Analysis
max time kernel: 147s
max time network: 158s
platform: windows10_x64
resource: win10v20210408
submitted: 19-08-2021 12:32
Static task: static1
Behavioral task: behavioral1, sample VJMY250M.js, resource win7v20210410
Behavioral task: behavioral2, sample VJMY250M.js, resource win10v20210408
General
Target: VJMY250M.js
Size: 67KB
MD5: 7e58440b8eb773b24aace538de1c5437
SHA1: b824cf54e9e9e1c28ff2ec6b6e3de9048750f5cb
SHA256: 21e0026aeb23c03125337151d862a29372ac17af5663fca1f5ff7beeacf82fc1
SHA512: a3d50e13255253989be68a25304ad51098fdbbe8873269d6fd148cc7ef641639bea881cfb57837182ee0c5036340cdd572706d0ac5552c6be8404404f79db298
Malware Config
Signatures
Blocklisted process makes network request (34 IoCs)
Processes: wscript.exe, wscript.exe
flow | pid | process
6, 14, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45 | 628 | wscript.exe
7, 15, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46 | 3944 | wscript.exe
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVRpsUBiCR.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVRpsUBiCR.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VJMY250M.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VJMY250M.js | wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "\"C:\\Users\\Admin\\AppData\\Roaming\\rVRpsUBiCR.js\"" | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 628 wrote to memory of 3944 | 628 | wscript.exe | wscript.exe
PID 628 wrote to memory of 3944 | 628 | wscript.exe | wscript.exe
Both IoCs are the parent (628) writing into the child it has just launched (3944), which happens during normal process creation; on its own this is not evidence of injection into an unrelated process.
Processes
1. C:\Windows\system32\wscript.exe (PID 628)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\VJMY250M.js
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 3944, child of 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
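The signatures and process tree above reduce to four observable behaviours: a script host writing a script into the per-user Startup folder, a Run value whose image is a script under a user-writable directory, wscript.exe launching wscript.exe in //B (batch) mode, and a script host opening network connections. The Python below is an added detection example, not the sandbox's own rules or output; its SAMPLE_EVENTS are constructed to mirror the report's IoC rows plus two benign control rows, and the Event shape, rule names and control rows are assumptions.

```python
"""Detection logic for the behaviours this report flags.

Added example, not the sandbox's own rules or output. SAMPLE_EVENTS is a
constructed set of records that mirrors the report's IoC rows (startup-folder
drops, the Run value, the wscript.exe -> wscript.exe child, a network flow)
plus two benign control rows; the Event shape and rule names are assumptions.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Desktop|Temp)\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # file_create | reg_set | proc_create | net_connect
    process: str       # image name of the acting (for proc_create: the new) process
    pid: int
    target: str = ""   # file path, registry value path, or flow/destination
    value: str = ""    # registry data (reg_set only)
    parent: str = ""   # parent image name (proc_create only)
    cmdline: str = ""  # command line of the new process (proc_create only)


def image_path(cmd: str) -> str:
    """Return the executable or script path at the front of a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_script(path: str) -> bool:
    return path.lower().endswith(SCRIPT_EXTS)


def findings(events):
    """Return (rule, pid, detail) tuples; benign rows produce nothing."""
    hits = []
    for e in events:
        proc = e.process.lower()
        if e.kind == "file_create" and proc in SCRIPT_HOSTS:
            # script host writing a script into the per-user Startup folder
            if STARTUP_DIR.search(e.target) and is_script(e.target):
                hits.append(("startup_folder_script", e.pid, e.target))
        elif e.kind == "reg_set" and RUN_KEY.search(e.target):
            # Run value whose image is a script in a user-writable directory
            img = image_path(e.value)
            if is_script(img) and USER_WRITABLE.search(img):
                hits.append(("run_key_user_script", e.pid, img))
        elif e.kind == "proc_create" and proc in SCRIPT_HOSTS and e.parent.lower() in SCRIPT_HOSTS:
            # script host spawning a script host; //B (batch mode) hides errors and prompts
            rule = "script_host_chain_silent" if "//b" in e.cmdline.lower() else "script_host_chain"
            hits.append((rule, e.pid, e.cmdline))
        elif e.kind == "net_connect" and proc in SCRIPT_HOSTS:
            hits.append(("script_host_network", e.pid, e.target))
    return hits


SID = r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed to mirror the report, not real telemetry
    Event("proc_create", "wscript.exe", 3944, parent="wscript.exe",
          cmdline=r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js"'),
    Event("file_create", "wscript.exe", 628, STARTUP + r"\rVRpsUBiCR.js"),
    Event("file_create", "wscript.exe", 3944, STARTUP + r"\VJMY250M.js"),
    Event("reg_set", "wscript.exe", 3944,
          SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG",
          value=r'"C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js"'),
    Event("net_connect", "wscript.exe", 628, "flow 6 (destination not recorded in the report)"),
    # benign controls (assumed): a shortcut in Startup, an installer registering an .exe
    Event("file_create", "explorer.exe", 1234, STARTUP + r"\Notes.lnk"),
    Event("reg_set", "OneDriveSetup.exe", 2222,
          SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          value=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for rule, pid, detail in findings(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run stand-alone it reports five hits, all from PIDs 628 and 3944, and stays silent on the two control rows. To run it against real telemetry, map Sysmon event IDs 1 (process create), 3 (network connect), 11 (file create) and 13 (registry value set) onto Event; the Run-value rule deliberately checks the image path rather than the raw data so that quoted paths with arguments are handled.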
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\rVRpsUBiCR.js
MD5: ed533885cb7d43829db0e85dbaabec22
SHA1: c19225ec3612ce86d4f5b8046ae65b3332d40776
SHA256: 6641f0211253402fa4b39005e29c7e0b688d3722d05746040f6c35b4c14182eb
SHA512: b6420e3c79ebb31b687f1b3f89ee4a67ea45bc08628aa91cf9ad63cd6c488f198ef6f981ad784cfa6ce3534d937a4a957e02e00d2b09c99301cfba1e90d1996b
These hashes differ from the submitted sample's, so the persisted rVRpsUBiCR.js is not a byte-for-byte copy of VJMY250M.js and needs its own indicators.
memory/3944-114-0x0000000000000000-mapping.dmp