Analysis
- max time kernel: 156s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-12-2021 20:10
Static task: static1
Behavioral task: behavioral1 (sample Order20827.js on resource win7-en-20211208)
Behavioral task: behavioral2 (sample Order20827.js on resource win10-en-20211208)
The signatures, process tree and dropped files below are from behavioral1 (Windows 7 x64); the PIDs and the user SID belong to that VM, and the Windows 10 run is not shown on this page.
General
- Target: Order20827.js
- Size: 307KB
- MD5: d3d3edd039a3e591e822bb981e7e1fc7
- SHA1: dc79c1c6268f32dbe746394868db3d23bd4e4126
- SHA256: 528452ce702d1bc05f0c968137625ae1518faf152aeac200948e39974c6ef4cf
- SHA512: f377e3a8d3816130cf5db479e980bfad2b2dc13b86b7eee297b0fb9982a808751e429bbd10263fa6b61a066869e67bb88205ae83f27d5527e99cd7c9b5dfba95
Malware Config
- Extracted family: vjw0rm
- URL: http://dwal-vesj.duckdns.org:29563
The host is a DuckDNS dynamic-DNS name, so block and hunt on the hostname and the non-standard port 29563 rather than on a resolved IP address, which can change between infections.
Signatures
- Blocklisted process makes network request (18 IoCs)
  flow  pid   process
  8     268   wscript.exe
  9     1672  wscript.exe
  11    268   wscript.exe
  13    268   wscript.exe
  15    268   wscript.exe
  18    268   wscript.exe
  20    268   wscript.exe
  22    268   wscript.exe
  25    268   wscript.exe
  27    268   wscript.exe
  30    268   wscript.exe
  32    268   wscript.exe
  33    268   wscript.exe
  37    268   wscript.exe
  39    268   wscript.exe
  41    268   wscript.exe
  43    268   wscript.exe
  45    268   wscript.exe
  All but one of the 18 flows come from pid 268, the second wscript.exe instance that runs the dropped copy cAcMvTWMWr.js; the original script (pid 1672) makes a single request before handing off.
- Drops startup file (4 IoCs)
  description                   ioc                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20827.js    wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20827.js    wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAcMvTWMWr.js   wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAcMvTWMWr.js   wscript.exe
  Both the original sample and its renamed copy are placed in the per-user Startup folder, so each interactive logon launches them again.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run                wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\cAcMvTWMWr.js"   wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run                wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXM15XR7UO = "C:\Users\Admin\AppData\Local\Temp\Order20827.js"   wscript.exe
  The double quotes are part of the stored value data. The value names SEJOKAOI5S and XXM15XR7UO look randomly generated, so detection should key on the data (a .js file under AppData) rather than on the name.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That description is the sandbox's generic text for this signature. For a vjw0rm sample, drive enumeration is more consistent with the worm's removable-drive spreading than with encryption, and no file-encryption activity is recorded elsewhere in this report.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task, named Skype (see the process tree), re-launches the original sample from %TEMP% every 30 minutes, so the infection survives even if the Run values and Startup-folder copies are removed.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process      target pid  target process
  PID 1672 wrote to memory of 268    1672  wscript.exe  268         wscript.exe
  PID 1672 wrote to memory of 268    1672  wscript.exe  268         wscript.exe
  PID 1672 wrote to memory of 268    1672  wscript.exe  268         wscript.exe
  PID 1672 wrote to memory of 1832   1672  wscript.exe  1832        schtasks.exe
  PID 1672 wrote to memory of 1832   1672  wscript.exe  1832        schtasks.exe
  PID 1672 wrote to memory of 1832   1672  wscript.exe  1832        schtasks.exe
  Both targets are children that pid 1672 has just spawned (the second wscript.exe and schtasks.exe), so these writes are consistent with process creation rather than injection into a pre-existing process.
Processes
- C:\Windows\system32\wscript.exe (pid 1672, from the WriteProcessMemory signature)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Order20827.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (pid 268)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cAcMvTWMWr.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\schtasks.exe (pid 1832)
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Order20827.js
    - Creates scheduled task(s)
//B is Windows Script Host batch mode, which suppresses script errors and prompts so the copy runs silently. The schtasks command line is reproduced as captured; it lacks the closing quote after the /tr path.
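A hunt for the persistence chain this process tree shows (a Run value, a Startup-folder drop and a schtasks /create, all pointing at a .js under a user-writable path), as an added example that is not part of the sandbox report or of the sample. It runs over constructed Sysmon-style event records whose field names are an assumption; the values are modelled on the IoCs above plus two benign decoys, and the /tr parser tolerates the missing closing quote seen in the captured schtasks command line.

```python
"""Hunt logic for the vjw0rm persistence chain shown in this report.

Added example, not part of the sandbox report or of the sample itself.
The event schema (type, image, parent, cmdline, key, value, path) is an
assumption; the values are modelled on the report's IoCs.
"""
import re

# Script types handled by Windows Script Host.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# Locations a standard user can write to (where the sample and its copy live).
USER_WRITABLE = re.compile(
    r"\\(AppData|Users\\[^\\]+\\(Downloads|Desktop|Documents))\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WSH_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)

SID = "S-1-5-21-2329389628-4064185017-3901522362-1000"

# Constructed events modelled on the report's process tree, registry and file IoCs,
# followed by two benign decoys (a domain logon script, an installer-written Run value).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cAcMvTWMWr.js"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Order20827.js'},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S" % SID,
     "value": r'"C:\Users\Admin\AppData\Roaming\cAcMvTWMWr.js"'},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAcMvTWMWr.js"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\mapdrives.vbs"},
    {"type": "registry", "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def parse_schtasks(cmdline):
    """Return (task name, action) from a schtasks /create command line.

    The /tr value is matched without requiring a closing quote because the
    command line captured in this report has none.
    """
    name = re.search(r"/tn\s+(\S+)", cmdline, re.I)
    action = re.search(r'/tr\s+"?([^"]+)', cmdline, re.I)
    return (name.group(1) if name else None,
            action.group(1).strip() if action else None)


def find_persistence(events):
    """Return (category, detail) findings: a Run value or Startup-folder file
    pointing at a script, a schtasks /create whose action is a script, and
    a WSH host executing a script from a user-writable path."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry":
            if (RUN_KEY.search(ev["key"]) and SCRIPT_EXT.search(ev["value"])
                    and USER_WRITABLE.search(ev["value"])):
                findings.append(("run_key_script", ev["key"]))
        elif kind == "file":
            if STARTUP_DIR.search(ev["path"]) and SCRIPT_EXT.search(ev["path"]):
                findings.append(("startup_folder_script", ev["path"]))
        elif kind == "process":
            image, cmd = ev["image"], ev["cmdline"]
            if image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower():
                _name, action = parse_schtasks(cmd)
                if action and SCRIPT_EXT.search(action):
                    findings.append(("schtasks_script", action))
            elif (WSH_HOST.search(image) and SCRIPT_EXT.search(cmd)
                    and USER_WRITABLE.search(cmd)):
                findings.append(("wsh_script_from_user_path", cmd))
    return findings


def persistence_score(findings):
    """Number of distinct persistence mechanisms seen; this sample plants all three."""
    mechanisms = {"run_key_script", "startup_folder_script", "schtasks_script"}
    return len({category for category, _ in findings} & mechanisms)


if __name__ == "__main__":
    found = find_persistence(SAMPLE_EVENTS)
    for category, detail in found:
        print(f"{category:28s} {detail}")
    print("persistence mechanisms:", persistence_score(found))
```

The decoys show why the rules key on a script extension under a user-writable path rather than on wscript.exe alone: domain logon scripts from a NETLOGON share also run through wscript.exe, and installers legitimately write Run values for executables. Two of the three mechanisms together with a WSH host launched from AppData is already a strong signal on its own.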
Downloads
- C:\Users\Admin\AppData\Roaming\cAcMvTWMWr.js
  MD5: 3dc6e38070337cd2f2ad3212b8f01374
  SHA1: d19f419607ba2f2f64689f1ed43b4ddd2df2a8b2
  SHA256: e81b55f2232dfaea360908e0046d4997a030f9e8113e5ca8f02a6f3598a4c111
  SHA512: 2e4e75339c0c2b775f90d4e8ed865dd9f3e9fc8603b6244f80ae64eede38806b8f76954698b5d0e41c31b4243520fc441c964c55ad481629cdd36eb4b98f7514
  These hashes differ from the submitted sample's, so the dropped copy is not byte-identical to Order20827.js; hash-based blocking needs both sets.
- memory/268-55-0x0000000000000000-mapping.dmp
- memory/1832-57-0x0000000000000000-mapping.dmp