Analysis
- max time kernel: 122s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 29-10-2021 05:12
Static task: static1
Behavioral task: behavioral1
  Sample: v1m5_Payment_receipt.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: v1m5_Payment_receipt.js
  Resource: win10-en-20211014
General
- Target: v1m5_Payment_receipt.js
- Size: 81KB
- MD5: 141b981a8468e109d39c54a3a425ff66
- SHA1: 92878aa2adea4c26dc639e60a3d9c0f76e536407
- SHA256: 25fa1b8dca724a1c9e059e76ae2654ad249242f8b8c82358b4041061028bc80d
- SHA512: a5284bee064ad956244232baa6fe5a5084bdc2699209a8a1c5bc618e831bc20a2a91df5f65ba23d5dee92d47691797a8fade162d53434fd1e608fc2cc9fd21ff
Malware Config
Extracted
- Family: vjw0rm
- C2: http://7300js.duckdns.org:7300
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: wscript.exe
    flow 5, PID 1140, wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v1m5_Payment_receipt.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v1m5_Payment_receipt.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
    Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\O8A8WRK7AC = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\v1m5_Payment_receipt.js'" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
    PID 1140 (wscript.exe) wrote to memory of PID 808 (schtasks.exe)
    PID 1140 (wscript.exe) wrote to memory of PID 808 (schtasks.exe)
    PID 1140 (wscript.exe) wrote to memory of PID 808 (schtasks.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\v1m5_Payment_receipt.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child process)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\v1m5_Payment_receipt.js
    - Creates scheduled task(s)