Malware Analysis Report

2024-11-15 08:04

Sample ID: 230311-1hc91sbd44
Target: 32_94_payment_bv_xls.vhd
SHA256: fc82b563d313863573783df7d7b533da56a26e167db3a9143c7a780f1cab793d
Tags: vjw0rm persistence trojan worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fc82b563d313863573783df7d7b533da56a26e167db3a9143c7a780f1cab793d

Threat Level: Known bad

The file 32_94_payment_bv_xls.vhd was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-03-11 21:39

Signatures

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 27s
Max time network: 30s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 144s
Max time network: 150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Network

Country Destination Domain Proto
US 52.152.110.14:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 js9400.duckdns.org udp
EE 91.193.75.174:9400 js9400.duckdns.org tcp
US 8.8.8.8:53 174.75.193.91.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 111s
Max time network: 135s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RMH8R2U.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$RMH8R2U.js'" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 254.139.241.8.in-addr.arpa udp
US 8.8.8.8:53 js9400.duckdns.org udp
EE 91.193.75.174:9400 js9400.duckdns.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 174.75.193.91.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 222.147.198.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 65.94.81.40.in-addr.arpa udp
US 20.189.173.11:443 tcp
GB 157.240.221.35:443 tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 33.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 99.113.223.173.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 151s
Max time network: 30s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.dat\ = "dat_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.dat C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\dat_auto_file C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230221-en
Max time kernel: 77s
Max time network: 127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Network

Country Destination Domain Proto
US 117.18.237.29:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 52.168.112.66:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
US 93.184.221.240:80 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 83s
Max time network: 153s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\WPSettings.dat"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 52.152.108.96:443 tcp
US 20.189.173.3:443 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 122s
Max time network: 152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$IMH8R2U.js

Network

Country Destination Domain Proto
US 117.18.237.29:80 tcp
US 117.18.237.29:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 20.189.173.5:443 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
NL 95.101.78.106:80 tcp
US 52.109.13.62:443 tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 149s
Max time network: 31s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x568

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 141s
Max time network: 127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I4FIL8H.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 38.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 20.42.73.26:443 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 97.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 28s
Max time network: 33s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$I5VEPRW.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 124s
Max time network: 130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R4FIL8H.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$R4FIL8H.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R4FIL8H.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 js9400.duckdns.org udp
EE 91.193.75.174:9400 js9400.duckdns.org tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 123s
Max time network: 127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 js9400.duckdns.org udp
EE 91.193.75.174:9400 js9400.duckdns.org tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 146s
Max time network: 156s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\desktop.ini

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\desktop.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 52.152.110.14:443 tcp
US 8.247.210.254:80 tcp
NL 173.223.113.164:443 tcp
US 52.152.110.14:443 tcp
US 8.247.210.254:80 tcp
IE 52.109.77.0:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 97.238.32.23.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 29s
Max time network: 34s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\IndexerVolumeGuid"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\IndexerVolumeGuid"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 127s
Max time network: 133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$RMH8R2U.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$RMH8R2U.js'" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RMH8R2U.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 js9400.duckdns.org udp
EE 91.193.75.174:9400 js9400.duckdns.org tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win7-20230220-en
Max time kernel: 25s
Max time network: 32s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\desktop.ini

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\desktop.ini

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 75s
Max time network: 153s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\IndexerVolumeGuid"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\System Volume Information\IndexerVolumeGuid"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp
US 20.42.65.85:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 97.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 126.139.241.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2023-03-11 21:38
Reported: 2023-03-11 21:42
Platform: win10v2004-20230220-en
Max time kernel: 141s
Max time network: 147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$R5VEPRW.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0YME0MQN5Y = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\$R5VEPRW.js'" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$R5VEPRW.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 117.18.232.240:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 js9400.duckdns.org udp
EE 91.193.75.174:9400 js9400.duckdns.org tcp
US 8.8.8.8:53 174.75.193.91.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FR 40.79.141.153:443 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 97.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

N/A