Analysis
- max time kernel: 136s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-12-2021 06:58
- Static task: static1
- Behavioral task: behavioral1 (Sample: #00957.js; Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: #00957.js; Resource: win10-en-20211208)
General
- Target: #00957.js
- Size: 9KB
- MD5: 422a51830d190a1e37b9a45c05ce539a
- SHA1: 022c845c213e2cc1b311e37a1ee9eae32410441e
- SHA256: 54b582961ebc52c5017f65743f7e96715ca76ac77a285708f33e76cf6159cecd
- SHA512: 97ed9014a86f484701615e4daa60cc6c31c35ef22c033f846016ca3a71636733f628d94dc039754eb2b6c1131859713ca23b3b2fd83a9aa799a83c4806a39b93
Malware Config
Extracted
- Family: vjw0rm
- URL: http://decebermoney.duckdns.org:8022
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  - 5 | 952 | wscript.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#00957.js | wscript.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#00957.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\7XZCXIM5XX = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\#00957.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 952 wrote to memory of 980 | 952 | wscript.exe | schtasks.exe
  - PID 952 wrote to memory of 980 | 952 | wscript.exe | schtasks.exe
  - PID 952 wrote to memory of 980 | 952 | wscript.exe | schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\#00957.js
  PID: 952
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\#00957.js
    PID: 980
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/980-55-0x0000000000000000-mapping.dmp