Overview

overview

10

Static

static

1

Orden_de_e...df.scr

windows7-x64

10

Orden_de_e...df.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    24-03-2023 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orden_de_embargo__pdf.scr

  • Size

    697KB

  • MD5

    08d0d2ae2030e26e3257869f0c1129e4

  • SHA1

    c82aa06abed5ea9ead115e5a83d49183519f20de

  • SHA256

    4c3bf5e59687731fbbbfbce763a4e097cd3863fd39773fc2e6189a2658dfb1a5

  • SHA512

    65fb86ed49c510ea4a3f622b4cb9affed0358ff50f96d937b7345d1b0e92916a9bc527a4558ffbe9205be6b6c86f4403d60afc5e0d1d1ab29e03cdfcc8e4e3dc

  • SSDEEP

    12288:soVl2TmnvZAdJ41JHQbYEAmDJAb8f+jtT6vcxXiFmxG4yeXnCugYUU87UF:9VgmnudJ41JhQLmT6ijxr3zUH7UF

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 46 IoCs
  • Drops startup file 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr
    "C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
        Documento-pdf.exe -pDocumento -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js"
          4⤵
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
            5⤵
            • Blocklisted process makes network request
            • Drops startup file
            PID:1352
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento-pdf.js"
            5⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:372
            • C:\Windows\SysWOW64\wscript.exe
              "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
              6⤵
              • Blocklisted process makes network request
              • Drops startup file
              PID:1468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.bat
    Filesize

    38B

    MD5

    eb06c33b8a3d3d5b97437290a6c6667a

    SHA1

    01cf7cc470719780ac7426f81e9377a5a2fde2b0

    SHA256

    f59a9c3d70113758d4df71aac1b3c7cc4ab7b008625296656ff63889e483f5af

    SHA512

    e843113f9dc0a7e2222d99081f78ce3df94aadcef40295d811b459d835ae491913dc5f83a4407f877dcaaf71cfbd848be29f1335474bb8e6e9fa52c95617857c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1.bat
    Filesize

    38B

    MD5

    eb06c33b8a3d3d5b97437290a6c6667a

    SHA1

    01cf7cc470719780ac7426f81e9377a5a2fde2b0

    SHA256

    f59a9c3d70113758d4df71aac1b3c7cc4ab7b008625296656ff63889e483f5af

    SHA512

    e843113f9dc0a7e2222d99081f78ce3df94aadcef40295d811b459d835ae491913dc5f83a4407f877dcaaf71cfbd848be29f1335474bb8e6e9fa52c95617857c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
    Filesize

    499KB

    MD5

    61f92ceaeff088131346a89da5aea358

    SHA1

    280b8377dcabe6a87919f301606cbd19ee2cf94b

    SHA256

    ece3ab55fbecc5699b7e363b666b06f328b17da05e065e637c87ce08a7c38b2d

    SHA512

    cdd8f17d65e2e7669a0d8a53df879330b5c4d2ad62b26d4c08c127091bde48e11faf9cbd0e7d3ce7fa392767710cbbe712e3275b102083df87f2478a319847f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
    Filesize

    499KB

    MD5

    61f92ceaeff088131346a89da5aea358

    SHA1

    280b8377dcabe6a87919f301606cbd19ee2cf94b

    SHA256

    ece3ab55fbecc5699b7e363b666b06f328b17da05e065e637c87ce08a7c38b2d

    SHA512

    cdd8f17d65e2e7669a0d8a53df879330b5c4d2ad62b26d4c08c127091bde48e11faf9cbd0e7d3ce7fa392767710cbbe712e3275b102083df87f2478a319847f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js
    Filesize

    3.0MB

    MD5

    00ff505f8de6f97f92a8277e89ed91a0

    SHA1

    eb96b024221ad9ea73f4d8ab0ec23e99c007c02c

    SHA256

    c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6

    SHA512

    ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Documento-pdf.js
    Filesize

    3.0MB

    MD5

    00ff505f8de6f97f92a8277e89ed91a0

    SHA1

    eb96b024221ad9ea73f4d8ab0ec23e99c007c02c

    SHA256

    c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6

    SHA512

    ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Documento-pdf.js
    Filesize

    3.0MB

    MD5

    00ff505f8de6f97f92a8277e89ed91a0

    SHA1

    eb96b024221ad9ea73f4d8ab0ec23e99c007c02c

    SHA256

    c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6

    SHA512

    ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js
    Filesize

    346KB

    MD5

    20610ce7393521f1f07bc5f77ae2935e

    SHA1

    ec8d679edf1d334ec9bcf1275060ab29b69b71cc

    SHA256

    cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda

    SHA512

    d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js
    Filesize

    346KB

    MD5

    20610ce7393521f1f07bc5f77ae2935e

    SHA1

    ec8d679edf1d334ec9bcf1275060ab29b69b71cc

    SHA256

    cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda

    SHA512

    d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js
    Filesize

    3.0MB

    MD5

    00ff505f8de6f97f92a8277e89ed91a0

    SHA1

    eb96b024221ad9ea73f4d8ab0ec23e99c007c02c

    SHA256

    c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6

    SHA512

    ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js
    Filesize

    346KB

    MD5

    20610ce7393521f1f07bc5f77ae2935e

    SHA1

    ec8d679edf1d334ec9bcf1275060ab29b69b71cc

    SHA256

    cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda

    SHA512

    d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Documento-pdf.exe
    Filesize

    499KB

    MD5

    61f92ceaeff088131346a89da5aea358

    SHA1

    280b8377dcabe6a87919f301606cbd19ee2cf94b

    SHA256

    ece3ab55fbecc5699b7e363b666b06f328b17da05e065e637c87ce08a7c38b2d

    SHA512

    cdd8f17d65e2e7669a0d8a53df879330b5c4d2ad62b26d4c08c127091bde48e11faf9cbd0e7d3ce7fa392767710cbbe712e3275b102083df87f2478a319847f1

    Download Submit