Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-10-2021 17:19
Static task: static1
Behavioral task: behavioral1
  Sample: temp.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: temp.js
  Resource: win10-en-20210920
General
- Target: temp.js
- Size: 81KB
- MD5: cef5ae43fcc340029300954a60931ca5
- SHA1: f7f67f70c25c1a7d59ed79e896ef47b0efa83d86
- SHA256: c05fa4aabfad177a35fb044dfbe9354a91a7e06ccba7e9b1aa349a7b11f3c6ab
- SHA512: 4e8a0fe5a850ec7db3cc1e30f609e02a7934eba6e0e2978d304d32573606a75565b0ab7bc7d3f3979b9eeb70ce380f9d1d1f17cb80564c2ed786efbe03ec8804
Malware Config
Extracted
vjw0rm
http://7700js.duckdns.org:7700
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid | process
    4    | 684 | wscript.exe
- Drops startup file (2 IoCs)
  Processes:
    description                  | ioc                                                                                   | process
    File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.js | wscript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description     | ioc                                                                                                                                                           | process
    Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                  | wscript.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\FM24ZGX1AP = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\temp.js'" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                     | pid | process     | target process
    PID 684 wrote to memory of 1964 | 684 | wscript.exe | schtasks.exe
    PID 684 wrote to memory of 1964 | 684 | wscript.exe | schtasks.exe
    PID 684 wrote to memory of 1964 | 684 | wscript.exe | schtasks.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\temp.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\schtasks.exe
   Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\temp.js
   - Creates scheduled task(s)