Analysis

  • max time kernel
    165s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2023 12:06

General

  • Target

    windows.exe

  • Size

    541KB

  • MD5

    c159fc653a86ef3eab80e5d06b9cfa2c

  • SHA1

    f95b35bcd8528dafda2b8fd53bed2bab150676e3

  • SHA256

    b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b

  • SHA512

    78ee8d1c957f21e6023f4c9096f63c9bc697620cfc7584bb937b4cffb792f312c8fd0cb586c0aa4f43ddf8e622042f2c85852f10018e0c5799d6dd02903ab9f2

  • SSDEEP

    12288:lBXSh9d55EWf6bkHXgtQZDsfDfWXWBt9ExkUp8ZbcoahOOufKlgc+ABeaESJAzEM:7QZQz8Du4

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT (WSH RAT) is a variant of the Houdini (H-Worm) remote access trojan and exists in both VBScript and JScript forms, which matches the .vbs and .js stages in the process tree below.

  • WSHRAT payload 4 IoCs
  • Blocklisted process makes network request 32 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Script User-Agent 4 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\windows.exe
    "C:\Users\Admin\AppData\Local\Temp\windows.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lRDdN.vbs"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\lRDdN.vbs"
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Drops startup file
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\windows.js"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:5032
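The tree above is the detectable part of this sample: a dropper in the user's Temp directory starts wscript.exe on a .vbs in Roaming, which restarts itself with //B (batch mode, so no error dialogs) and finally hands off to a .js, with every stage living under C:\Users. Note also that each command line names System32\wscript.exe while the image that actually ran is the SysWOW64 copy: the caller was a 32-bit process and WoW64 file-system redirection kicked in. The following is an added example, not part of the sandbox report, that runs those rules over Sysmon-style process-creation events. The events are constructed from the Processes section (PIDs, images and command lines are copied from it; parent PIDs follow the nesting); the explorer.exe root and the benign inventory.vbs control event are invented for contrast.

```python
"""Detection logic for the script-host chain in the process tree above.

Added example, not part of the sandbox report. EVENTS is constructed from
the Processes section; the explorer.exe root (pid 1234) and the benign
inventory.vbs event (pid 6000) are invented for contrast.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Paths an unprivileged user can write to (lower-case for comparison).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

EVENTS = [  # constructed Sysmon-style process-creation records
    {"pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 4032, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\windows.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\windows.exe"'},
    {"pid": 4236, "ppid": 4032, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lRDdN.vbs"'},
    {"pid": 3300, "ppid": 4236, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\lRDdN.vbs"'},
    {"pid": 5032, "ppid": 3300, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\windows.js"'},
    {"pid": 6000, "ppid": 1234, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\inventory.vbs"'},
]


def tokenize(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def analyse(event, by_pid):
    """Return the reasons an event looks like this chain (empty list if benign)."""
    reasons = []
    image = event["image"].lower()
    if not image.endswith(SCRIPT_HOSTS):
        return reasons
    args = tokenize(event["cmd"])[1:]
    for script in (a for a in args if a.lower().endswith(SCRIPT_EXT)):
        if script.lower().startswith(USER_WRITABLE):
            reasons.append(f"script in user-writable path: {script}")
        if STARTUP_DIR in script.lower():
            reasons.append(f"script in Startup folder: {script}")
    if any(a.lower() == "//b" for a in args):
        reasons.append("//B batch mode: suppresses script errors and prompts")
    parent = by_pid.get(event["ppid"])
    if parent and parent["image"].lower().endswith(SCRIPT_HOSTS):
        reasons.append(f"script host spawned by script host (pid {parent['pid']})")
    elif parent and parent["image"].lower().startswith(USER_WRITABLE):
        reasons.append(f"parent runs from user-writable path: {parent['image']}")
    # The command line names System32 but the image that ran is the SysWOW64
    # copy: the caller was a 32-bit process and hit file-system redirection.
    if "\\syswow64\\" in image and "\\system32\\" in event["cmd"].lower():
        reasons.append("32-bit caller: System32 path redirected to SysWOW64")
    return reasons


def ancestry(pid, by_pid):
    """Images from the given process up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def scan(events):
    """Map pid -> reasons for every event that triggers at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: r for e in events if (r := analyse(e, by_pid))}


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for pid, reasons in scan(EVENTS).items():
        print(pid, " <- ".join(ancestry(pid, by_pid)))
        for reason in reasons:
            print("   ", reason)
```

Run stand-alone it prints the three wscript.exe stages with their ancestry back to the dropper and the rules each one tripped; the control event from Program Files, launched by explorer.exe, trips none. The per-rule reasons are deliberately kept separate rather than folded into one score so that a hunt can pivot on any single one, for example every script host whose parent is another script host.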

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QM3UZKSX\json[1].json

    Filesize

    323B

    MD5

    0c17abb0ed055fecf0c48bb6e46eb4eb

    SHA1

    a692730c8ec7353c31b94a888f359edb54aaa4c8

    SHA256

    f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

    SHA512

    645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs

    Filesize

    185KB

    MD5

    43fca5129026c9b6b49ce26c27759df2

    SHA1

    46a4acdd5faae42e04ba753f69e6e777324ae8e9

    SHA256

    a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

    SHA512

    c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js

    Filesize

    3KB

    MD5

    14d1d9d3dc5e8d0eac04d5b78645a2ea

    SHA1

    aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

    SHA256

    92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

    SHA512

    e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

  • C:\Users\Admin\AppData\Roaming\lRDdN.vbs

    Filesize

    185KB

    MD5

    43fca5129026c9b6b49ce26c27759df2

    SHA1

    46a4acdd5faae42e04ba753f69e6e777324ae8e9

    SHA256

    a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

    SHA512

    c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

  • C:\Users\Admin\lRDdN.vbs

    Filesize

    185KB

    MD5

    43fca5129026c9b6b49ce26c27759df2

    SHA1

    46a4acdd5faae42e04ba753f69e6e777324ae8e9

    SHA256

    a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

    SHA512

    c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

  • C:\Users\Admin\windows.js

    Filesize

    3KB

    MD5

    14d1d9d3dc5e8d0eac04d5b78645a2ea

    SHA1

    aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

    SHA256

    92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

    SHA512

    e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

  • memory/4032-133-0x00000000016B0000-0x00000000016C0000-memory.dmp

    Filesize

    64KB
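The Downloads listing records the same 185KB script under several paths with identical hashes, and the memory dump entry carries a size but no hashes, so turning it into an IoC list means collapsing by SHA256 and keeping the paths, since the paths are what say how the sample persists (the per-user Startup folder) versus where it merely staged a copy. The following is an added example, not part of the sandbox report: a parser for that listing format plus the dedup. SAMPLE is copied from the listing, trimmed to the Filesize, MD5 and SHA256 fields, with one Startup-folder entry repeated deliberately to exercise the dedup.

```python
"""Collapse the report's Downloads listing to unique artifacts by SHA256.

Added example, not part of the sandbox report. SAMPLE is copied from the
listing above, trimmed to Filesize/MD5/SHA256; one entry is repeated on
purpose so the dedup is visible.
"""

SAMPLE = r"""
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QM3UZKSX\json[1].json
    Filesize
    323B
    MD5
    0c17abb0ed055fecf0c48bb6e46eb4eb
    SHA256
    f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs
    Filesize
    185KB
    MD5
    43fca5129026c9b6b49ce26c27759df2
    SHA256
    a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs
    Filesize
    185KB
    MD5
    43fca5129026c9b6b49ce26c27759df2
    SHA256
    a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js
    Filesize
    3KB
    MD5
    14d1d9d3dc5e8d0eac04d5b78645a2ea
    SHA256
    92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36
  • C:\Users\Admin\AppData\Roaming\lRDdN.vbs
    Filesize
    185KB
    MD5
    43fca5129026c9b6b49ce26c27759df2
    SHA256
    a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
  • memory/4032-133-0x00000000016B0000-0x00000000016C0000-memory.dmp
    Filesize
    64KB
"""

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def parse_downloads(text):
    """Parse the listing: a '•' path line, then label/value line pairs until the next '•'."""
    entries, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line.lstrip("• ").strip()}
            entries.append(current)
            label = None
        elif current is not None and label is None:
            label = line.lower()  # "Filesize", "MD5", "SHA256" ...
        elif current is not None:
            current[label] = line
            label = None
    return entries


def persistence_role(path):
    """Classify a listed path by what that location does for the malware."""
    p = path.lower()
    if p.startswith("memory/"):
        return "memory dump"
    if STARTUP_DIR in p:
        return "autostart (per-user Startup folder)"
    if "\\inetcache\\" in p:
        return "browser cache (fetched content)"
    return "dropped copy"


def unique_artifacts(entries):
    """One record per SHA256, listing every distinct path it was written to."""
    by_hash = {}
    for e in entries:
        sha = e.get("sha256")
        if not sha:  # memory dumps carry a size but no hashes
            continue
        rec = by_hash.setdefault(sha, {"md5": e.get("md5"), "size": e.get("filesize"), "paths": []})
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return by_hash


if __name__ == "__main__":
    for sha, rec in unique_artifacts(parse_downloads(SAMPLE)).items():
        print(sha, rec["size"])
        for path in rec["paths"]:
            print("   ", persistence_role(path), "-", path)
```

On this excerpt the result is three hashed artifacts: the 323B JSON in the IE cache (the response of the external IP lookup flagged under Signatures), the 185KB lRDdN.vbs seen in both the Startup folder and Roaming, and the 3KB windows.js in the Startup folder. The Startup-folder paths are the ones worth turning into a host-side check; the hashes alone would miss a rebuilt stage.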