Analysis Overview
SHA256
6cb57c9e0fc285d854fde3c6e71eebbf5f10572d12319483801bb5feeb1276c5
Threat Level: Known bad
The file PAYMENT RECEIPT.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-20 19:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-20 19:46
Reported
2023-01-20 19:48
Platform
win7-20220812-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1684 wrote to memory of 952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1684 wrote to memory of 952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1684 wrote to memory of 952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VpdWufezad.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
Files
memory/952-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VpdWufezad.js
| MD5 | 29b7dfa182095ac131dc0fe29ac1114f |
| SHA1 | da5c6968d5c0c93ec8c5c03d6beb846a18f88514 |
| SHA256 | 182dc31a957357b8f8e6417ff1559ee2d1fe28b4e63a934ca377b3f3805aa479 |
| SHA512 | 743c692da089edd96c205d62c27fdbe94c4e1b99e275227cb3ce5905a07cf882542425cce20774ac389b2b045270ec0faa4139066ad3f8b100711ca1358c192c |
memory/952-56-0x000007FEFC341000-0x000007FEFC343000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-20 19:46
Reported
2023-01-20 19:48
Platform
win10v2004-20221111-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VpdWufezad.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1300 wrote to memory of 4224 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1300 wrote to memory of 4224 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PAYMENT RECEIPT.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VpdWufezad.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | tcp | |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 40.77.2.164:443 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 52.168.117.170:443 | tcp | |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 88.221.25.154:80 | tcp | |
| N/A | 88.221.25.154:80 | tcp | |
| N/A | 88.221.25.154:80 | tcp | |
| N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
Files
memory/4224-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VpdWufezad.js
| MD5 | 29b7dfa182095ac131dc0fe29ac1114f |
| SHA1 | da5c6968d5c0c93ec8c5c03d6beb846a18f88514 |
| SHA256 | 182dc31a957357b8f8e6417ff1559ee2d1fe28b4e63a934ca377b3f3805aa479 |
| SHA512 | 743c692da089edd96c205d62c27fdbe94c4e1b99e275227cb3ce5905a07cf882542425cce20774ac389b2b045270ec0faa4139066ad3f8b100711ca1358c192c |