Overview

overview

10

Static

static

PO26910193.js

windows7_x64

10

PO26910193.js

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    15-12-2021 09:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO26910193.js

  • Size

    715KB

  • MD5

    471845f89fdc0d48bbbc4eef5513d5e2

  • SHA1

    e25a0ca1425e8bfcc8516e0e85ecaf8b5d99ecf2

  • SHA256

    1103cc349deb9d738448ee8ba8f4189af39984f3e92a9adf1bafcda1d45bd652

  • SHA512

    2605e7db46bd4e3435c3710ad2ab443525d9b94ead16a6fdb73756d8a9afba2c5a4792e2d625503b2ae19c944cb7c1e441f2b5dc9328573ea0a47ddfe0698ec6

Score
10/10
vjw0rmxloaderpzi0loaderpersistenceratsuricatatrojanworm

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

C2

http://www.buffstaff.com/pzi0/

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 18 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\PO26910193.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lPObwAVZjm.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:852
      • C:\Users\Admin\AppData\Local\Temp\wealth.exe
        "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1136
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
        3⤵
          PID:2380

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\wealth.exe
      MD5

      83481bf872730cd133669c5ea5b1be2b

      SHA1

      fbd2369965b20f6bee09063aa454de13a18c71d3

      SHA256

      5d174dd08492f307e4b367e262f3e96b9beefb99f5abb11043ddf7142a18e9e8

      SHA512

      9080dc9bcdfba87ff3ecb3ba04af7a03dea2228f093fbb91149ff8825694601908ba85b2ce27a1de47ce1f6e263b03d96d80d43b7a4033051fbbac64fde7dc51

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\wealth.exe
      MD5

      83481bf872730cd133669c5ea5b1be2b

      SHA1

      fbd2369965b20f6bee09063aa454de13a18c71d3

      SHA256

      5d174dd08492f307e4b367e262f3e96b9beefb99f5abb11043ddf7142a18e9e8

      SHA512

      9080dc9bcdfba87ff3ecb3ba04af7a03dea2228f093fbb91149ff8825694601908ba85b2ce27a1de47ce1f6e263b03d96d80d43b7a4033051fbbac64fde7dc51

      Download Submit
    • C:\Users\Admin\AppData\Roaming\lPObwAVZjm.js
      MD5

      cc4c347aa8b598d1187c6ac8220b645d

      SHA1

      9075dc46990744f92756bcf86493a1a85b45db97

      SHA256

      b27ceeed7816086caa5d310dbf342d345d2a9367ee1455d2ccf19196f4c2fe6b

      SHA512

      e9ae8851374c67c725f8a16ad2461497da793f56c73fff1bf89e1d4f3e3d48a110e01018d963aba843fd256c9cc9ab2950323b3ea93df422dbd20d348603cd03

      Download Submit
    • memory/852-115-0x0000000000000000-mapping.dmp
      Download
    • memory/1136-120-0x0000000001860000-0x0000000001B80000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1136-121-0x0000000001340000-0x000000000148A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1136-117-0x0000000000000000-mapping.dmp
      Download
    • memory/2380-124-0x0000000000000000-mapping.dmp
      Download
    • memory/2712-122-0x00000000023C0000-0x00000000024A9000-memory.dmp
      Filesize

      932KB

      Download
    • memory/2712-129-0x0000000002540000-0x000000000261D000-memory.dmp
      Filesize

      884KB

      Download
    • memory/3824-123-0x0000000000000000-mapping.dmp
      Download
    • memory/3824-126-0x0000000000B40000-0x0000000000B69000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3824-125-0x0000000001200000-0x0000000001217000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3824-127-0x0000000003560000-0x0000000003880000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3824-128-0x00000000032B0000-0x0000000003340000-memory.dmp
      Filesize

      576KB

      Download