Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2023 03:24

Static task: static1
Behavioral task: behavioral1 (sample vjworm.js, resource win7-20230220-en)
Behavioral task: behavioral2 (sample vjworm.js, resource win10v2004-20230220-en)

General
Target: vjworm.js
Size: 47KB
MD5: 4d4480b2a363d66f2647d10d978c085a
SHA1: 3f9d64be86691d734d8d7018ff0436b615e7effc
SHA256: 76c7451f27cd07c3bbe48b7378ed85047036c65fed201128b892545ff8e46a5a
SHA512: 3425b770417baabe9bfffe85f7ad084547fd5b10b53c0a7b05b65c2934412cdb24752db648f851447516ceb46de5bb4e8986688cade03a52a9ca232da60cb63b
SSDEEP: 768:8tZ8oMh8ycJrJWRJpBWefOydp5pb5aNs9SVY4D3HaTvICf99EWrWExBSSLtLG:8tZ8o28yKrJ+HWQOydp5pb5aNs90Y4DP
Malware Config
Signatures

Blocklisted process makes network request (20 IoCs)
All 20 requests were made by PID 1488 (wscript.exe, the //B relaunch of C:\Users\Admin\AppData\Roaming\vjworm.js):
flow IDs 10, 11, 14, 20, 24, 27, 33, 36, 39, 45, 48, 51, 57, 60, 63, 69, 72, 75, 81, 84
The Network section of this report carries no flow details, so destinations, ports and payloads cannot be read off this page; only the count and the originating PID are known. The flow IDs recur in groups of three at a roughly even spacing, which is consistent with repeated polling rather than a single download.
Drops startup file (5 IoCs)
Process: wscript.exe in every case.
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEFneLogGT.js
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEFneLogGT.js (recorded twice)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjworm.js
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjworm.js

Adds Run key to start application (2 TTPs, 8 IoCs)
Process: wscript.exe in every case; each of the four entries below is recorded twice in the report.
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\vjworm.js\""
Key created: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\software\microsoft\windows\currentversion\run
Set value (str): \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\vjworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\vjworm.js\""
The sample therefore persists three ways: the HKLM Run value, the HKCU Run value for the sandbox user, and the two Startup-folder scripts. Writing the HKLM Run key requires administrative rights, so on a standard-user host only the HKCU value and the Startup-folder copies would land.
Enumerates physical storage devices (1 TTPs)
Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
The ransomware label is the sandbox's generic heuristic for this API pattern. Nothing else in this report supports it: there is no mass file modification, no ransom note and no encryption-related artifact. For a self-copying JScript worm, drive enumeration is more consistent with looking for removable drives to copy itself to.
Suspicious use of WriteProcessMemory (9 IoCs)
Each parent/child pair is recorded three times:
PID 1104 (wscript.exe) wrote to memory of PID 1812, procid_target 28
PID 1104 (wscript.exe) wrote to memory of PID 1488, procid_target 29
PID 1488 (wscript.exe) wrote to memory of PID 588, procid_target 30
These pairs match the parent/child links in the process tree below exactly, so the signature records process spawning (the parent writing into the child it has just created) rather than injection into an unrelated process.
Processes

C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\vjworm.js
  PID 1104 (depth 1)
  signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEFneLogGT.js"
    PID 1812 (depth 2, parent 1104)
    signatures: Drops startup file

  C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\vjworm.js"
    PID 1488 (depth 2, parent 1104)
    signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEFneLogGT.js"
      PID 588 (depth 3, parent 1488)
      signatures: Drops startup file

The submitted sample (PID 1104) copies itself to C:\Users\Admin\AppData\Roaming\vjworm.js and relaunches that copy, which is the process that performs the network requests and re-applies the Run keys. //B is the Windows Script Host batch-mode switch: it suppresses script error dialogs and prompts, so the relaunched copies run without any visible window. The dropped NEFneLogGT.js is started by both the original and the relaunched copy.
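The Run-key and Startup-folder signatures above and this process tree describe one pattern: wscript.exe launched from a user-writable directory, relaunching scripts with //B, and script hosts spawning further script hosts. The block below is an added example, not code from the sandbox report or from the malware: a small Python detector run over constructed Sysmon-style events built from the report's IoCs (the field names, the parent PID 600 and the notepad.exe, OneDrive and desktop.ini control entries are assumptions). It generalises slightly beyond the report by also covering cscript.exe, the other WSH script extensions and RunOnce.

```python
"""Detect the WSH persistence and relaunch pattern recorded in the report above.

Added example, not part of the sandbox report. The events below are constructed
to mirror the report's IoCs (Sysmon-style field names are an assumption); the
notepad.exe, OneDrive and desktop.ini entries are benign controls.
"""
import re
from collections import defaultdict

# Windows Script Host binaries, preceded by start of string, a path separator, whitespace or a quote.
SCRIPT_HOST = re.compile(r"(?:^|[\\\s\"])(?:wscript|cscript)\.exe\b", re.IGNORECASE)
# //B is WSH batch mode: no error dialogs, no prompts, so the script runs silently.
BATCH_FLAG = re.compile(r"(?:^|\s)//B(?:\s|$)", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh)(?:\"|\s|$)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

EVENTS = [  # constructed from the report's process tree, Run-key and Startup-folder IoCs
    {"type": "process", "pid": 1104, "ppid": 600, "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\vjworm.js"},
    {"type": "file", "pid": 1104, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEFneLogGT.js"},
    {"type": "registry", "pid": 1104, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjworm",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\vjworm.js"'},
    {"type": "registry", "pid": 1104, "key": r"\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\vjworm",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\vjworm.js"'},
    {"type": "process", "pid": 1812, "ppid": 1104, "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEFneLogGT.js"'},
    {"type": "process", "pid": 1488, "ppid": 1104, "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\vjworm.js"'},
    {"type": "file", "pid": 1488, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjworm.js"},
    {"type": "process", "pid": 588, "ppid": 1488, "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NEFneLogGT.js"'},
    # benign controls (constructed): none of these should produce a finding
    {"type": "process", "pid": 2000, "ppid": 600, "cmd": r"notepad.exe C:\Users\Admin\Documents\todo.txt"},
    {"type": "registry", "pid": 900, "key": r"\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file", "pid": 900, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]


def suspicious_script_host(cmd):
    """A WSH host run in //B batch mode, or running a script out of a user-writable directory."""
    if not SCRIPT_HOST.search(cmd):
        return False
    return bool(BATCH_FLAG.search(cmd) or (SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd)))


def analyze(events):
    """Return (findings, children, procs): rule hits, parent->children map, pid->process event."""
    findings, children, procs = [], defaultdict(list), {}
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
            if suspicious_script_host(ev["cmd"]):
                findings.append(("script_host_exec", ev["pid"], ev["cmd"]))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]) and suspicious_script_host(ev["data"]):
                findings.append(("run_key_script_host", ev["pid"], ev["key"]))
        elif ev["type"] == "file":
            if STARTUP_DIR.search(ev["path"]) and SCRIPT_EXT.search(ev["path"]):
                findings.append(("startup_folder_script", ev["pid"], ev["path"]))
    # A script host spawned by another script host: the report's 1104 -> 1812/1488 -> 588 chain.
    for pid, ev in procs.items():
        parent = procs.get(ev["ppid"])
        if parent and SCRIPT_HOST.search(ev["cmd"]) and SCRIPT_HOST.search(parent["cmd"]):
            findings.append(("script_host_chain", pid, f"{parent['pid']} -> {pid}"))
    return findings, children, procs


def lineage(procs, pid):
    """Walk parent links as far as the event data allows; returns [ancestor, ..., pid]."""
    chain = [pid]
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
        chain.append(pid)
    return chain[::-1]


def render_tree(children, procs, root, depth=0):
    """Indented process tree below `root`, one line per process."""
    lines = []
    for pid in children.get(root, []):
        lines.append("  " * depth + f"{pid}: {procs[pid]['cmd']}")
        lines.extend(render_tree(children, procs, pid, depth + 1))
    return lines


if __name__ == "__main__":
    found, kids, table = analyze(EVENTS)
    for rule, pid, detail in found:
        print(f"[{rule}] pid={pid} {detail}")
    print("\n".join(render_tree(kids, table, 600)))
```

Against the constructed events the detector raises four script_host_exec hits (PIDs 1104, 1812, 1488, 588), two run_key_script_host hits (HKLM and HKCU), two startup_folder_script hits and three script_host_chain hits, and nothing for the control entries. The user-writable-directory condition is what keeps a domain logon script run from a network share (wscript.exe \\server\netlogon\logon.vbs) out of the findings; //B on its own is treated as suspicious because interactive users rarely pass it.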
Network
MITRE ATT&CK Enterprise v6
Downloads

The report lists six dropped files, but they are two distinct files, each recorded three times.

Filesize: 8KB (recorded 3 times)
MD5: f835554d0a082a0f29fceb25ca077d3a
SHA1: 3da72690ae950602516c471e6732810d484c9c4c
SHA256: 8fda4f0487b7a6c80ae2d524ab571f0819b229e9b453b0aa91ea67fdbffbcfb7
SHA512: 271a7870d427deeeebab5c04de4a39d071571ffeabb32b7fa8539c0f7269548a76c6a0973a49b951db3792bed59ad97a51584914a042324d46db43fe342479b1

Filesize: 47KB (recorded 3 times)
MD5: 4d4480b2a363d66f2647d10d978c085a
SHA1: 3f9d64be86691d734d8d7018ff0436b615e7effc
SHA256: 76c7451f27cd07c3bbe48b7378ed85047036c65fed201128b892545ff8e46a5a
SHA512: 3425b770417baabe9bfffe85f7ad084547fd5b10b53c0a7b05b65c2934412cdb24752db648f851447516ceb46de5bb4e8986688cade03a52a9ca232da60cb63b

The 47KB file carries the same hashes as the submitted sample, so it is the worm's unmodified copy of itself, matching the self-copies the Run keys and Startup-folder entries point at. The 8KB file is the other dropped script; the report does not pair hashes with filenames, so it cannot be tied to a specific path from this page alone. Both hash sets can be used as-is for blocklisting or retro-hunting, but a copy of the sample that has been re-obfuscated or had its configuration changed will not match them.