Malware Analysis Report

2024-11-13 15:40

Sample ID 230324-hfa3rseg9t
Target Orden_de_embargo__pdf.uue
SHA256 3f5a623301740e9a78429d41530fde0492026f3cf97d7b1e1fb91babf0c89d06
Tags
vjw0rm persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f5a623301740e9a78429d41530fde0492026f3cf97d7b1e1fb91babf0c89d06

Threat Level: Known bad

The file Orden_de_embargo__pdf.uue was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Execution chain, as recorded in the two behavioral runs below: the .uue attachment decodes to Orden_de_embargo__pdf.scr, an executable with a screensaver extension, which is started with /S. It spawns cmd.exe to run a dropped 1.bat, which launches Documento-pdf.exe with the switches -pDocumento and -d<directory>; those are consistent with the -p<password> and -d<destination> switches of a self-extracting archive, with "Documento" as the password. The archive drops Documento-pdf.js into %TEMP% and runs it with WScript.exe. That script writes copies of itself and a second script, FtWlbrTJaO.js, into %APPDATA% and the Start Menu Startup folder, registers a Run value named Documento-pdf under both HKCU and HKLM\SOFTWARE\Wow6432Node that relaunches the script with "wscript.exe //B" (the //B switch runs the script in batch mode, so errors and prompts are never shown), and the resulting wscript.exe instances beacon over TCP to javaautorun.duia.ro (23.111.200.87:5449) and cachi2818.duckdns.org (188.126.90.6:1510).

Two caveats when reading the tables: the "Suspicious use of WriteProcessMemory" rows are parent-to-child writes that line up exactly with the parent/child chain in the Processes list, so read them as the process tree rather than as evidence of injection into an unrelated process; and the HKLM Run value only succeeded because the sandbox user is an administrator, so on a standard-user host the HKCU value and the Startup folder copies are the persistence to look for. The two JavaScript files are distinct (SHA256 c9ed8584... for Documento-pdf.js, cb774141... for FtWlbrTJaO.js) and are the artifacts to pull for static analysis.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-24 06:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-24 06:40

Reported

2023-03-24 06:42

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A (this row appears 50 times in the original table, one per outbound request made by wscript.exe; no indicator or target was recorded for any of them)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js C:\Windows\SysWOW64\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3608 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr C:\Windows\SysWOW64\cmd.exe (logged 3 times)
PID 4640 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe (logged 3 times)
PID 4648 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe C:\Windows\SysWOW64\WScript.exe (logged 3 times)
PID 2896 wrote to memory of 3272 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe (logged 3 times)
PID 2896 wrote to memory of 1644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe (logged 3 times)
PID 1644 wrote to memory of 4948 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe (logged 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr

"C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "

C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe

Documento-pdf.exe -pDocumento -dC:\Users\Admin\AppData\Local\Temp

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento-pdf.js"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 javaautorun.duia.ro udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 8.8.8.8:53 cachi2818.duckdns.org udp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
US 8.8.8.8:53 37.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
FR 40.79.141.153:443 tcp
US 52.152.110.14:443 tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
US 52.152.110.14:443 tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
US 52.152.110.14:443 tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 52.152.110.14:443 tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
NL 173.223.113.164:443 tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp

Files

C:\Users\Admin\AppData\Local\Temp\1.bat

MD5 eb06c33b8a3d3d5b97437290a6c6667a
SHA1 01cf7cc470719780ac7426f81e9377a5a2fde2b0
SHA256 f59a9c3d70113758d4df71aac1b3c7cc4ab7b008625296656ff63889e483f5af
SHA512 e843113f9dc0a7e2222d99081f78ce3df94aadcef40295d811b459d835ae491913dc5f83a4407f877dcaaf71cfbd848be29f1335474bb8e6e9fa52c95617857c

C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe

MD5 61f92ceaeff088131346a89da5aea358
SHA1 280b8377dcabe6a87919f301606cbd19ee2cf94b
SHA256 ece3ab55fbecc5699b7e363b666b06f328b17da05e065e637c87ce08a7c38b2d
SHA512 cdd8f17d65e2e7669a0d8a53df879330b5c4d2ad62b26d4c08c127091bde48e11faf9cbd0e7d3ce7fa392767710cbbe712e3275b102083df87f2478a319847f1

C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js

MD5 00ff505f8de6f97f92a8277e89ed91a0
SHA1 eb96b024221ad9ea73f4d8ab0ec23e99c007c02c
SHA256 c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6
SHA512 ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js

MD5 20610ce7393521f1f07bc5f77ae2935e
SHA1 ec8d679edf1d334ec9bcf1275060ab29b69b71cc
SHA256 cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda
SHA512 d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2

C:\Users\Admin\AppData\Roaming\Documento-pdf.js

MD5 00ff505f8de6f97f92a8277e89ed91a0
SHA1 eb96b024221ad9ea73f4d8ab0ec23e99c007c02c
SHA256 c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6
SHA512 ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js

MD5 00ff505f8de6f97f92a8277e89ed91a0
SHA1 eb96b024221ad9ea73f4d8ab0ec23e99c007c02c
SHA256 c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6
SHA512 ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js

MD5 20610ce7393521f1f07bc5f77ae2935e
SHA1 ec8d679edf1d334ec9bcf1275060ab29b69b71cc
SHA256 cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda
SHA512 d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-24 06:40

Reported

2023-03-24 06:42

Platform

win7-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A (this row appears 46 times in the original table, one per outbound request made by wscript.exe; no indicator or target was recorded for any of them)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\WScript.exe N/A
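The Run values in this table and in the matching behavioral2 table differ only in the user SID, so one detection serves both. The following is an added example, not part of the original report and not the sandbox's own signature code: it parses the "Set value (str)" rows above into key path, value name and the command line the value will execute, then applies one rule, a Windows Script Host binary started with the //B switch on a script that lives under a user-writable directory. The third row is a constructed benign control that does not appear in the report, so the rule is seen not firing as well as firing. Decoding the value with ast.literal_eval relies on the sandbox printing values as C-style escaped strings; that is an assumption about the report format, checked only on these rows.

```python
"""Flag the Run-key persistence recorded in the tables above.

Added example: not part of the original report and not the sandbox's
signature code. Parses 'Set value (str)' rows from the 'Adds Run key to
start application' tables (behavioral1 and behavioral2 rows differ only
in the user SID) and applies one rule: a Windows Script Host binary run
with //B (batch mode, errors and prompts suppressed) on a script under a
user-writable directory. The last row is a constructed benign control.
"""
import ast
import re
import shlex

# Rows 1 and 2 are copied from the behavioral1 table above; row 3 is a
# constructed benign entry (not from the report) used as a negative control.
RUN_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate = "\"C:\\Program Files\\Vendor\\Updater.exe\" /silent" C:\Program Files\Vendor\Setup.exe N/A
'''

# Table columns: Description | Indicator | Process | Target. The description
# holds '<key>\<value name> = "<escaped value>"'; Process is the writer.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\ ]+) = '
    r'(?P<value>"(?:[^"\\]|\\.)*") (?P<writer>.+?) N/A$'
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Locations a non-admin user can write to; a Run value pointing here is far
# more suspicious than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_run_rows(text):
    """Rows -> dicts carrying the decoded command line the Run value executes."""
    entries = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        entries.append({
            "key": m["key"],
            "name": m["name"],
            "command": ast.literal_eval(m["value"]),  # undo the sandbox's escaping (assumed C-style)
            "writer": m["writer"],
        })
    return entries


def split_windows_cmdline(command):
    """Tokenise for the common case: whitespace-separated, double quotes group
    a token, backslashes stay literal path separators (posix=False keeps them)."""
    return [tok.strip('"') for tok in shlex.split(command, posix=False)]


def assess(entry):
    """Return a finding dict when the Run value matches the rule, else None."""
    argv = split_windows_cmdline(entry["command"])
    if not argv:
        return None
    host = argv[0].rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return None
    scripts = [a for a in argv[1:] if a.lower().endswith(SCRIPT_EXTS)]
    if not scripts:
        return None
    script = scripts[0]
    silent = any(a.lower() in ("//b", "/b") for a in argv[1:])
    writable = any(part in script.lower() for part in USER_WRITABLE)
    return {
        "key": entry["key"],
        "name": entry["name"],
        "host": host,
        "script": script,
        "silent": silent,
        "user_writable": writable,
        "machine_wide": entry["key"].upper().startswith("\\REGISTRY\\MACHINE\\"),
        "written_by": entry["writer"],
        "severity": "high" if (silent and writable) else "medium" if writable else "low",
    }


def findings(text):
    return [f for f in (assess(e) for e in parse_run_rows(text)) if f]


if __name__ == "__main__":
    for f in findings(RUN_ROWS):
        scope = "HKLM" if f["machine_wide"] else "HKCU"
        flag = "//B " if f["silent"] else ""
        print(f'{f["severity"]:6} {scope} Run\\{f["name"]}: {f["host"]} {flag}{f["script"]}')
```

Both report rows come out as "high" (script host, //B, script under %APPDATA%); the HKLM row additionally reports machine_wide, which is the one that would not exist on a standard-user host. The same assess() function works on values read live from a host with winreg, since it only needs the decoded command string.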

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr C:\Windows\SysWOW64\cmd.exe (logged 4 times)
PID 472 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe (logged 4 times)
PID 1460 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe C:\Windows\SysWOW64\WScript.exe (logged 4 times)
PID 1692 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe (logged 4 times)
PID 1692 wrote to memory of 372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe (logged 4 times)
PID 372 wrote to memory of 1468 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe (logged 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr

"C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "

C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe

Documento-pdf.exe -pDocumento -dC:\Users\Admin\AppData\Local\Temp

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento-pdf.js"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
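The "Suspicious use of WriteProcessMemory" rows and the Processes list above (and their behavioral2 counterparts, which have the same layout with different PIDs) describe one process tree, but only implicitly. The following is an added example, not part of the original report and not the sandbox's own code: it parses the "PID A wrote to memory of B" rows, collapses the repeated rows into per-edge write counts, and renders the tree, which makes the hand-off from the .scr through cmd.exe and the dropped EXE into two generations of wscript.exe visible at a glance. The row text is copied from the behavioral1 table; only the first edge's duplicate rows are reproduced, to show that repeats become counts rather than extra nodes.

```python
"""Rebuild the parent/child process chain from the report's tables.

Added example: not part of the original sandbox report and not the
sandbox's own code. Parses the 'Suspicious use of WriteProcessMemory'
rows of the behavioral1 run (behavioral2 rows have the same layout) and
renders the tree those flat rows imply.
"""
import re
from collections import defaultdict

# Rows copied from the behavioral1 table above. Only the first edge's
# duplicates are kept, to show that repeats turn into an edge count.
WPM_ROWS = r"""
PID 1516 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
PID 1460 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe C:\Windows\SysWOW64\WScript.exe
PID 1692 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1692 wrote to memory of 372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 372 wrote to memory of 1468 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
"""

# Table columns: Description | Indicator | Process | Target. The description
# carries both PIDs; Process is the writer (parent) image and Target the
# written-to (child) image. None of these paths contain spaces.
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_image>\S+) (?P<child_image>\S+)$"
)


def parse_edges(text):
    """Return ({(parent_pid, child_pid): write_count}, {pid: image_path})."""
    edges = defaultdict(int)
    image = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child = int(m["parent"]), int(m["child"])
        edges[(parent, child)] += 1
        image[parent] = m["parent_image"]
        image[child] = m["child_image"]
    return dict(edges), image


def roots(edges):
    """PIDs that write to others but were never written to: the detonated sample."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def lineage(edges, pid):
    """PIDs from the root down to `pid`; every child in this table has one parent."""
    parent_of = {c: p for p, c in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(edges, image):
    """Indented text tree, one line per process: '<pid> <image basename> (<n> writes)'."""
    kids = defaultdict(list)
    for (p, c), n in edges.items():
        kids[p].append((c, n))
    lines = []

    def walk(pid, depth, n_writes):
        name = image[pid].rsplit("\\", 1)[-1]
        plural = "s" if n_writes != 1 else ""
        suffix = f"  ({n_writes} write{plural} from parent)" if n_writes else ""
        lines.append("  " * depth + f"{pid} {name}{suffix}")
        for child, n in sorted(kids.get(pid, [])):
            walk(child, depth + 1, n)

    for r in roots(edges):
        walk(r, 0, 0)
    return "\n".join(lines)


def script_host_chains(edges, image):
    """Edges where one Windows Script Host process starts another. In this
    report that is the dropped .js relaunching the %APPDATA% copies."""
    def is_wsh(path):
        return path.rsplit("\\", 1)[-1].lower() in ("wscript.exe", "cscript.exe")
    return sorted((p, c) for p, c in edges if is_wsh(image[p]) and is_wsh(image[c]))


if __name__ == "__main__":
    edges, image = parse_edges(WPM_ROWS)
    print(render(edges, image))
    print("root PID:", roots(edges))
    print("deepest lineage:", " -> ".join(map(str, lineage(edges, 1468))))
    print("WSH -> WSH launches:", script_host_chains(edges, image))
```

The rendered tree has a single root, 1516 (the .scr), and the deepest lineage runs 1516 -> 472 -> 1460 -> 1692 -> 372 -> 1468, matching the Processes list order above. The three wscript-to-wscript edges are the ones a process-ancestry detection would key on: a script host with a script host parent is rare in normal administration.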

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 cachi2818.duckdns.org udp
US 8.8.8.8:53 javaautorun.duia.ro udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
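Both Network tables (this one and the behavioral2 one) mix resolver noise, reverse lookups and a few undomained HTTPS connections in with the two endpoints the sample actually keeps reconnecting to. The following is an added example, not part of the original report and not the sandbox's own code: it parses the "Country Destination Domain Proto" rows (a subset copied from the two tables is embedded), separates DNS traffic and PTR lookups from TCP sessions, and ranks the endpoints by connection count. Rows with no domain are counted but never promoted to beacons, because the report offers no evidence of what they are. Treating duckdns.org as a dynamic-DNS provider is a known fact; treating duia.ro the same way is an assumption made for this example and should be verified before it drives a blocklist.

```python
"""Extract the C2 indicators from the Network tables above.

Added example: not part of the original report and not the sandbox's
own code. Parses 'Country Destination Domain Proto' rows, separates DNS
and PTR noise from TCP sessions, and ranks the beaconed endpoints.
"""
from collections import Counter

# Subset of rows copied from the behavioral2 and behavioral1 Network
# tables above; the full tables have the same four-column layout, with
# the Domain column empty for connections that followed no name lookup.
NETWORK_ROWS = """
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 javaautorun.duia.ro udp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 8.8.8.8:53 cachi2818.duckdns.org udp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
FR 40.79.141.153:443 tcp
US 52.152.110.14:443 tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
RU 23.111.200.87:5449 javaautorun.duia.ro tcp
US 52.152.110.14:443 tcp
SE 188.126.90.6:1510 cachi2818.duckdns.org tcp
"""

DYNDNS_SUFFIXES = ("duckdns.org", "duia.ro")  # duia.ro is an assumption, see lead-in
WEB_PORTS = {80, 443}


def parse_rows(text):
    """Each row is 'CC ip:port [domain] proto'; domain is absent when the
    sandbox saw no name lookup for that connection."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:
            cc, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_reverse_lookup(domain):
    return bool(domain) and domain.endswith(".in-addr.arpa")


def resolved_names(rows):
    """Forward DNS lookups the sample issued; PTR lookups are resolver noise."""
    return sorted({
        r["domain"] for r in rows
        if r["proto"] == "udp" and r["port"] == 53
        and r["domain"] and not is_reverse_lookup(r["domain"])
    })


def endpoints(rows):
    """TCP endpoints as (ip, port, domain, connections), most contacted first."""
    counts = Counter((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")
    return [(ip, port, domain, n) for (ip, port, domain), n in counts.most_common()]


def beacon_candidates(rows):
    """Endpoints reached through a name the sample resolved, contacted more
    than once, on a non-web port or under a dynamic-DNS domain."""
    names = set(resolved_names(rows))
    out = []
    for ip, port, domain, n in endpoints(rows):
        if domain not in names or n < 2:
            continue
        dyndns = domain.endswith(DYNDNS_SUFFIXES)
        if port not in WEB_PORTS or dyndns:
            out.append({"ip": ip, "port": port, "domain": domain,
                        "connections": n, "dyndns": dyndns})
    return out


def iocs(rows):
    """Flat blocklist input: every beacon domain and ip:port pair, sorted."""
    items = set()
    for b in beacon_candidates(rows):
        items.add(b["domain"])
        items.add(f'{b["ip"]}:{b["port"]}')
    return sorted(items)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print("resolved:", resolved_names(rows))
    for b in beacon_candidates(rows):
        print(f'{b["domain"]} -> {b["ip"]}:{b["port"]} x{b["connections"]} dyndns={b["dyndns"]}')
    print("iocs:", iocs(rows))
```

Run over the full tables the same way, the two beacons account for almost every TCP row (30 and 16 connections in this run, 32 and 18 in behavioral2), while the port-443 destinations without a domain appear once or a handful of times and should be checked against the sandbox platform's own background traffic before being added to any blocklist.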

Files

C:\Users\Admin\AppData\Local\Temp\1.bat

MD5 eb06c33b8a3d3d5b97437290a6c6667a
SHA1 01cf7cc470719780ac7426f81e9377a5a2fde2b0
SHA256 f59a9c3d70113758d4df71aac1b3c7cc4ab7b008625296656ff63889e483f5af
SHA512 e843113f9dc0a7e2222d99081f78ce3df94aadcef40295d811b459d835ae491913dc5f83a4407f877dcaaf71cfbd848be29f1335474bb8e6e9fa52c95617857c

C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe (listed three times by the sandbox, once under the drive-less path \Users\Admin\AppData\Local\Temp\Documento-pdf.exe; identical hashes each time)

MD5 61f92ceaeff088131346a89da5aea358
SHA1 280b8377dcabe6a87919f301606cbd19ee2cf94b
SHA256 ece3ab55fbecc5699b7e363b666b06f328b17da05e065e637c87ce08a7c38b2d
SHA512 cdd8f17d65e2e7669a0d8a53df879330b5c4d2ad62b26d4c08c127091bde48e11faf9cbd0e7d3ce7fa392767710cbbe712e3275b102083df87f2478a319847f1

C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js

MD5 00ff505f8de6f97f92a8277e89ed91a0
SHA1 eb96b024221ad9ea73f4d8ab0ec23e99c007c02c
SHA256 c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6
SHA512 ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js

MD5 20610ce7393521f1f07bc5f77ae2935e
SHA1 ec8d679edf1d334ec9bcf1275060ab29b69b71cc
SHA256 cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda
SHA512 d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2

C:\Users\Admin\AppData\Roaming\Documento-pdf.js

MD5 00ff505f8de6f97f92a8277e89ed91a0
SHA1 eb96b024221ad9ea73f4d8ab0ec23e99c007c02c
SHA256 c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6
SHA512 ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js

MD5 00ff505f8de6f97f92a8277e89ed91a0
SHA1 eb96b024221ad9ea73f4d8ab0ec23e99c007c02c
SHA256 c9ed8584cf9b6fd071b98e94a056d00a84223ca1994a3e514a40e486320b0dd6
SHA512 ad9e23a5512fddf43b8ff462a1e2dbdb42dd80c97359b614b3aad816116a47003debb77137d2ec4f3fccdbae0fae279404dbf1cc913ebe028f1cc05653b7cc9f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js

MD5 20610ce7393521f1f07bc5f77ae2935e
SHA1 ec8d679edf1d334ec9bcf1275060ab29b69b71cc
SHA256 cb774141828a2cba93d3b7ec9aa1052a160af7088e769b24a45bd8095c0dedda
SHA512 d63adb503083752371ad1c40c2b92fcd75428eaff30d128d4e55c247a8aab9e78d27e0f7547fcec4cbb56c2d7a2943766d337c715c3536ea400f4ed9c44906a2