Malware Analysis Report

2024-11-15 08:05

Sample ID 230310-hgpmjsca34
Target 3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871
SHA256 3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871
Tags
formbook vjw0rm a24e rat spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871

Threat Level: Known bad

The file 3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871 was found to be: Known bad.

Malicious Activity Summary

formbook vjw0rm a24e rat spyware stealer trojan worm

Formbook

Vjw0rm

Formbook payload

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-10 06:42

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-10 06:42

Reported

2023-03-10 06:45

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871.js

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfehVeXIsQ.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfehVeXIsQ.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1056 set thread context of 3184 N/A C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe C:\Windows\Explorer.EXE
PID 2068 set thread context of 3184 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe N/A (4 identical rows)
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A (56 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A (9 identical rows)
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A (9 identical rows)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wscript.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871.js

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js"

C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe

"C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"

Network


Files

C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js

MD5 ef7a0bcfc54e28b9a81af747b834c898
SHA1 47f605a45958a0beab476be0ef3b97434f7b999e
SHA256 24fc05651edf06401a27a583f1dbe295881a16f9f98a04321319f3873a8569a4
SHA512 c975ac3784e346a0ed4f754177f25d256b41bd0bf707f37f0e04e3d15022db5e6d9bfbe50719b8ac483f9b7406a0a3a2782a28f279a046f61faffb863ec5da31

C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe

MD5 a20ea9350fa5aa4d9641723f3dfc1b31
SHA1 c23cf2953ea071eac81740a687473442c66e73de
SHA256 01afe1517575e1fd7f60e86702fc11a97cfc74718e520c6016eef42fa164b4ae
SHA512 296b4ace0af1f33abb8c3c0262999b07c8ad6e9a4c075959b43335992f1058865581b2c7d362dc824ed787f61dc9c62338778cd28e12add2ac34b086ca62e035


Analysis: behavioral1

Detonation Overview

Submitted

2023-03-10 06:42

Reported

2023-03-10 06:45

Platform

win7-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfehVeXIsQ.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfehVeXIsQ.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 668 set thread context of 1252 N/A C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe C:\Windows\Explorer.EXE
PID 1300 set thread context of 1252 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wininit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A (2 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 1044 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (3 identical rows)
PID 1996 wrote to memory of 668 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe (4 identical rows)
PID 1252 wrote to memory of 1300 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe (4 identical rows)
PID 1300 wrote to memory of 832 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js"

C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe

"C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"

C:\Windows\SysWOW64\wininit.exe

"C:\Windows\SysWOW64\wininit.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"

Network


Files

C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js

MD5 ef7a0bcfc54e28b9a81af747b834c898
SHA1 47f605a45958a0beab476be0ef3b97434f7b999e
SHA256 24fc05651edf06401a27a583f1dbe295881a16f9f98a04321319f3873a8569a4
SHA512 c975ac3784e346a0ed4f754177f25d256b41bd0bf707f37f0e04e3d15022db5e6d9bfbe50719b8ac483f9b7406a0a3a2782a28f279a046f61faffb863ec5da31

C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe

MD5 a20ea9350fa5aa4d9641723f3dfc1b31
SHA1 c23cf2953ea071eac81740a687473442c66e73de
SHA256 01afe1517575e1fd7f60e86702fc11a97cfc74718e520c6016eef42fa164b4ae
SHA512 296b4ace0af1f33abb8c3c0262999b07c8ad6e9a4c075959b43335992f1058865581b2c7d362dc824ed787f61dc9c62338778cd28e12add2ac34b086ca62e035
