Overview

overview

10

Static

static

Invoice re...286.js

windows7_x64

10

Invoice re...286.js

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    02-09-2021 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice remittance 52286.js

  • Size

    317KB

  • MD5

    c0fd4d06d9d01680a307ffcf75355352

  • SHA1

    2daeb72092e39bcf668815ab472c6010436f5e47

  • SHA256

    e3f3d8e11b4dcac7bc9f7ba3e88659ecfabe9e03b42c9728ff01d1ee73ba0261

  • SHA512

    0ee84815dd36fb7ffbe5d07427fb0c2849795b50be115fa92b813ba823f8c7d4a2031f1d2c70ccd02cb148fe3106e0a8dc5d804162de0007fa7155b92e984f74

Score
10/10
vjw0rmxloadern64dloaderpersistenceratsuricatatrojanworm

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n64d

C2

http://www.bughtmisly.com/n64d/

Decoy

hayominta.com

dunstabzug.website

fafmediagroup.com

keepamericagreatagain-again.com

15jizhi.com

hachiden.net

manifestarz.com

bridgeschc.com

floving.com

tintaalairelibre.com

ditsawong.com

dabanse.com

choiceschristianliving.com

pcojapan-online.com

unityinsport.com

hersvin.com

suhaizat.com

vitaliyvs.com

equipmunks.com

yfhzx.com

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 17 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice remittance 52286.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1996
      • C:\Users\Admin\AppData\Roaming\bin.exe
        "C:\Users\Admin\AppData\Roaming\bin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\bin.exe"
        3⤵
          PID:1108

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js
      MD5

      3f7b92769fc59d8adc125b4d4e8adee4

      SHA1

      b3ea6913dcf3681572a1db1f429cc5e1e49b060e

      SHA256

      e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209

      SHA512

      659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\bin.exe
      MD5

      79d02002f7841dceae1bc53186c94b67

      SHA1

      3bf5dc0017d1239d962a80d48236c785b56cb78a

      SHA256

      251a226acb74675f4650739fd13adb1c1b468e53936ccc6385dbbdacb5220ade

      SHA512

      abc48c2c32ef4eef177c9904fd162cf65c98fe180e2435c3e9fd22506a400eb43f576a7731de02fc50dcfdafc59047695c4b1e74d8863e1c58c422ad7363a17e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\bin.exe
      MD5

      79d02002f7841dceae1bc53186c94b67

      SHA1

      3bf5dc0017d1239d962a80d48236c785b56cb78a

      SHA256

      251a226acb74675f4650739fd13adb1c1b468e53936ccc6385dbbdacb5220ade

      SHA512

      abc48c2c32ef4eef177c9904fd162cf65c98fe180e2435c3e9fd22506a400eb43f576a7731de02fc50dcfdafc59047695c4b1e74d8863e1c58c422ad7363a17e

      Download Submit
    • memory/1108-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1244-76-0x0000000003BB0000-0x0000000003C48000-memory.dmp
      Filesize

      608KB

      Download
    • memory/1244-67-0x0000000002980000-0x0000000002A3A000-memory.dmp
      Filesize

      744KB

      Download
    • memory/1736-60-0x000007FEFC031000-0x000007FEFC033000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1764-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1764-66-0x00000000000A0000-0x00000000000B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1764-65-0x0000000000900000-0x0000000000C03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1964-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1964-69-0x0000000075551000-0x0000000075553000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1964-74-0x0000000000B40000-0x0000000000E43000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1964-73-0x0000000000080000-0x00000000000A8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1964-72-0x0000000000FD0000-0x0000000000FEC000-memory.dmp
      Filesize

      112KB

      Download
    • memory/1964-75-0x00000000002E0000-0x000000000036F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1996-61-0x0000000000000000-mapping.dmp
      Download