Overview

overview

10

Static

static

1

swift copy.PDF.js

windows7-x64

10

swift copy.PDF.js

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2023 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swift copy.PDF.js

  • Size

    453KB

  • MD5

    811a102d237ae380b2d9517fa79f2c6d

  • SHA1

    17ff05d6c71c7c3f27be24cfd46b9653de9f67f2

  • SHA256

    47ac55851c62e30f0553a5d32f2b6a128f532b9904fbf5e100b53895ec8a86ca

  • SHA512

    3fcd5e98e5dbe0fb529ca77592bc012bc8560173114dfa754d363fe621b9336485a74fa48bd8bca4f676bfc91c2dc8ad5bc69c9a3b275b02722ec4e932688680

  • SSDEEP

    6144:N5gPKUmu6hIe4UhL60X4dOvNJ38QJfJiDzh8qQESvpWvnR4Rt1Prz2fLFh2WR:N56fmu6mUhZVJ1J8DnRvAtlf2

Score
10/10
vjw0rmtrojanworm

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\swift copy.PDF.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ECqEVMhpHV.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:1688
      • C:\Users\Admin\AppData\Roaming\bin.exe
        "C:\Users\Admin\AppData\Roaming\bin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:3064
    • C:\Windows\SysWOW64\ktmutil.exe
      "C:\Windows\SysWOW64\ktmutil.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cns436vh.zip
      Filesize

      542KB

      MD5

      a9a3b70adcf65be80c9b00e65d158669

      SHA1

      f2149444f70b702a43ad1e058dea147d6ba2eb5d

      SHA256

      bdcd90d909c708eff9a829c01b428c2b24fafc15f63deccd064c2bb12b0a49e3

      SHA512

      e06ea8f9d982ecd5bedf23676fa41b49d8673d9135f752655210c322529fb1441a4ef5f292825eea11ccb0cb516e873c33d16c3f800204511639c5b8db429290

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ECqEVMhpHV.js
      Filesize

      7KB

      MD5

      d7f1bd09dc54cdb298d18b01c350daad

      SHA1

      14389215c04486782b191d7e717604d47b4855f5

      SHA256

      1d15ca695084184b5e58a8ea3776bb5c8d2972c1d22d8ba0ded53b00bae8807b

      SHA512

      4fc09bf5626f1ce47a6b66b64bf9c3f22545ce481161f9b2c5e9fdc302d4d5b3e7acfd549bb24ec1405e4d93b3727abd301d957f32d44ed8d6d5cb3af7f8d976

      Download Submit

    • C:\Users\Admin\AppData\Roaming\bin.exe
      Filesize

      244KB

      MD5

      191c89bfc7613125182be0c6f7dc0828

      SHA1

      1f856de98621182f9885f5ceb5017806a48a19f6

      SHA256

      0b5a9848fa4433d737febc05dafaa4f8db69d2605c8014a616fac6c4abc69c53

      SHA512

      a1d22bfe1716682d00ae6dce97d2da37c33fcfc40a10da745f23abd837042e0016e651cabd9e12979dd2a0eb055c7f41c0d7ad8bafefb07e8203d3d4ef1f6550

      Download Submit

    • C:\Users\Admin\AppData\Roaming\bin.exe
      Filesize

      244KB

      MD5

      191c89bfc7613125182be0c6f7dc0828

      SHA1

      1f856de98621182f9885f5ceb5017806a48a19f6

      SHA256

      0b5a9848fa4433d737febc05dafaa4f8db69d2605c8014a616fac6c4abc69c53

      SHA512

      a1d22bfe1716682d00ae6dce97d2da37c33fcfc40a10da745f23abd837042e0016e651cabd9e12979dd2a0eb055c7f41c0d7ad8bafefb07e8203d3d4ef1f6550

      Download Submit

    • C:\Users\Admin\AppData\Roaming\bin.exe
      Filesize

      244KB

      MD5

      191c89bfc7613125182be0c6f7dc0828

      SHA1

      1f856de98621182f9885f5ceb5017806a48a19f6

      SHA256

      0b5a9848fa4433d737febc05dafaa4f8db69d2605c8014a616fac6c4abc69c53

      SHA512

      a1d22bfe1716682d00ae6dce97d2da37c33fcfc40a10da745f23abd837042e0016e651cabd9e12979dd2a0eb055c7f41c0d7ad8bafefb07e8203d3d4ef1f6550

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      1.0MB

      MD5

      ce5c15b5092877974d5b6476ad1cb2d7

      SHA1

      76a6fc307d1524081cba1886d312df97c9dd658f

      SHA256

      1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

      SHA512

      bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

      Download Submit

    • memory/1200-29-0x0000000006E70000-0x0000000006F73000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1200-25-0x0000000008A60000-0x000000000B6C4000-memory.dmp

      Filesize

      44.4MB

      Download

    • memory/1200-32-0x0000000006E70000-0x0000000006F73000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1200-28-0x0000000006E70000-0x0000000006F73000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1200-17-0x0000000008A60000-0x000000000B6C4000-memory.dmp

      Filesize

      44.4MB

      Download

    • memory/2508-31-0x0000000000340000-0x00000000003DA000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2508-30-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2508-19-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2508-18-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2508-22-0x0000000002050000-0x0000000002353000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2508-24-0x0000000000080000-0x00000000000BA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2508-73-0x0000000061E00000-0x0000000061EED000-memory.dmp

      Filesize

      948KB

      Download

    • memory/2508-26-0x0000000000340000-0x00000000003DA000-memory.dmp

      Filesize

      616KB

      Download

    • memory/3064-13-0x00000000009A0000-0x00000000009DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3064-21-0x0000000000180000-0x000000000019B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/3064-20-0x00000000009A0000-0x00000000009DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3064-14-0x00000000009A0000-0x00000000009DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3064-15-0x0000000000180000-0x000000000019B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/3064-12-0x00000000009E0000-0x0000000000CE3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/3064-10-0x00000000009A0000-0x00000000009DD000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3064-9-0x00000000009A0000-0x00000000009DD000-memory.dmp

      Filesize

      244KB

      Download