Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 30-11-2021 06:58

Static task: static1
Behavioral task: behavioral1
Sample: Account sheet .jpg.js
Resource: win7-en-20211014
General
- Target: Account sheet .jpg.js
- Size: 15KB
- MD5: df9656ed02964c805f934e28abf9ebee
- SHA1: 76ab9cc502134c1c9a45d77e43bdb1c8273d43a8
- SHA256: 7708fbfa03f5eb10ade6b19f0a09af9c9ec4f6353e6be67ab045dca5d2e3b801
- SHA512: cd457985dd298de401f0c0d06c4e2cb13c1c4833cbac97e2db9fd038da741b2d77a5566328ef1768a9b728345d8c18924c1f818413d5edc56d5b57386eb63566
Malware Config
Extracted
- Family: vjw0rm
- C2: http://77.247.110.107:7849
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: wscript.exe
  flow 4, pid 1712, process wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Account sheet .jpg.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Account sheet .jpg.js (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs .reg file with regedit (1 IoC)
  Processes: regedit.exe
  pid 1108, process regedit.exe
- Suspicious use of WriteProcessMemory (3 IoCs, all identical)
  Processes: wscript.exe
  PID 1712 (wscript.exe) wrote to memory of PID 1108 (regedit.exe)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Account sheet .jpg.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\regedit.exe (child of 1)
      Command line: "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
      - Runs .reg file with regedit
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
  MD5: 0e5411d7ecba9a435afda71c6c39d8fd
  SHA1: 2d6812052bf7be1b5e213e1d813ae39faa07284c
  SHA256: cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2
  SHA512: 903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1
- memory/1108-56-0x0000000000000000-mapping.dmp
- memory/1108-58-0x0000000001C20000-0x0000000001C21000-memory.dmp
  Filesize: 4KB
- memory/1712-55-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
  Filesize: 8KB