Analysis Overview
SHA256
b1c0b2b8c165b4144be04ac5138af82825f61f4928a4ddf8b9db44f3a2ba1e0d
Threat Level: Known bad
The file 1.vhd was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Purecrypter family
PureCrypter
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 14:27
Signatures
Purecrypter family
Analysis: behavioral3
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
28s
Max time network
30s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230220-en
Max time kernel
114s
Max time network
124s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp |
| US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp |
| US | 104.208.16.90:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 13.107.4.50:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
124s
Max time network
127s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RMH8R2U.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$RMH8R2U.js'" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTQMIP0ARG = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\T817630494847_Payment_receipt_Pdf.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 1012 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
| PID 2008 wrote to memory of 1012 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
| PID 2008 wrote to memory of 1012 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js9300.duckdns.org | udp |
| RU | 194.147.140.16:9300 | js9300.duckdns.org | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230220-en
Max time kernel
108s
Max time network
118s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RMH8R2U.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$RMH8R2U.js'" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.175.53.84.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:27
Platform
win7-20230220-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230220-en
Max time kernel
62s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js
Network
| Country | Destination | Domain | Proto |
| US | 20.42.73.26:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| NL | 8.253.208.120:80 | | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
PureCrypter
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2044 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2044 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2044 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2044 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe
"C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1344
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ashaambulanceservice.com | udp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
Files
memory/2044-54-0x0000000000020000-0x000000000003E000-memory.dmp
memory/2044-55-0x0000000004C00000-0x0000000004C40000-memory.dmp
memory/2044-56-0x0000000004C00000-0x0000000004C40000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
127s
Max time network
131s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230220-en
Max time kernel
100s
Max time network
105s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 65.193.24.20.in-addr.arpa | udp |
| US | 52.168.112.66:443 | | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230220-en
Max time kernel
63s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 52.168.112.67:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 8.253.208.113:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230220-en
Max time kernel
112s
Max time network
136s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp |
| US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 20.42.65.85:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 173.223.113.131:80 | | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230220-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTQMIP0ARG = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\T817630494847_Payment_receipt_Pdf.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1376 wrote to memory of 404 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
| PID 1376 wrote to memory of 404 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js9300.duckdns.org | udp |
| RU | 194.147.140.16:9300 | js9300.duckdns.org | tcp |
| US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.140.147.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.108.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.193.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.237.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp |
| US | 20.189.173.9:443 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:27
Platform
win10v2004-20230220-en
Max time kernel
1s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 52.139.176.199:443 | | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win10v2004-20230221-en
Max time kernel
92s
Max time network
124s
Command Line
Signatures
PureCrypter
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe
"C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R40P23D.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2860 -ip 2860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1984
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ashaambulanceservice.com | udp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.53.225.43.in-addr.arpa | udp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| IN | 43.225.53.24:443 | ashaambulanceservice.com | tcp |
| US | 20.189.173.4:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
Files
memory/2860-133-0x0000000000330000-0x000000000034E000-memory.dmp
memory/2860-134-0x00000000053A0000-0x0000000005944000-memory.dmp
memory/2860-135-0x0000000004CF0000-0x0000000004D82000-memory.dmp
memory/2860-136-0x0000000004F90000-0x0000000004FA0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-02-24 14:27
Reported
2023-02-24 14:29
Platform
win7-20230220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | js9400.duckdns.org | udp |
| RU | 194.147.140.16:9400 | js9400.duckdns.org | tcp |