Some notes about the last WD test made by @SeriousHoax:
1. AL_5014513395824.vbs
The malware uses WMI to run its payload. This should be blocked by ASR if it did not auto-terminate (ASR rule "Block process creations originating from PSExec and WMI commands").
https://app.any.run/tasks/a8184aa1-1892-4434-82a7-93bbba1364fa/
2. JD.vbe
The malware was prevented from using ADODB.Stream to download something, and the script execution was interrupted with an error (probably by ASR).
https://app.any.run/tasks/cd3a5e8a-9725-41aa-b3a1-9c554ee198a8/
3. JVC_21555.vbs
The malware (QBOT) is going to download and run a payload. This should be prevented by the ASR rule "Impede JavaScript and VBScript to launch executables" (the name of this rule was changed by MS to "Block JavaScript or VBScript from launching downloaded executable content").
https://app.any.run/tasks/0e65507e-685a-4b68-9358-7dc619c8b4c2/
4. ps.ps1
This malicious script is going to download and run the EMOTET trojan. Blocked probably by ASR.
https://app.any.run/tasks/7e5fab0a-d591-4dde-b33f-2fe1501a3941/
5. Order_2718032693_Proforma_invoice.jar
This is Adwind RAT.
WD has allowed the malware on the initial stage, but it seems that the malicious actions were neutralized.
"This initial process executed a JS script, which in turn ran one more JS script and another .jar file. The JS script also used Task Scheduler to run itself later. The jar file started a series of malicious activities such as using attrib.exe to mark files or folders as hidden, running VBS script files, changing the autorun value in the registry and more. It has been noted that sometimes the jar file runs a series of taskkill commands to shut down processes by their names based on a list that contains names of system processes, names of common anti-virus programs and analyzing programs, such as wireshark.exe, procexp.exe, processhacker.exe and so on."
https://any.run/malware-trends/adwin
Thanks to @SeriousHoax and other testers for their excellent job.
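Since the notes above attribute several of the blocks to specific ASR rules, here is an added PowerShell example (written for this page, not part of the original post or of the test) that checks whether those two rules are actually enforced on a host, enables them in block mode if not, and pulls the Defender ASR events that would confirm a rule fired. It assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus and uses the rule GUIDs Microsoft publishes in its ASR rule reference; the `EventData` field names read from the event XML are an assumption and should be checked against an actual 1121 event on your build.

```powershell
# Added example: verify and enable the ASR rules named in the test notes, then
# list recent ASR block (1121) / audit (1122) events. Run elevated.

# Rule GUIDs as published in Microsoft's ASR rule reference; names as used in the notes.
$RulesOfInterest = [ordered]@{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

# Get-MpPreference exposes configured rules as two parallel arrays (Ids / Actions).
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[$ids[$i].ToString().ToLower()] = [int]$actions[$i]
    }
    foreach ($guid in $RulesOfInterest.Keys) {
        # A rule that is not listed at all is effectively disabled.
        $code = if ($configured.ContainsKey($guid)) { $configured[$guid] } else { 0 }
        [pscustomobject]@{
            Rule  = $RulesOfInterest[$guid]
            Id    = $guid
            State = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

# Switch any of the rules above that is not already in block mode to block mode.
# Add-MpPreference appends to the existing rule list rather than replacing it.
function Enable-AsrRules {
    foreach ($r in Get-AsrRuleState | Where-Object State -ne 'Block') {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $r.Id -AttackSurfaceReductionRules_Actions Enabled
        Write-Host "Set '$($r.Rule)' to Block (was $($r.State))"
    }
}

# Event 1121 = an ASR rule blocked an action; 1122 = the rule would have fired (audit mode).
function Get-AsrEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData by name instead of by position so the fields stay readable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = ($data['ID'] -as [string])          # field name assumed; holds the rule GUID
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule    = if ($ruleId -and $RulesOfInterest.Contains($ruleId.ToLower())) { $RulesOfInterest[$ruleId.ToLower()] } else { $ruleId }
            Process = $data['Process Name']           # field name assumed
            Path    = $data['Path']                   # field name assumed
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
Enable-AsrRules
Get-AsrEvents -Hours 24 | Format-Table -AutoSize
```

If a sample such as the WMI or VBS loaders above is replayed on a host where `Get-AsrRuleState` reports Block, the matching 1121 event is what distinguishes an ASR block from the script simply terminating on its own, which is the ambiguity the notes point out for the first sample.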