Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-12-2021 16:03
Static task: static1
Behavioral task: behavioral1
  Sample: 8023_Payment_Copy.js
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8023_Payment_Copy.js
  Resource: win10-en-20211208
General
- Target: 8023_Payment_Copy.js
- Size: 62KB
- MD5: f91ad741727a485b74a5cd3d0a32163a
- SHA1: 05fcc5bbd03cfbd35174d7d2ef991f345d167ad0
- SHA256: 3c85914030d8cdb4c41ca8cd0d24b785fef114aa2c1f9864feb028abd3d80356
- SHA512: 6762e1ae2c087e0937e107acc6dff7724eada47ddf861edca18df330fb6ab83fe1bf445b930ad2da1771a53f5f69ac0e0d57faa057080746b5fcd295b7f68151
Malware Config
- Extracted: vjw0rm
  URL: http://wormming.duckdns.org:8023
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    wscript.exe
      flow: 5, pid: 1352, process: wscript.exe
- Drops startup file (2 IoCs)
  Processes:
    wscript.exe
      File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8023_Payment_Copy.js
      File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8023_Payment_Copy.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    wscript.exe
      Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run
      Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\MEBWY6QJMA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8023_Payment_Copy.js\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    wscript.exe
      PID 1352 wrote to memory of 568 (pid: 1352, process: wscript.exe, target process: schtasks.exe)
      PID 1352 wrote to memory of 568 (pid: 1352, process: wscript.exe, target process: schtasks.exe)
      PID 1352 wrote to memory of 568 (pid: 1352, process: wscript.exe, target process: schtasks.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\8023_Payment_Copy.js
  PID: 1352
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\8023_Payment_Copy.js
    PID: 568
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/568-54-0x0000000000000000-mapping.dmp