Analysis
- max time kernel: 144s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 16-12-2021 08:20
Static task: static1
Behavioral task: behavioral1
- Sample: Scanned_copy.js
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Scanned_copy.js
- Resource: win10-en-20211208
General
- Target: Scanned_copy.js
- Size: 3KB
- MD5: 069760354f3e37200a7112a84aaa3f3b
- SHA1: 7b55b0e82f004e922f2e886e800e9379c9e09250
- SHA256: df29cf83fe008627f1475b86bf67530eab0680bc18995786f51719136d079926
- SHA512: e77bc7cd7fbc38da4b9c59bcc1336c9a2e46e040606c8e6db12649cc6e29907ddbd6aa76005e760074ee3b04b6df9b3ac23d33927b41f134a2922ddf759a6d99
Malware Config
Extracted: vjw0rm
- http://2ndversionjs.duckdns.org:9100
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, PID, process):
  - flow 5, PID 1276, wscript.exe
- Drops startup file (2 IoCs)
  Processes (description, IoC, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned_copy.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned_copy.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, IoC, process):
  - Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SBFT6OCUB2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scanned_copy.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, PID, process, target process):
  - PID 1276 wrote to memory of 980: wscript.exe -> schtasks.exe
  - PID 1276 wrote to memory of 980: wscript.exe -> schtasks.exe
  - PID 1276 wrote to memory of 980: wscript.exe -> schtasks.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Scanned_copy.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
2. C:\Windows\System32\schtasks.exe
   Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\Scanned_copy.js
- Creates scheduled task(s)