Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 21:54

General

  • Target

    fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe

  • Size

    359KB

  • MD5

    8168ebc24991383d3ca87a3641cddf50

  • SHA1

    099589f333ff8cab37ea6dcbc27b5873305b125a

  • SHA256

    fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dff

  • SHA512

    2a5131ce1e50ece6873899d2f90659bf5a5a1b4f77a38f32e714665507f9b4bfb8042d4568692c535cd8a150d7ef42354504a5819984944fc074a1c263b5bc08

  • SSDEEP

    6144:VT17ZpbhRqk8WwtB17ZpbhRBk8Wwt0717ZpbhRqk8WwtwDdG/cw:Xqk8WwtTBk8WwtAqk8Wwtwuc

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
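The three autostart locations named by the signatures above (a Run key value, an Active Setup StubPath, and the Winlogon Shell/Userinit values) can be graded offline from a registry export. The Python below is an added example and is not part of this report or of Vjw0rm itself: it takes (key, value name, data) triples, which you would fill from `reg export` output or a hive parser, and returns a finding for each suspicious autostart entry. The registry data in SAMPLE_VALUES is constructed for illustration, modelled on the file names in this report; the report does not show the actual registry values the sample wrote.

```python
import re
from typing import Iterable, List, NamedTuple, Optional


class RegValue(NamedTuple):
    key: str    # full key path, HKLM\... or HKCU\... (HKEY_* long forms accepted)
    name: str   # value name
    data: str   # value data as a string


class Finding(NamedTuple):
    location: str   # run-key | active-setup | winlogon
    severity: str   # high | low
    value: RegValue
    reason: str


# Autostart locations that the report's signatures name.
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
ACTIVE_SETUP_PREFIX = "hklm\\software\\microsoft\\active setup\\installed components\\"
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
# Stock values on a clean Windows 7 install (trailing comma on Userinit is stripped before comparing).
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}

# Directories a standard user can write to, and a script host being handed a script file.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.I)
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b.*\.(js|jse|vbs|vbe|wsf)\b", re.I)


def _norm_key(key: str) -> str:
    return (key.replace("HKEY_LOCAL_MACHINE", "HKLM")
               .replace("HKEY_CURRENT_USER", "HKCU")
               .rstrip("\\").lower())


def classify(v: RegValue) -> Optional[Finding]:
    """Return a Finding if this value is a suspicious autostart entry, else None."""
    key = _norm_key(v.key)
    writable = bool(USER_WRITABLE.search(v.data))
    script = bool(SCRIPT_HOST.search(v.data))
    if key in RUN_KEYS:
        if script:
            return Finding("run-key", "high", v, "script host launching a script file")
        if writable:
            return Finding("run-key", "low", v, "autostart from a user-writable directory")
    elif key.startswith(ACTIVE_SETUP_PREFIX) and v.name.lower() == "stubpath":
        if writable or script:
            return Finding("active-setup", "high", v, "StubPath outside the Windows directories")
    elif key == WINLOGON_KEY and v.name.lower() in WINLOGON_DEFAULTS:
        expected = WINLOGON_DEFAULTS[v.name.lower()]
        if v.data.strip().lower().rstrip(",") != expected:
            return Finding("winlogon", "high", v, f"{v.name} differs from default {expected!r}")
    return None


def find_persistence(values: Iterable[RegValue]) -> List[Finding]:
    return [f for f in map(classify, values) if f is not None]


# Constructed sample, modelled on the file names in the report; not data taken from the sandbox.
SAMPLE_VALUES = [
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "KvtuGnRuDM",
             r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\KvtuGnRuDM.js"'),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}",
             "StubPath", "regsvr32.exe /s /n /i:U shell32.dll"),
    RegValue(r"HKLM\Software\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-0000-0000-000000000001}",
             "StubPath", r"C:\Users\Admin\AppData\Local\Temp\Client.exe"),
    RegValue(r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
             r"explorer.exe, C:\Users\Admin\AppData\Local\Temp\pandora.exe"),
    RegValue(r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
             r"C:\Windows\system32\userinit.exe,"),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "ShellState", "(binary)"),
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_VALUES):
        print(f"[{f.severity:4}] {f.location:12} {f.value.name:12} {f.reason}")
```

The grading is deliberately asymmetric. A Run value that merely points into AppData is a weak signal, since per-user installers such as the OneDrive entry in the sample do exactly that, so it is reported as low. A script host being handed a .js from Roaming, an Active Setup StubPath that is not under the Windows directories, or any change at all to the Winlogon Shell or Userinit values has no common benign explanation and is reported as high. The Winlogon comparison is against the Windows 7 defaults; adjust WINLOGON_DEFAULTS for other builds before trusting it.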

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe
    "C:\Users\Admin\AppData\Local\Temp\fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eReceipt.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KvtuGnRuDM.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1436
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vj.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2724
    • C:\Users\Admin\AppData\Roaming\awesome.exe
      "C:\Users\Admin\AppData\Roaming\awesome.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Local\Temp\gasmask.exe
        "C:\Users\Admin\AppData\Local\Temp\gasmask.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Users\Admin\AppData\Local\Temp\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2136
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\system32\ctfmon.exe
              ctfmon.exe
              6⤵
                PID:3052
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 932
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:1876
        • C:\Users\Admin\AppData\Local\Temp\pandora.exe
          "C:\Users\Admin\AppData\Local\Temp\pandora.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2448
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
              PID:1784
            • C:\Windows\SysWOW64\ComputerDefaults.exe
              "C:\Windows\System32\ComputerDefaults.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1632
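The process tree above is the raw material for a detection: a dropped executable launching WScript.exe on a .js in AppData\Roaming, one script host spawning another with //B (batch mode, which suppresses script error dialogs and prompts), and explorer.exe being started by an executable living in Temp rather than by userinit.exe, with "Suspicious use of WriteProcessMemory" flagged on that Temp-resident parent. The Python below is an added example, not part of this report or of any sandbox product: it runs those rules over a batch of process-creation records. SAMPLE_EVENTS is constructed from the PIDs, images and command lines shown in the tree, with a benign userinit.exe/explorer.exe pair (PIDs 900 and 1000, assumed) added as the control; the record shape (pid, ppid, image, cmdline) is what Sysmon Event ID 1 or EDR telemetry provides, here typed out by hand.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


class Alert(NamedTuple):
    rule: str
    pid: int
    detail: str


USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
BATCH_FLAG = re.compile(r"(?:^|\s)//[bB](?:\s|$)")   # wscript //B: suppress errors and prompts
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[ProcEvent]) -> List[Alert]:
    """Run the four rules over a batch of process-creation events."""
    events = list(events)
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
        name = _basename(ev.image)
        if name in SCRIPT_HOSTS:
            # Rule 1: script host fed a script that lives in a user-writable directory.
            if SCRIPT_EXT.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline):
                alerts.append(Alert("script-from-user-dir", ev.pid, ev.cmdline))
            # Rule 2: batch mode hides the error dialogs a failing dropper would otherwise show.
            if BATCH_FLAG.search(ev.cmdline):
                alerts.append(Alert("wscript-batch-mode", ev.pid, ev.cmdline))
            # Rule 3: one script host spawning another (the eReceipt.js -> KvtuGnRuDM.js hop).
            if parent is not None and _basename(parent.image) in SCRIPT_HOSTS:
                alerts.append(Alert("script-host-chain", ev.pid, f"parent {parent.pid} {parent.image}"))
        # Rule 4: explorer.exe is normally started by userinit.exe; a Temp/AppData-resident
        # parent starting a fresh explorer.exe is the shape that injection into it leaves behind.
        if name == "explorer.exe" and parent is not None and USER_WRITABLE.search(parent.image):
            alerts.append(Alert("explorer-from-user-dir-parent", ev.pid, f"parent {parent.pid} {parent.image}"))
    return alerts


# Constructed from the PIDs, images and command lines in the tree above, plus a benign
# userinit.exe -> explorer.exe pair (PIDs 900/1000, assumed) as the control. Not sandbox telemetry.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(900, 800, r"C:\Windows\system32\userinit.exe", "userinit.exe"),
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2768, 1000, T + r"\fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe",
              '"' + T + r'\fb1dddc298eb8e049c053ebc2e1585d7338769af53d60a635c296ad47d559dffN.exe"'),
    ProcEvent(2568, 2768, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eReceipt.js"'),
    ProcEvent(1436, 2568, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KvtuGnRuDM.js"'),
    ProcEvent(2724, 2768, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vj.js"'),
    ProcEvent(2896, 2768, r"C:\Users\Admin\AppData\Roaming\awesome.exe",
              r'"C:\Users\Admin\AppData\Roaming\awesome.exe"'),
    ProcEvent(2088, 2896, T + r"\gasmask.exe", '"' + T + r'\gasmask.exe"'),
    ProcEvent(2136, 2088, T + r"\Client.exe", '"' + T + r'\Client.exe"'),
    ProcEvent(1992, 2136, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(2448, 2088, T + r"\pandora.exe", '"' + T + r'\pandora.exe"'),
    ProcEvent(1784, 2448, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:30} pid={a.pid:<5} {a.detail}")
```

Run against the sample, the control pair produces nothing, every WScript.exe instance in the tree trips rule 1, PID 1436 additionally trips the batch-mode and chain rules, and the two explorer.exe instances started by Client.exe and pandora.exe trip rule 4. Rule 4 keys on the parent's image path, not its name, so renaming the dropped executable does not evade it; it would be evaded by a stage that first copies itself under Program Files, which is why the parent's own creation event should be kept alongside the alert.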

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\KvtuGnRuDM.js

        Filesize

        8KB

        MD5

        e1825bba6bb57f8087e9e56b88d1e818

        SHA1

        4d8aaac848eb45dcebcb43dbbc681003000d18f7

        SHA256

        bf8565fc61324b0d42c8a8f1a6ae3cfbbb5d0d717fe7fa9250c6458958019958

        SHA512

        b811eefcf26eec307dcd6c4411409b391af7837704da301456220be1d026cebb9573a308ea9354d37f3ca5da967386f6e432dbe8de186bda31435ea40cdeba75

      • C:\Users\Admin\AppData\Roaming\eReceipt.js

        Filesize

        23KB

        MD5

        34996db3bbafb0cbc1cafc05bf07d37d

        SHA1

        1614af664b9729891a6f0b6f9c379db9642ab044

        SHA256

        b67d9cbf7fb6a22f88674808551e5d14c45b7167058ada5f5a22baf63ca93af6

        SHA512

        78892037bdf71a3683ce1bd3bd58e4d8730643af032a88f2e339c7107044958cb98b3b34eacdcd190dee227b029feee47059fe9d696df43b35edd05f26f0d68d

      • C:\Users\Admin\AppData\Roaming\vj.js

        Filesize

        3KB

        MD5

        fa29cac3eb51372529b68ff16b53c45a

        SHA1

        e3ec1169577ffe8f9c3bdb4b055fdb5b415f3843

        SHA256

        c1efbe1b7bec3aba906d9e6c8c1216580735d5acd56b65cb4d6e8d3217d6ffa6

        SHA512

        357c386775665e8d5a54c3f25d544711f0b97a9aa95b6f2cf74dc05083b2b606bb83a0e5c696676b3caffcc5cc438b59efbfe7e7c0abf13c1cb1f14c68f6f463

      • \Users\Admin\AppData\Local\Temp\Client.exe

        Filesize

        98KB

        MD5

        b160c1fdb54ebf1a5e20b371c1456f99

        SHA1

        5ebf1a9d7243bb2db995f0084558cb877b050333

        SHA256

        f8f76287ec03bf10a54cce992ef07a6e396f619907c27423892e0a7485977bf6

        SHA512

        f9af5cedca134ca8a6bd615121b515c8ee6da535e5390d18fb35997fe4d04a982dd13112b18b179d3b3e52c7654ec550b1273007fdfd54fc7c35f031a8b50142

      • \Users\Admin\AppData\Local\Temp\gasmask.exe

        Filesize

        209KB

        MD5

        19ed0f1c419f170d47e782527cbf461c

        SHA1

        4b9bba4a75eea4155b20c189201777199873d9e7

        SHA256

        62879e612c4f99fe060b4b9d93456ac1beb18d1a0978a0fc9e9e96fc20b83cc4

        SHA512

        85b358a5e59dad683055de4479cf92432ca6fd1e8539e8fdd83cff7c0d18e49a8a0c7c1038774db751ef8a25e66adc79eab6640ecc803e6abef34b335d365008

      • \Users\Admin\AppData\Local\Temp\pandora.exe

        Filesize

        98KB

        MD5

        c5920f986d204334e5f6036b8259d765

        SHA1

        b86016db0d94801b8705d6c16029c112ca7e4678

        SHA256

        249b2e9a08c06d3bb0ceee2de9affb8b50be4f776e9eece4e918acda0dcd58f5

        SHA512

        866ed4bc5ec387489b6a396138f36036ba470e5b1459f502f92ffee75ab3a2559031bd02f28c2532c70d2e63134668ede0897a447930631d8ffcd52b4d880761

      • \Users\Admin\AppData\Roaming\awesome.exe

        Filesize

        319KB

        MD5

        a0618f0f499ffe104f2fd9a645f23550

        SHA1

        b8d7a2a3f551d6f4d7c74dbe9ddef7bc0e59cd94

        SHA256

        691fb560ff1bea5fa71c5fac45a61ec33213dbd1f2b62cda363942a4099b7480

        SHA512

        0c07c9583b4aee63049300d39156ecd39900c554a80c1f3d316996087a8b71a59939ac0feebb9618ce22db6968ba50bbd3b8b27153bd40963171c4fef5975e3b

      • memory/1992-52-0x0000000004130000-0x0000000004140000-memory.dmp

        Filesize

        64KB

      • memory/2136-46-0x00000000010D0000-0x00000000010EE000-memory.dmp

        Filesize

        120KB

      • memory/2448-51-0x0000000000230000-0x0000000000236000-memory.dmp

        Filesize

        24KB

      • memory/2448-47-0x0000000001340000-0x000000000135E000-memory.dmp

        Filesize

        120KB

      • memory/2768-0-0x0000000074651000-0x0000000074652000-memory.dmp

        Filesize

        4KB

      • memory/2768-16-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2768-2-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2768-1-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-21-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-36-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-23-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-17-0x0000000074650000-0x0000000074BFB000-memory.dmp

        Filesize

        5.7MB