Overview

overview

10

Static

static

Inquiry.js

windows7-x64

10

Inquiry.js

windows10-2004-x64

10

Analysis

  • max time kernel
    595s
  • max time network
    601s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2023 12:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry.js

  • Size

    1.3MB

  • MD5

    443caa6bef67a2be0e4bcec86619683e

  • SHA1

    24801da9b7ee6f3bea3a877b4f2e1e5592d27a7c

  • SHA256

    772fd8b1137becb5b3697fb1e10ba79f31367c7402d06235f96fc214d0338327

  • SHA512

    eccc636da9661159c0e500e4eaa3cda94f1ceb220c766459e97ca759c289a0e70522f4cd12d60a4aa6d1ac98a2ef8594c0aff49976087397711cf3b1edbfe6d6

  • SSDEEP

    24576:dwgFD4BiYRWfbd/RgU+FnkCt3fANRbonYMk37CMYY3lPg:dwgFD2ic6hRgU+1RuPoeYYK

Score
10/10
vjw0rmcollectionspywarestealertrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 57 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Inquiry.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ygXhKsdexe.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1824
    • C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
      "C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
    Filesize

    755KB

    MD5

    3e8af9fffb1b980b193508f6a8a8cdc3

    SHA1

    e91e6f525952ae5a812d3cd3a795c6aeca94e527

    SHA256

    ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc

    SHA512

    072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
    Filesize

    755KB

    MD5

    3e8af9fffb1b980b193508f6a8a8cdc3

    SHA1

    e91e6f525952ae5a812d3cd3a795c6aeca94e527

    SHA256

    ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc

    SHA512

    072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ygXhKsdexe.js
    Filesize

    6KB

    MD5

    f5900623d262e28b5b5169d4307406df

    SHA1

    1eba3a193e440e9373133f69cff2f9cff6373189

    SHA256

    9530c305096a7bc5443c50079a77e7aee12d6dea1770f279ccf8f6e5f149f334

    SHA512

    d0ed8912d5ff927bfa0f05616f4712dbf6a60349839d4722691c02eb7cb0ebf2d1f1cbbe8becd1a77b5c71821b623323811d9255d1f8b9060cb928f31a996f97

    Download Submit
  • memory/1824-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4968-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4968-137-0x0000000000D40000-0x0000000000E04000-memory.dmp
    Filesize

    784KB

    Download
  • memory/4968-138-0x0000000007C90000-0x0000000007CF6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4968-139-0x0000000009190000-0x00000000091B2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4968-140-0x0000000009160000-0x000000000916A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4968-141-0x00000000095D0000-0x00000000095E2000-memory.dmp
    Filesize

    72KB

    Download