Malware Analysis Report

2024-11-15 08:04

Sample ID 230224-rsefdshe4t
Target 1.vhd
SHA256 b1c0b2b8c165b4144be04ac5138af82825f61f4928a4ddf8b9db44f3a2ba1e0d
Tags
vjw0rm persistence trojan worm purecrypter downloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1c0b2b8c165b4144be04ac5138af82825f61f4928a4ddf8b9db44f3a2ba1e0d

Threat Level: Known bad

The file 1.vhd was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm purecrypter downloader loader

Vjw0rm

Purecrypter family

PureCrypter

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Program crash

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 14:27

Signatures

Purecrypter family

purecrypter

Analysis: behavioral3

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

28s

Max time network

30s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

Network

N/A

Files

N/A
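The $I<id>.js runs in this report (behavioral3, behavioral5, behavioral7 and their Windows 10 counterparts) execute under wscript.exe yet produce no signatures, no dropped files and no network traffic, while every $R<id>.js run shows the full Vjw0rm behaviour. That split matches the Windows Recycle Bin layout: a deleted file is stored as $R<id>.<ext> next to a small $I<id>.<ext> record holding its original size, deletion time and original path, so a VHD that ships a $RECYCLE.BIN folder carries both halves of each pair. The report does not state that these $I files are genuine metadata records; treat that reading as an inference to confirm on the image. The parser below is an added example, not part of the report or of the sandbox's tooling. It reads a $I record and recovers the original path. The record it parses is constructed in the code: the path, size and timestamp are assumptions that mirror the lure file name seen here, not values recovered from the sample.

```python
"""Parse a Windows Recycle Bin $I<id> metadata record.

Added example, not part of this report or the sandbox's tooling. Windows
stores a deleted file as $R<id>.<ext> beside a $I<id>.<ext> record that
holds the original size, the deletion time and the original path; a VHD
that ships a $RECYCLE.BIN folder carries both halves of each pair.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_i_record(data: bytes) -> dict:
    """Return version, original size, deletion time and original path.

    Layout: u64 version | u64 size | u64 deletion FILETIME | path, where
    version 1 (Vista to 8.1) stores a fixed 520-byte UTF-16LE path buffer and
    version 2 (Windows 10 and later) stores a u32 path length in UTF-16 code
    units (NUL included) followed by the path.
    """
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte fixed header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("version 1 path buffer truncated")
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("version 2 path field truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_i_record(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Fixture generator so the parser can be exercised offline."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed fixture: path, size and time are assumptions that mirror the
# lure file name in this report; nothing here is recovered from the sample.
SAMPLE_I_RECORD = build_i_record(
    2, r"C:\Users\Admin\Downloads\T817630494847_Payment_receipt_Pdf.js",
    4096, datetime(2023, 2, 24, 14, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_i_record(SAMPLE_I_RECORD)
    print(f"$I v{rec['version']}: {rec['size']} bytes, deleted {rec['deleted'].isoformat()}")
    print("original path:", rec["path"])
```

On a real image, run parse_i_record over each $I file in the $RECYCLE.BIN folder and compare the recovered path with the matching $R file; a $I file whose header does not parse, or whose content is script rather than a 24-byte binary header, is not a metadata record and should be detonated like any other script.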

Analysis: behavioral5

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230220-en

Max time kernel

114s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | js9400.duckdns.org | udp
RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp
US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp
US | 104.208.16.90:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
US | 13.107.4.50:80 | | tcp
US | 93.184.220.29:80 | | tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

124s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RMH8R2U.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$RMH8R2U.js'" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | js9400.duckdns.org | udp
RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTQMIP0ARG = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\T817630494847_Payment_receipt_Pdf.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2008 wrote to memory of 1012 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe
PID 2008 wrote to memory of 1012 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe
PID 2008 wrote to memory of 1012 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | js9300.duckdns.org | udp
RU | 194.147.140.16:9300 | js9300.duckdns.org | tcp

Files

N/A
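Across the Vjw0rm detonations the persistence footprint is the same layered pattern: a copy of the script dropped into the user's Startup folder, a Run value under the user hive with a random name (0YME0MQN5Y, FTQMIP0ARG) pointing at the script, and, for the Payment_receipt lure, a scheduled task named Skype that re-launches the script every 30 minutes. One detail worth checking on a real host: in the $R<id>.js runs the Run value points at C:\Users\Admin\AppData\Local\Temp\<name>.js, one directory above the $RECYCLE.BIN path the script was actually launched from, and the Files sections record no copy to that location. The script below is an added example, not part of the report or the sandbox vendor's code. It parses the signature rows and the schtasks command line exactly as they appear here (including the /tr argument whose closing quote is missing in the captured command line) and flags script-host persistence in user-writable paths and persistence targets that differ from the launched file. The rows it reads are copied from behavioral12 and behavioral17.

```python
"""Pull persistence indicators out of sandbox signature rows.

Added example, not from the report or the sandbox vendor. Input rows are
copied verbatim from this report; the schtasks parser tolerates the
unterminated /tr quote exactly as the command line was captured.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# The REG_SZ data is shown JSON-escaped in the report ("\"...\"" or "'...'").
RUN_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\USER\\\S*\\CurrentVersion\\Run)'
    r'\\(?P<name>\S+) = "(?P<data>.*?)" (?P<proc>\S+) (?P<tgt>\S+)$', re.I)
# Greedy path (it contains spaces), then Process and Target are the last two tokens.
STARTUP_ROW = re.compile(r'^File created (?P<path>.+\\Startup\\.+) (?P<proc>\S+) (?P<tgt>\S+)$', re.I)
# /switch ["value" | value]. The closing quote is optional so a truncated
# /tr "..." still yields its path; a missing quote mid-line would swallow
# the switches after it, which is worth knowing before trusting the parse.
SWITCH = re.compile(r'/(?P<key>\w+)(?:\s+(?:"(?P<quoted>[^"]*)"?|(?P<bare>[^\s/"]\S*)))?')


@dataclass
class Persistence:
    mechanism: str            # run_key | startup_folder | scheduled_task
    name: str                 # value name, dropped file name or task name
    target: str               # path executed at logon or on schedule
    schedule: str = ""
    flags: List[str] = field(default_factory=list)


def _reg_data_to_path(data: str) -> str:
    # Undo the report's escaping, then the quotes the script put around the path.
    return data.replace('\\"', '"').replace("\\\\", "\\").strip("\"'")


def parse_row(row: str) -> Optional[Persistence]:
    m = RUN_ROW.match(row)
    if m:
        return Persistence("run_key", m["name"], _reg_data_to_path(m["data"]))
    m = STARTUP_ROW.match(row)
    if m:
        return Persistence("startup_folder", m["path"].rsplit("\\", 1)[-1], m["path"])
    low = row.lower()
    if "schtasks" in low and "/create" in low:
        sw = {m["key"].lower(): m["quoted"] if m["quoted"] is not None else m["bare"]
              for m in SWITCH.finditer(row)}
        return Persistence("scheduled_task", sw.get("tn") or "", sw.get("tr") or "",
                           schedule=f"{sw.get('sc') or ''}/{sw.get('mo') or ''}")
    return None


def assess(p: Persistence, launch_cmdline: str) -> Persistence:
    target = p.target.lower()
    if target.endswith(SCRIPT_EXT):
        p.flags.append("script-host payload")
    if "\\appdata\\" in target:
        p.flags.append("user-writable location")
    # Run values and task actions reference a path that must exist at next
    # logon; a Startup-folder drop is a copy, so it is not compared.
    launched = launch_cmdline.split(" ", 1)[-1].strip('"').lower()
    if p.mechanism in ("run_key", "scheduled_task") and target != launched:
        p.flags.append("target differs from launched script")
    return p


def triage(launch_cmdline: str, rows: List[str]) -> List[Persistence]:
    found = (parse_row(r) for r in rows)
    return [assess(p, launch_cmdline) for p in found if p is not None]


# Constructed copies of rows from this report, keyed by the launching command line.
DETONATIONS = {
    r"wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js": [
        r'Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" C:\Windows\system32\wscript.exe N/A',
        r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js C:\Windows\system32\wscript.exe N/A',
    ],
    r"wscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js": [
        r'Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTQMIP0ARG = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\T817630494847_Payment_receipt_Pdf.js\"" C:\Windows\system32\wscript.exe N/A',
        r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js',
    ],
}


def triage_report_rows() -> List[Persistence]:
    return [p for launch, rows in DETONATIONS.items() for p in triage(launch, rows)]


if __name__ == "__main__":
    for p in triage_report_rows():
        sched = f" every {p.schedule}" if p.schedule else ""
        print(f"{p.mechanism:15} {p.name:12} -> {p.target}{sched}  {p.flags}")
```

The "target differs from launched script" flag fires for the 0YME0MQN5Y Run value and not for the Payment_receipt entries, which is the distinction an incident responder needs when deciding which paths to collect and which autoruns will actually fire at the next logon.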

Analysis: behavioral16

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230220-en

Max time kernel

108s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RMH8R2U.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$RMH8R2U.js'" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | js9400.duckdns.org | udp
RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.175.53.84.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:27

Platform

win7-20230220-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

Network

Country | Destination | Domain | Proto
US | 20.42.73.26:443 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
NL | 8.253.208.120:80 | | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

31s

Max time network

33s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe

"C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1344

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ashaambulanceservice.com | udp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp

Files

memory/2044-54-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2044-55-0x0000000004C00000-0x0000000004C40000-memory.dmp

memory/2044-56-0x0000000004C00000-0x0000000004C40000-memory.dmp
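The Network tables in this report mix three kinds of traffic: the sample's own lookups and connections (js9400.duckdns.org and js9300.duckdns.org resolving to 194.147.140.16 on ports 9400 and 9300 for the Vjw0rm scripts, ashaambulanceservice.com at 43.225.53.24:443 for the PureCrypter executable), reverse (in-addr.arpa) lookups the platform makes for addresses it saw, and bare-IP connections on ports 80 and 443 with no attributed domain, which on these images are usually OS and browser background traffic. The script below is an added example, not part of the report. It separates those classes over rows copied from behavioral12, behavioral17 and behavioral9: connections with an attributed domain become candidate C2 or download contacts with a connection count, dynamic-DNS hosts and non-standard ports are flagged, bare-IP contacts are listed separately for manual review rather than dropped, and reverse lookups are converted back to an address so that the PTR query for 194.147.140.16 is tied to the C2 instead of discarded as noise. The dynamic-DNS suffix list is an assumption used for illustration.

```python
"""Split the report's Network rows into sample-driven contacts and noise.

Added example, not part of the report. Rows are copied from behavioral12,
behavioral17 and behavioral9; the dynamic-DNS suffix list is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ROW = re.compile(r"^(?P<cc>[A-Z]{2}|N/A) (?P<ip>[\d.]+):(?P<port>\d+)"
                 r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
DYNAMIC_DNS = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")  # assumption
COMMON_PORTS = {80, 443}


@dataclass(frozen=True)
class Contact:
    domain: str
    ip: str
    port: int
    count: int
    dynamic_dns: bool
    nonstandard_port: bool


def ptr_to_ip(name: str) -> Optional[str]:
    """'16.140.147.194.in-addr.arpa' -> '194.147.140.16'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def is_dynamic_dns(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in DYNAMIC_DNS)


def triage(rows: List[str]) -> Dict[str, list]:
    attributed: Counter = Counter()
    unattributed: Counter = Counter()
    forward, ptr = set(), set()
    for line in rows:
        m = ROW.match(line.strip())
        if not m:            # header line or blank
            continue
        ip, port, domain, proto = m["ip"], int(m["port"]), m["domain"], m["proto"]
        if proto == "udp" and port == 53:
            # DNS to the sandbox resolver: keep the names the sample asked
            # for, and turn reverse lookups back into the address they concern.
            if domain:
                target = ptr_to_ip(domain)
                (ptr if target else forward).add(target or domain)
            continue
        if domain:           # the sandbox attributed a name the process resolved
            attributed[(domain, ip, port)] += 1
        else:                # bare-IP contact: review by hand, do not drop
            unattributed[(ip, port)] += 1
    contacted = {ip for _, ip, _ in attributed} | {ip for ip, _ in unattributed}
    return {
        "attributed": [Contact(d, ip, p, n, is_dynamic_dns(d), p not in COMMON_PORTS)
                       for (d, ip, p), n in attributed.items()],
        "unattributed": sorted(unattributed.items()),
        "forward_lookups": sorted(forward),
        "ptr_for_contacted_ip": sorted(ptr & contacted),
    }


# Constructed copy of Network rows from behavioral12, behavioral17 and behavioral9.
SAMPLE_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 js9400.duckdns.org udp
RU 194.147.140.16:9400 js9400.duckdns.org tcp
US 8.8.8.8:53 16.140.147.194.in-addr.arpa udp
US 104.208.16.90:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 13.107.4.50:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 js9300.duckdns.org udp
RU 194.147.140.16:9300 js9300.duckdns.org tcp
US 8.8.8.8:53 ashaambulanceservice.com udp
IN 43.225.53.24:443 ashaambulanceservice.com tcp
IN 43.225.53.24:443 ashaambulanceservice.com tcp
IN 43.225.53.24:443 ashaambulanceservice.com tcp
IN 43.225.53.24:443 ashaambulanceservice.com tcp
IN 43.225.53.24:443 ashaambulanceservice.com tcp
"""


def triage_report_rows() -> Dict[str, list]:
    return triage(SAMPLE_ROWS.splitlines())


if __name__ == "__main__":
    result = triage_report_rows()
    for c in result["attributed"]:
        tags = [t for t, on in (("dyn-dns", c.dynamic_dns), ("odd-port", c.nonstandard_port)) if on]
        print(f"{c.domain} -> {c.ip}:{c.port} x{c.count} {tags}")
    print("unattributed:", result["unattributed"])
    print("PTR lookups for contacted IPs:", result["ptr_for_contacted_ip"])
```

The rule "a name the process resolved" is a sandbox attribution, not proof of intent; it is the right first cut because the background traffic on these images is consistently name-less in the tables, but the bare-IP list is returned rather than discarded so that an analyst can still check it against the image's known telemetry endpoints.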

Analysis: behavioral13

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

127s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | js9400.duckdns.org | udp
RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230220-en

Max time kernel

100s

Max time network

105s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 65.193.24.20.in-addr.arpa | udp
US | 52.168.112.66:443 | | tcp
US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230220-en

Max time kernel

63s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 52.168.112.67:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 8.253.208.113:80 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230220-en

Max time kernel

112s

Max time network

136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | js9400.duckdns.org | udp
RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp
US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
US | 20.42.65.85:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
NL | 173.223.113.131:80 | | tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTQMIP0ARG = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\T817630494847_Payment_receipt_Pdf.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1376 wrote to memory of 404 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe
PID 1376 wrote to memory of 404 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | js9300.duckdns.org | udp
RU | 194.147.140.16:9300 | js9300.duckdns.org | tcp
US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 250.108.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.193.24.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.237.18.117.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp
US | 20.189.173.9:443 | | tcp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:27

Platform

win10v2004-20230220-en

Max time kernel

1s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 52.139.176.199:443 | | tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win10v2004-20230221-en

Max time kernel

92s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe

"C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1984

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ashaambulanceservice.com | udp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.53.225.43.in-addr.arpa | udp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp
US | 20.189.173.4:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp

Files

memory/2860-133-0x0000000000330000-0x000000000034E000-memory.dmp

memory/2860-134-0x00000000053A0000-0x0000000005944000-memory.dmp

memory/2860-135-0x0000000004CF0000-0x0000000004D82000-memory.dmp

memory/2860-136-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-02-24 14:27

Reported

2023-02-24 14:29

Platform

win7-20230220-en

Max time kernel

122s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js | C:\Windows\system32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | js9400.duckdns.org | udp
RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp

Files

N/A