Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 16-12-2021 08:20

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: IMAGE.js, resource: win7-en-20211208)
- Behavioral task: behavioral2 (sample: IMAGE.js, resource: win10-en-20211208)
General
- Target: IMAGE.js
- Size: 3KB
- MD5: 4828f0de0d5a6dfe853ed9bc18437863
- SHA1: c97fa294329a27d8e096f572e69b1319f644c967
- SHA256: fbc8ed5862b8ac3766b10502bc1afef13e84fbf2b07454c8988aa2140fa5ee9c
- SHA512: b1c58dc31b191e91d7371397e17500e704c2dbf33e5d413c31e6cd7035b3219165395cf872ef7846456efd67b88737e7fcfa944fbf94c4a956d00aff7ac97be0
Malware Config
- Extracted family: vjw0rm
- C2: http://2ndversionjs.duckdns.org:9100
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 5, pid 1740, process wscript.exe
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\FZ7XTLKJQ0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IMAGE.js\"" (wscript.exe)
    Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1740 wrote to memory of 1644: wscript.exe (pid 1740) -> schtasks.exe
    PID 1740 wrote to memory of 1644: wscript.exe (pid 1740) -> schtasks.exe
    PID 1740 wrote to memory of 1644: wscript.exe (pid 1740) -> schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\IMAGE.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\IMAGE.js
    - Creates scheduled task(s)