Overview

overview

10

Static

static

PO_CG20210302346.js

windows7_x64

10

PO_CG20210302346.js

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    02-12-2021 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_CG20210302346.js

  • Size

    742KB

  • MD5

    4d7d2a0d4fe470f6cf2a0a9fc519a5ff

  • SHA1

    c8364f810e6c2bef6801c4b7196882dca05decb0

  • SHA256

    7d024e7fbc39d9379d96332276f41b08670843de3803ea91b257efeadbf8f46c

  • SHA512

    fb3c7bb3fdec6257a8c027e54662f4ac9eb9952647201f10a5942011810d9690bf6b970718bc38038093df9f1d8ab349b3b27cf6432ce69df1e383a7074977f5

Score
10/10
vjw0rmxloaderpzi0loaderpersistenceratsuricatatrojanworm

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

C2

http://www.buffstaff.com/pzi0/

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Blocklisted process makes network request 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\PO_CG20210302346.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bXCJbnYyZT.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:3320
      • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
        "C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:500
        • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
          "C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe"
          4⤵
          • Executes dropped EXE
          PID:1160
        • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
          "C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe"
          4⤵
          • Executes dropped EXE
          PID:972
        • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
          "C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:380
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe"
        3⤵
          PID:2208

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
      MD5

      81f24b219e4b7c29122243a7745e0d70

      SHA1

      162087ad805242265b42bb046696b39d1cd76f50

      SHA256

      3fa318a8ae6e6582155aa6dd984168f77a7f81b43f578c974fa3c4f5c7668da8

      SHA512

      315480c4d4a96c9b4c7d7bc80b96cd09ce5a5ad8a9a5edd2c435eca171a13278825d80d6c6de1d575388540ac2ef5820d1f0645221d6adc8702396a56662b5bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
      MD5

      81f24b219e4b7c29122243a7745e0d70

      SHA1

      162087ad805242265b42bb046696b39d1cd76f50

      SHA256

      3fa318a8ae6e6582155aa6dd984168f77a7f81b43f578c974fa3c4f5c7668da8

      SHA512

      315480c4d4a96c9b4c7d7bc80b96cd09ce5a5ad8a9a5edd2c435eca171a13278825d80d6c6de1d575388540ac2ef5820d1f0645221d6adc8702396a56662b5bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
      MD5

      81f24b219e4b7c29122243a7745e0d70

      SHA1

      162087ad805242265b42bb046696b39d1cd76f50

      SHA256

      3fa318a8ae6e6582155aa6dd984168f77a7f81b43f578c974fa3c4f5c7668da8

      SHA512

      315480c4d4a96c9b4c7d7bc80b96cd09ce5a5ad8a9a5edd2c435eca171a13278825d80d6c6de1d575388540ac2ef5820d1f0645221d6adc8702396a56662b5bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
      MD5

      81f24b219e4b7c29122243a7745e0d70

      SHA1

      162087ad805242265b42bb046696b39d1cd76f50

      SHA256

      3fa318a8ae6e6582155aa6dd984168f77a7f81b43f578c974fa3c4f5c7668da8

      SHA512

      315480c4d4a96c9b4c7d7bc80b96cd09ce5a5ad8a9a5edd2c435eca171a13278825d80d6c6de1d575388540ac2ef5820d1f0645221d6adc8702396a56662b5bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MJoeuu6lp4G7m5Q.exe
      MD5

      81f24b219e4b7c29122243a7745e0d70

      SHA1

      162087ad805242265b42bb046696b39d1cd76f50

      SHA256

      3fa318a8ae6e6582155aa6dd984168f77a7f81b43f578c974fa3c4f5c7668da8

      SHA512

      315480c4d4a96c9b4c7d7bc80b96cd09ce5a5ad8a9a5edd2c435eca171a13278825d80d6c6de1d575388540ac2ef5820d1f0645221d6adc8702396a56662b5bb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\bXCJbnYyZT.js
      MD5

      9d628656a16fa431c6290136bec8395a

      SHA1

      abbc3359d13f5af4bb00b12e28f903bbfc2327f3

      SHA256

      7f8bc9fa4c2948c50e91f6606ca0140a29d726ad9ead11eccf92d6ac13cc19c4

      SHA512

      38f612d1211a1b15ad2f14f0ef2a19b7b8b04520aff9ae6b43133a4a87f81182a5b625302956a8fe193f7bbb43f6a89ac75280025399a1df404d04f271adcc72

      Download Submit
    • memory/380-140-0x0000000000B00000-0x0000000000BAE000-memory.dmp
      Filesize

      696KB

      Download
    • memory/380-135-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/380-138-0x0000000001090000-0x00000000013B0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/380-136-0x000000000041D480-mapping.dmp
      Download
    • memory/500-131-0x0000000006750000-0x0000000006751000-memory.dmp
      Filesize

      4KB

      Download
    • memory/500-127-0x00000000059B0000-0x00000000059B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/500-126-0x00000000059E0000-0x00000000059E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/500-132-0x00000000067F0000-0x0000000006848000-memory.dmp
      Filesize

      352KB

      Download
    • memory/500-125-0x0000000005EE0000-0x0000000005EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/500-123-0x0000000000F60000-0x0000000000F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/500-129-0x00000000059A0000-0x00000000059A8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/500-128-0x0000000005940000-0x0000000005941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/500-120-0x0000000000000000-mapping.dmp
      Download
    • memory/500-130-0x00000000063E0000-0x00000000063E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1112-142-0x0000000000000000-mapping.dmp
      Download
    • memory/1112-144-0x0000000000C20000-0x0000000000C49000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1112-143-0x0000000000E60000-0x000000000129F000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/1112-145-0x00000000051B0000-0x00000000054D0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1112-147-0x0000000004E70000-0x0000000004F00000-memory.dmp
      Filesize

      576KB

      Download
    • memory/2208-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3020-141-0x0000000005F40000-0x00000000060B0000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3020-148-0x0000000006430000-0x000000000658C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3320-118-0x0000000000000000-mapping.dmp
      Download