Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2024, 23:46

General

  • Target

    456-Invoice.js

  • Size

    166KB

  • MD5

    c000b245272ad81b74958689e4b3352e

  • SHA1

    ce74042c88b852c6a5b00186096f0ce42afc38b6

  • SHA256

    f19462db16c63e8c26095f8ee024340649e0b2cb26a9ba9d08691b6d01e4f2be

  • SHA512

    f9b3f811a4be2bee356d9265d15a20a00d41b4a5933d8ab5adcf683ce23cab0ac0b6a7cbdbc97abb509385082aa038d11f1b4f8e502f61e6a42535bbd4df155c

  • SSDEEP

    3072:Z6EsOoG2OGyjn37WIMnhHXmhRZkIQQZ9ophBCvD9hsbVhjv5:PsOotKeIMnimk+EIb5

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\456-Invoice.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:756
    • C:\Users\Admin\AppData\Local\Temp\New Client.exe
      "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1104
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1480
  • C:\Users\Admin\AppData\Local\Temp\New Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3924
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4564
  • C:\Users\Admin\AppData\Local\Temp\New Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:656
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3456
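
The process tree above is the whole story of this sample in three steps: wscript.exe runs the lure, drops a second script into AppData\Roaming and launches it with //B (batch mode, which suppresses script error dialogs), and the dropped New Client.exe re-arms a scheduled task named NYAN every time it runs by deleting and re-creating it with a one-minute trigger pointing back at its own path in Temp. The UsageLogs entry under CLR_v2.0_32 in the Downloads section, together with the 32-bit SysWOW64 schtasks.exe children, indicates New Client.exe is a 32-bit .NET executable. The following is an added detection example, not part of the tria.ge report: it runs three process-creation rules derived from this tree over constructed Sysmon-style events that mirror the PIDs and command lines shown above, plus one constructed benign schtasks call as a control. The ProcEvent shape and rule names are assumptions for the example, not a tria.ge or Sysmon schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Process-creation events (Sysmon EID 1 / Security 4688 style) reduced to the
# fields the rules need. This record shape is an assumption for the example.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample events mirroring the process tree in the report
# (the parent PID of the first wscript.exe is made up; the rest are the report's).
SAMPLE_EVENTS = [
    ProcEvent(5020, 4321, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\456-Invoice.js"),
    ProcEvent(756, 5020, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js"'),
    ProcEvent(2432, 5020, r"C:\Users\Admin\AppData\Local\Temp\New Client.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\New Client.exe"'),
    ProcEvent(1104, 2432, r"C:\Windows\SysWOW64\schtasks.exe",
              "schtasks /Delete /tn NYAN /F"),
    ProcEvent(1480, 2432, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1'),
    # Constructed benign control: a daily task whose action lives under Program Files.
    ProcEvent(9000, 8000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\run.exe" /sc daily /st 02:00'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A path under the user's profile that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# A script-host argument ending in a Windows Script Host extension.
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|wsf)\"?(?=\s|$)", re.IGNORECASE)


def switch_value(cmdline: str, name: str) -> Optional[str]:
    """Value of a schtasks switch such as /tn or /tr, with surrounding quotes removed."""
    m = re.search(r"/" + name + r"\s+(\"[^\"]*\"|\S+)", cmdline, re.IGNORECASE)
    return m.group(1).strip('"') if m else None


def detect(events):
    """Run the three rules over ProcEvent records; returns (rule, pid, detail) tuples."""
    hits = []
    deleted = {}  # (ppid, task name) -> pid of the schtasks /delete, consumed by rule 3
    for ev in events:
        image = ev.image.rsplit("\\", 1)[-1].lower()
        lower = ev.cmdline.lower()

        # Rule 1: a script host executing a script from the user's profile.
        # //B is a stronger signal because it hides script errors from the user.
        if image in SCRIPT_HOSTS and USER_WRITABLE.search(ev.cmdline) and SCRIPT_ARG.search(ev.cmdline):
            quiet = " //b " in f" {lower} "
            hits.append(("script_host_user_profile", ev.pid, f"quiet={quiet} cmd={ev.cmdline}"))

        if image != "schtasks.exe":
            continue
        task = switch_value(ev.cmdline, "tn")
        if "/delete" in lower and task:
            deleted[(ev.ppid, task.lower())] = ev.pid
        elif "/create" in lower and task:
            target = switch_value(ev.cmdline, "tr") or ""
            sched = (switch_value(ev.cmdline, "sc") or "").lower()
            # Rule 2: minute-granularity trigger whose action lives under AppData.
            if sched == "minute" and USER_WRITABLE.search(target):
                hits.append(("schtasks_minute_user_path", ev.pid, f"task={task} target={target}"))
            # Rule 3: the same parent deleted this task name right before re-creating it,
            # the re-arm pattern New Client.exe shows on every launch.
            key = (ev.ppid, task.lower())
            if key in deleted:
                hits.append(("schtasks_delete_then_create", ev.pid,
                             f"task={task} delete_pid={deleted[key]}"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Rule 2 is the one worth tuning for a real fleet: a one-minute /sc minute trigger is unusual for legitimate software, but the path test is what separates this sample's task from vendor updaters, so keep the AppData condition rather than alerting on /sc minute alone. The benign control event produces no hit.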

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\New Client.exe.log

    Filesize

    588B

    MD5

    80be65da858b28232bbb0f926fafcbcc

    SHA1

    f7647b8969e6642939b0d0b249db50a191bead49

    SHA256

    f147961fcb74f2cc8d8d1528bc77db6671ade4cd61b7a71b01c58c184364c6fc

    SHA512

    7795a9aa9f5702ca35dcf4900e2dac0994bd1a5a14cd0c8a25388110f47b1ce8f8032099067668146e8af56bf5966a3c854ccc1ddf586fe9ae22e9836880549c

  • C:\Users\Admin\AppData\Local\Temp\New Client.exe

    Filesize

    78KB

    MD5

    4c1c9fdf28215ae2f0f681349b66bbff

    SHA1

    8ab23d0ee7a361c8f29622fa9ba05f6644e24e9a

    SHA256

    50842fb63d2308152a3d6c25bf5c45b2a71906193e299975401e8cc5189abd7a

    SHA512

    f0415187e7f7dc15546ea4bc8e6c53281aa407df064a2d73e0360e796caf807430d7ab565ba842e8d1c58c1bc35eefffcd868042c65357906a625b92064e96c5

  • C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js

    Filesize

    10KB

    MD5

    4e1188211bc0a1f728e5a97cf47a7105

    SHA1

    740914054d0824fbacf494855eb9121355a49740

    SHA256

    ada3ac15b6fd893f1f8b1a4ad1f6d4cbc86c566c0d5a639c4dda15f4727f2cee

    SHA512

    b37d9c26c44b45e89a4732439480bf6d09e292fb85ef054a4a591cb7228eeef0f8595aeaf12824771c033297ea218996d6e4c9006972c15a58d02b89365b2a14

  • memory/2432-10-0x0000000074DD2000-0x0000000074DD3000-memory.dmp

    Filesize

    4KB

  • memory/2432-12-0x0000000074DD0000-0x0000000075381000-memory.dmp

    Filesize

    5.7MB

  • memory/2432-13-0x0000000074DD0000-0x0000000075381000-memory.dmp

    Filesize

    5.7MB

  • memory/2432-14-0x0000000074DD2000-0x0000000074DD3000-memory.dmp

    Filesize

    4KB

  • memory/2432-15-0x0000000074DD0000-0x0000000075381000-memory.dmp

    Filesize

    5.7MB

  • memory/2432-16-0x0000000074DD0000-0x0000000075381000-memory.dmp

    Filesize

    5.7MB