1ce0cbb6f18646d1c4f76b81b5f832bc063447257 |
| SHA512 | 3d1b80e4aa41c0cdeba5c2885f333db7d1e7afdf83015f1100ab1e1c9e198673da1ab33f500b85e07c7e50cd99acceef1ee8dcb64cf0443693a4aae80cadc0c3 |
memory/1724-56-0x000007FEFC581000-0x000007FEFC583000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-19 15:28
Reported
2023-01-19 15:33
Platform
win10v2004-20220812-en
Max time kernel
294s
Max time network
300s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKxfBQLFjK.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5012 wrote to memory of 4964 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5012 wrote to memory of 4964 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice 3001855006.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.42:5443 | javaautorun.duia.ro | tcp |
Files
memory/4964-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\tKxfBQLFjK.js
| MD5 | 135ed79b9eea21fa24a2517885b8745b |
| SHA1 | 17ce07b47b0fa1212f30f3879850ec5e7625fbb0 |
| SHA256 | 9feca465d427fa36019bf8e1ce0cbb6f18646d1c4f76b81b5f832bc063447257 |
| SHA512 | 3d1b80e4aa41c0cdeba5c2885f333db7d1e7afdf83015f1100ab1e1c9e198673da1ab33f500b85e07c7e50cd99acceef1ee8dcb64cf0443693a4aae80cadc0c3 |