Analysis
- max time kernel: 153s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 30-11-2021 06:58
Static task: static1
Behavioral task: behavioral1
Sample: Account sheet .jpg.js
Resource: win7-en-20211014
General
- Target: Account sheet .jpg.js
- Size: 15KB
- MD5: df9656ed02964c805f934e28abf9ebee
- SHA1: 76ab9cc502134c1c9a45d77e43bdb1c8273d43a8
- SHA256: 7708fbfa03f5eb10ade6b19f0a09af9c9ec4f6353e6be67ab045dca5d2e3b801
- SHA512: cd457985dd298de401f0c0d06c4e2cb13c1c4833cbac97e2db9fd038da741b2d77a5566328ef1768a9b728345d8c18924c1f818413d5edc56d5b57386eb63566
Malware Config
Extracted
- vjw0rm
- http://77.247.110.107:7849
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
  15 / 3508 / wscript.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Account sheet .jpg.js / wscript.exe
  File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Account sheet .jpg.js / wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
  Key created / \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings / wscript.exe
- Runs .reg file with regedit (1 IoCs)
  Processes (pid / process):
  4212 / regedit.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process):
  PID 3508 wrote to memory of 4212 / 3508 / wscript.exe / regedit.exe
  PID 3508 wrote to memory of 4212 / 3508 / wscript.exe / regedit.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Account sheet .jpg.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    - Runs .reg file with regedit
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
  MD5: 0e5411d7ecba9a435afda71c6c39d8fd
  SHA1: 2d6812052bf7be1b5e213e1d813ae39faa07284c
  SHA256: cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2
  SHA512: 903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1
- memory/4212-118-0x0000000000000000-mapping.dmp