Analysis
- max time kernel: 130s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 26-10-2021 16:48
Static task: static1
Behavioral task: behavioral1
- Sample: b2m1_Payment_receipt.js
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: b2m1_Payment_receipt.js
- Resource: win10-en-20210920
General
- Target: b2m1_Payment_receipt.js
- Size: 81KB
- MD5: 983be3951a672b11ebdfd6d7d1233299
- SHA1: bb0e6da5abae02fcbefa6f1a619c6f3b1a3bf5a8
- SHA256: 1d31f4d9800687307188f1527d2c512249b972426e8ed4be143467ff2d9183f3
- SHA512: 67fdb9bc954ec67f83e0febdc2510665b8249af6ae00781ae02fca5b51b34a55fb4fd8c878969a49182a3cc29dc1f7d8328d56f8ab90df655222e9f4a8ed703c
Malware Config
Extracted: vjw0rm
- http://6200js.duckdns.org:6200
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: wscript.exe
  - flow 5, pid 600, process wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b2m1_Payment_receipt.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b2m1_Payment_receipt.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\BB4HJP0E1C = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\b2m1_Payment_receipt.js'" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  - PID 600 wrote to memory of 1868: wscript.exe -> schtasks.exe
  - PID 600 wrote to memory of 1868: wscript.exe -> schtasks.exe
  - PID 600 wrote to memory of 1868: wscript.exe -> schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\b2m1_Payment_receipt.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\b2m1_Payment_receipt.js
    - Creates scheduled task(s)