Analysis
- max time kernel: 136s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 14-10-2021 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: G62J15CB97C53V.js
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: G62J15CB97C53V.js
- Resource: win10-en-20210920
General
- Target: G62J15CB97C53V.js
- Size: 81KB
- MD5: c5b048b21730de23dabcc6758914a2f7
- SHA1: e9d5f9bee531aff20d8c8f64b70e51861b9f6b81
- SHA256: 6566e970bb140ac6ecdc59a11319c7a0650dbae2c182157e7f51b9bb8502c34e
- SHA512: a83d03ce24643e91f40ecaeddefbc55fa2720df6e75f7422e8470caf8e3199b8d8c7783e0665a6d176ea44e1d4f7b6d415e903d7bc25fd2cab3ae4e347005975
Malware Config
Extracted
- vjw0rm
- http://6800js.duckdns.org:6800
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: wscript.exe
  flow | pid | process
  5 | 1576 | wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G62J15CB97C53V.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G62J15CB97C53V.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYK43BSFUJ = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\G62J15CB97C53V.js'" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1576 wrote to memory of 572 | 1576 | wscript.exe | schtasks.exe
  PID 1576 wrote to memory of 572 | 1576 | wscript.exe | schtasks.exe
  PID 1576 wrote to memory of 572 | 1576 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\G62J15CB97C53V.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\G62J15CB97C53V.js
    - Creates scheduled task(s)