Analysis
- max time kernel: 151s
- max time network: 197s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-08-2021 12:32
Static task: static1
Behavioral task: behavioral1
- Sample: VJMY250M.js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: VJMY250M.js
- Resource: win10v20210408
General
- Target: VJMY250M.js
- Size: 67KB
- MD5: 7e58440b8eb773b24aace538de1c5437
- SHA1: b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb
- SHA256: 21e0026aeb23c03125337151d862a29372ac17af5663fca1f5ff7beeacf82fc1
- SHA512: a3d50e13255253989be68a25304ad51098fdbbe8873269d6fd148cc7ef641639bea881cfb57837182ee0c5036340cdd572706d0ac5552c6be8404404f79db298
Malware Config
Signatures

Blocklisted process makes network request (45 IoCs)
Processes: wscript.exe, wscript.exe
flow | pid  | process
8    | 1640 | wscript.exe
9    | 1908 | wscript.exe
10   | 1908 | wscript.exe
11   | 1640 | wscript.exe
12   | 1908 | wscript.exe
14   | 1908 | wscript.exe
15   | 1640 | wscript.exe
17   | 1908 | wscript.exe
19   | 1908 | wscript.exe
21   | 1640 | wscript.exe
23   | 1908 | wscript.exe
24   | 1908 | wscript.exe
25   | 1640 | wscript.exe
26   | 1908 | wscript.exe
28   | 1908 | wscript.exe
29   | 1640 | wscript.exe
32   | 1908 | wscript.exe
33   | 1908 | wscript.exe
35   | 1640 | wscript.exe
37   | 1908 | wscript.exe
38   | 1908 | wscript.exe
39   | 1640 | wscript.exe
41   | 1908 | wscript.exe
42   | 1640 | wscript.exe
43   | 1908 | wscript.exe
45   | 1640 | wscript.exe
47   | 1908 | wscript.exe
48   | 1908 | wscript.exe
50   | 1640 | wscript.exe
52   | 1908 | wscript.exe
53   | 1908 | wscript.exe
54   | 1640 | wscript.exe
57   | 1908 | wscript.exe
58   | 1908 | wscript.exe
59   | 1640 | wscript.exe
61   | 1908 | wscript.exe
62   | 1908 | wscript.exe
64   | 1640 | wscript.exe
65   | 1908 | wscript.exe
67   | 1908 | wscript.exe
68   | 1640 | wscript.exe
70   | 1908 | wscript.exe
72   | 1908 | wscript.exe
73   | 1640 | wscript.exe
75   | 1908 | wscript.exe
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVRpsUBiCR.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVRpsUBiCR.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VJMY250M.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VJMY250M.js | wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "\"C:\\Users\\Admin\\AppData\\Roaming\\rVRpsUBiCR.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 1908 wrote to memory of 1640 | 1908 | wscript.exe | wscript.exe
PID 1908 wrote to memory of 1640 | 1908 | wscript.exe | wscript.exe
PID 1908 wrote to memory of 1640 | 1908 | wscript.exe | wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\VJMY250M.js
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js
  MD5: ed533885cb7d43829db0e85dbaabec22
  SHA1: c19225ec3612ce86d4f5b8046ae65b3332d40776
  SHA256: 6641f0211253402fa4b39005e29c7e0b688d3722d05746040f6c35b4c14182eb
  SHA512: b6420e3c79ebb31b687f1b3f89ee4a67ea45bc08628aa91cf9ad63cd6c488f198ef6f981ad784cfa6ce3534d937a4a957e02e00d2b09c99301cfba1e90d1996b
- memory/1640-60-0x0000000000000000-mapping.dmp